Subject: Re: [xacml-comment] XACML 3.0 core spec - invalid example policy in section 4.1.1
Thanks Cyril.

I've added these issues to the TC's errata wiki so that they will not be forgotten next time we issue errata or produce a new version. The errors are unfortunate, but since the examples are non-normative there should be no doubt about which URIs are the valid ones.

Regards,
Steven

On 26/07/2019 10:53 pm, DANGERVILLE Cyril wrote:
Hello,

one of our AuthzForce users made us realize that the very first example of policy in the XACML 3.0 spec (section 4.1.1) is **not valid**: http://docs.oasis-open.org/xacml/3.0/errata01/os/xacml-3.0-core-spec-errata01-os-complete.html#_Toc489959499

The RuleCombiningAlgId is **identifier:rule-combining-algorithm:deny-overrides** whereas it should be **urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides**.

Then I checked for other such basic yet sneaky mistakes (quite frustrating and not good-looking for newbies I guess), and noticed we are still using legacy/deprecated algorithm identifiers in examples of section 4.2.4, in particular: "urn:oasis:names:tc:xacml:**1.0**:rule-combining-algorithm:deny-overrides", instead of "urn:oasis:names:tc:xacml:**3.0**:rule-combining-algorithm:deny-overrides"; and same issue for the policy combining alg equivalent. Is that a good thing for standard examples?

I only checked the Policy/RuleCombiningAlgId with my poor eyes but I guess we should pass all policy/rule examples through a proper XACML validator/engine again at some point.

For the XACML TC to consider for next version.

KR,
Cyril

[@@ OPEN @@]

Cyril Dangerville
Security Architect, CISSP
THALES
+33 (0)1 69 41 59 66
THALES, Campus Polytechnique, 1 avenue Augustin Fresnel, 91767 PALAISEAU, France
www.thalesgroup.com
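The check requested in the message above can be automated for the combining-algorithm attributes. The following is an added example, not part of the thread and not AuthzForce or OASIS code: a small lint that classifies each `RuleCombiningAlgId` / `PolicyCombiningAlgId` as current, legacy or invalid. The identifier table is transcribed on the assumption that it matches the XACML 3.0 core spec's identifier list and should be verified against it; the sample policy is constructed.

```python
import xml.etree.ElementTree as ET

URN = "urn:oasis:names:tc:xacml:"
# Algorithm names whose current identifier carries the 3.0 version (assumed table).
V3 = ["deny-overrides", "permit-overrides", "ordered-deny-overrides",
      "ordered-permit-overrides", "deny-unless-permit", "permit-unless-deny"]
# Element name -> (attribute holding the algorithm id, identifier kind).
ATTRS = {"Policy": ("RuleCombiningAlgId", "rule"),
         "PolicySet": ("PolicyCombiningAlgId", "policy")}

def known_ids(kind):
    """Return (current, legacy) identifier sets for kind 'rule' or 'policy'."""
    base = f":{kind}-combining-algorithm:"
    current = {URN + "3.0" + base + n for n in V3}
    current.add(URN + "1.0" + base + "first-applicable")
    if kind == "policy":
        current.add(URN + "1.0" + base + "only-one-applicable")
    legacy = {URN + "1.0" + base + n for n in V3[:2]}
    legacy |= {URN + "1.1" + base + n for n in V3[2:4]}
    return current, legacy

def check_combining_algs(xml_text):
    """Return (element, id, algorithm, status) for each Policy/PolicySet."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        local = elem.tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix
        if local not in ATTRS:
            continue
        attr, kind = ATTRS[local]
        value = elem.get(attr, "")
        current, legacy = known_ids(kind)
        status = ("ok" if value in current
                  else "legacy" if value in legacy else "invalid")
        findings.append((local, elem.get(local + "Id"), value, status))
    return findings

# Constructed sample, trimmed to the attributes under test (not schema-complete).
SAMPLE = f"""<PolicySet xmlns="{URN}3.0:core:schema:wd-17" PolicySetId="ps"
  PolicyCombiningAlgId="{URN}3.0:policy-combining-algorithm:deny-overrides">
 <Policy PolicyId="p1"
  RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides"/>
 <Policy PolicyId="p2"
  RuleCombiningAlgId="{URN}1.0:rule-combining-algorithm:deny-overrides"/>
 <Policy PolicyId="p3"
  RuleCombiningAlgId="{URN}3.0:rule-combining-algorithm:deny-overrides"/>
</PolicySet>"""

if __name__ == "__main__":
    for finding in check_combining_algs(SAMPLE):
        print(finding)
```

This covers only the two attributes discussed in the thread; it does not replace schema validation or loading the policy in a real XACML engine.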