RE: [xacml-dev] XACML 2

["Diego M. Gonzalez" <diegog@lagash.com>]

Thank you Seth,

My current plans for the next version of XACML.NET is supporting current
.Net version and the next one (aka "Whidbey") (the Microsoft's "Tiger"
:) ), and I'm using this implementation also to test the new framework,
language improvements, and how to integrate with the previous version.
On the other hand... my Java days are over now... It was a great time in
the past... But I meet the power of the dark side :)
Anyway if you think that I can help you in some way (like implementation
decissions, and specification intepretations that may differ, etc), feel
free to contact me.

For the moment I'm planning supporting both versions with the same code
base. And the version of the policy will be determing the evaluation
behavior I mean when a 2.0 policy is used to evaluate the 2.0 evaluation
will be performed. if I found some requirement in 2.0 that can only be
provided by a 2.0 context, and the context is 1.x I'll invalidate the
evaluation context (rule, policy, etc) with an error. But I don't want
to make this "implementation specific".

I have not go throug the entire spec, so I'll do that this week 

Thanks,
Diego Gonzalez
Lagash Systems SA

-----Original Message-----
From: Seth Proctor [mailto:Seth.Proctor@Sun.COM] 
Sent: Tuesday, September 21, 2004 5:37 PM
To: Diego M. Gonzalez
Cc: xacml-dev@lists.oasis-open.org
Subject: Re: [xacml-dev] XACML 2


Hi Diego.

> I'm having some free time in the next weeks se I'll like to know if 
> anybody have started with a 2.0 implementation. If so how do you 
> manage the 1.1 and 2.0 differences and schema versioning issues (i.e.
> what happens if a 1.0 Context is evaluated using a 2.0 Policy, and 
> issues like that).

I am just starting to work on supporting 2.0 in my SunXACML project. In
fact, I'm about to send mail to the sunxacml-discuss list asking for
volunteers :) If you'd like to get involved, let me know.

You raise some good questions here. It's not entirely clear how this is
supposed to happen. In theory, the important boundries haven't changed
(eg, decisions, request formats, Policy[Set] as top-level entity), so a
1.0 request should be valid with a 2.0 policy, and a 2.0 policy should
be able to reference a 1.x policy. I can't think of any rules about this
in the 2.0 spec off the top of my head, but I'll poke around. For my
project, I plan to be as flexible about this as possible.

> Is there any document with all the differences between 1.1 and 2.0 
> wc-current? Because the differences are only available comparing the 
> last version.

No. There was supposed to be a writeup, but it didn't happen (I think
the person who owned this item got too busy with other stuff). I have
thought about writing this, but I haven't had the time. If you wanted to
do this, I think it would be valuable, and I'd be happy to provide some
assistance. I did recently go through the exercise of doing a complete
review of the 2.0 draft, so I have a reasonable sense of what changed.


seth