[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: Updated version of XACML JSON profile
Hi David, Some thoughts on access-subject. If people are struggling with the name, perhaps it is inherently unclear and should be changed in the core spec? If people are having trouble with it in the JSON version, wouldn’t they also have the same trouble in the XML version? After all, it is the same concept, same name, and so on. I know that in the 5+ months I’ve been working with XACML, whenever I see “access-subject” I always (and still) say “wait a minute, is that the ‘accessing’ (‘requesting’) subject or the ‘accessed’ (‘target’) subject” and have to look at the conformance tests to figure it out. Come to think of it, wouldn’t “requesting-subject” be a better name for this field in the core spec? Re-reading the core spec, I see that “Subject = An actor whose attributes may be referenced by a predicate”. This is intentionally ambiguous because any particular policy and request may have multiple actors involved. Therefore it would seem that using the word “subject” as the name of a field is fundamentally unclear because “Subject” is a concept (a.k.a “an Actor”), not an identification of a specific instance of that concept (e.g. “the actor who is trying to access this information”. “the actor who authorized this access”, “the actor who paid for the access”, “the actor whose data is being accessed”, etc. ). Any field in the actual Policies and Requests needs to identify a specific type of actor to avoid ambiguity. My other thought is that we really should not support both short names. If we are going to special-case this one name (yuck), then we should explicitly map it to one name. The point of consistency (other than the human-readability/ease-of-understanding improvement) is to allow simple algorithmic processing, and if the receiver of a message needs to handle both names we don’t gain anything by including the second name because the code still needs to special-case the non-standard version. Thanks, Glenn From: David Brossard [mailto:david.brossard@axiomatics.com] Hi Glenn, Thanks for this additional round of comments. Please find my comments inline. On Tue, Mar 25, 2014 at 5:23 PM, GRIFFIN, GLENN (GLENN) <glenngriffin@research.att.com> wrote: Hi David, Thank you for all the work you’ve done on the spec. It is much cleaner now. A few minor notes: - 3.2.1 I would recommend that another paragraph be put into this section: “The name of the XACML XML ‘Attributes’ element has been changed in JSON to the ‘Category’ object. The name has been changed to make the purpose of the object clearer.” (In other words, because this is the only name that gets changed from the XACML core spec, you should elevate it’s importance and explain why it needs to be different from the core terminology. As I mentioned before, when you have people working separately on XML and JSON versions this can become a communication problem. It is also a learning-curve issue for newbies like me. It will probably also cause some confusion in these forums for that reason. Just for consistency I think it should be left as ‘Attributes’, but ‘Category’ is so much clearer that I think I’ve lost that battle. J ) Yes, fixed.
No, it is correct as it is. I realize my point wasn't clear. The point is that, in XACML, the order of information (be it categories or attributes) has no impact on the semantics of a XACML request. Therefore the serialized version (be it JSON or XML) can ignore the order.
Fixed: changed to 3.3.1.
Fixed.
As per Steven Legg's comments, we will align the core spec with the profile.
Fixed
I am not sure what to do here. I agree with you yet at the same time, I see how much customers struggle with the name access-subject. I'll bring it up on the XACML TC list. We can support both names too.
Fixed.
Fixed
My pleasure. Your comments have been critical to the quality of the profile. I will upload WD17 once we have agreed in the TC whether we should:
Cheers, David.
-- David Brossard, M.Eng, SCEA, CSTP Support: https://support.axiomatics.com |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]