
Subject: Re: [xacml][schema] 20-5 concall minutes

Title: Next F2F meeting...
Prof. Ernesto Damiani
Dipartimento di Tecnologie dell'Informazione
Universita' di Milano - Polo di Crema
Via Bramante 65
26013 Crema, Italia
tel +39-0373-898240
fax +39-0373-898253
Participants: Anne, Simon, Norman, Ernesto, Konstantin

Simon illustrates his proposal about attribute designator syntax that was sent to the list. No big change to the schema is required. The main points of the proposal are:
1. Different declarations for attribute designators, differentiating them into subject attribute designator, resource attribute designator, etc. This would already delimit the scope, as each of these designators will implicitly point to a different portion of the request context.

2. A single attribute-designator element equipped with an additional '@kind' attribute with values
3. A 'selector' element that will use an arbitrary XPath expression to point into the context.

Anne comments that a single subject is an oversimplification, and it must be clarified how the proposal deals with multiple subjects.
Simon explains that the main problem with multiple and complex subjects is that we have not decided on a syntax for the holder yet.
Anne proposed to allow an XPath as the value of the holder.

It is agreed to consider points 1 and 3 of Simon's proposal for formal approval at the next concall. Meanwhile, comments are welcome.
Simon and Ernesto added that we should not overdo it with XPaths. We should at least recommend that only the child axis is used. Also, type conversion should be used with care, as it may introduce unexpected results. A clear, non-ambiguous explanation of the kind of XPath that we allow in XACML policies should be added to the specs.

Also controlling the overload of the equal operator and defining its behavior is crucial, since one or both sides of a comparison can now be XPaths into the XACML context. How can we control the outcome? It is necessary to check implicit type conversions between XPaths and literals etc.
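As an added illustration of the two concerns raised above (restricting selectors to the child axis, and keeping 'equal' from silently converting types), here is a small Python sketch that is not part of the minutes or of any XACML implementation. The request context, the attribute names and the `select`/`typed_equal` helpers are all constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample request context (hypothetical, not from the minutes).
REQUEST_CONTEXT = """<Request>
  <Subject><Attribute AttributeId="role" DataType="string">admin</Attribute></Subject>
  <Resource><Attribute AttributeId="level" DataType="integer">010</Attribute></Resource>
</Request>"""

# One child-axis step: an element name, optionally with an [@attr='value'] predicate.
CHILD_AXIS_STEP = re.compile(r"^[A-Za-z_][\w.-]*(\[@[A-Za-z_][\w.-]*='[^']*'\])?$")

def is_child_axis_only(xpath):
    """Accept only relative paths made of child steps; reject '//', '..', '::' axes, absolute paths."""
    if xpath.startswith("/") or "//" in xpath:
        return False
    return all(CHILD_AXIS_STEP.match(step) for step in xpath.split("/"))

def select(context_xml, xpath):
    """Hypothetical selector: evaluate a child-axis-only path and return (DataType, value) pairs."""
    if not is_child_axis_only(xpath):
        raise ValueError(f"XPath not allowed by the policy profile: {xpath}")
    root = ET.fromstring(context_xml)
    return [(e.get("DataType", "string"), (e.text or "").strip()) for e in root.findall(xpath)]

def naive_equal(left, right):
    """'equal' with implicit conversion: everything becomes a string, so 010 != 10."""
    return str(left[1]) == str(right[1])

def typed_equal(left, right):
    """Explicit 'equal' overload: compare only when both DataTypes match, never coerce."""
    (ltype, lval), (rtype, rval) = left, right
    if ltype != rtype:
        return None  # Indeterminate: mixed types are reported, not silently converted
    if ltype == "integer":
        return int(lval) == int(rval)
    return lval == rval

if __name__ == "__main__":
    level = select(REQUEST_CONTEXT, "Resource/Attribute[@AttributeId='level']")[0]
    print(level, naive_equal(level, ("integer", "10")), typed_equal(level, ("integer", "10")))
    print(typed_equal(("string", "10"), ("integer", "10")))
```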

Simon observes that being able to designate attributes of multiple subjects does not address the fundamental problem with the concept of multiple subjects, namely, what is the relationship between them? E.g., how can we express subject equivalence?
