Subject: [xacml] minutes 27-05

Please correct/integrate.
Participants: Anne, Ernesto, Simon, Michiharu, Carlisle, Tim

0. Summarization of previous concall

1. General discussion of XACML context, ContextPrincipal and its attributes

Anne: in SAML we just have one subject, but we need more than one in XACML.
Solution: in the AttributeDesignator we can use any syntactic device, either explicit or implicit, to identify the right part of ContextPrincipal. There we have multiple subjects, each identified by its own tag, whose properties would be identified via XACML attributes.
Anne: should PrincipalType have a status of its own or be just another XACML attribute?
A discussion follows; the issue is left open. There seems to be consensus on the fact that PrincipalType should be there and its value should be a URI, as per Simon's previous proposal.
Anne: How can we solve the problem of denoting relationships between principals, i.e. when dealing with multiple identities referring to the same "entity"?
Carlisle: they could share values of some xacml attributes.
Simon: or, they could belong to the same "EquivalentPrincipals" tag.
Tim: this can be left to applications and done in a proprietary way.
Anne, Ernesto: You must anyway have some sort of syntactic support for expressing relationships between multiple subjects.
Simon: The attribute introduced by Anne could be kept required with a default value.
We agreed that the holder can be either a name identifier or an XPath expression.
Anne: we need to see a schema before going on.
Tim: we should keep those XPaths under control. However we need a way to say whether we are designating an element or an attribute in the context.
Ernesto: I propose to draw the distinction between implicit pointing in the context, i.e. use the name of the designator to say in which part of the context to look for the information, and explicit, i.e. write an XPath to identify that information.
Which technique shall we adopt?
Anne: we need to see syntax examples to understand whether the distinction is useful or not.
Michiharu reminds everybody that he sent an e-mail asking whether there should be a Transform element pointing to the XSLT rules for creating the XACML context. It was taken out because this could be a configuration option of the PDP.
This is left open to decide.
Anne, Carlisle: transform should be outside the core schema. 

Michiharu mentions his proposal for expressing predicate conditions (see his e-mail) using XPath 1.0 syntax.
Ernesto: delegating the definition of the semantics of comparison between, say, XACML context and literals to XPath processing may be controversial.
Simon: I do not fully agree on that.

Discussion of obligations/functions postponed to next con-call.
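As an added illustration (example code written for these minutes, not part of the TC's discussion or of any XACML schema): a constructed multi-subject context in which the access subject and an intermediary each carry a role attribute. `explicit_xpath_match` models the explicit style, a path compared to a literal under XPath 1.0's existential node-set comparison (the semantics Ernesto questions), while `implicit_designator_match` models the implicit style that first names the subject part of the context. The `Context`/`Subject`/`Attribute` element names and the PrincipalType URIs are assumptions.

```python
# Added example for these minutes; not TC or XACML schema code.  The
# <Context>/<Subject>/<Attribute> layout and PrincipalType URIs are assumed.
import xml.etree.ElementTree as ET

# Constructed sample context: two subjects, each tagged by its own
# (assumed) PrincipalType URI and carrying XACML-style attributes.
SAMPLE_CONTEXT = """<Context>
  <Subject PrincipalType="urn:example:principal:access-subject">
    <Attribute Name="role">user</Attribute>
    <Attribute Name="department">sales</Attribute>
  </Subject>
  <Subject PrincipalType="urn:example:principal:intermediary">
    <Attribute Name="role">admin</Attribute>
  </Subject>
</Context>
"""

def explicit_xpath_match(context_xml, path, literal):
    """Explicit designation: a path selects a node-set compared to a literal.
    XPath 1.0 defines node-set = literal existentially: true if ANY selected
    node's string value equals the literal.  ElementTree only supports the
    path part, so the existential comparison is emulated with any(); the
    policy cannot tell WHICH subject satisfied it."""
    root = ET.fromstring(context_xml)
    return any((n.text or "").strip() == literal for n in root.findall(path))

def implicit_designator_match(context_xml, principal_type, attr_name, literal):
    """Implicit designation: the designator names the part of the context
    (one subject, by PrincipalType) and then the attribute, so the comparison
    is scoped to that subject alone.  A missing subject yields no match."""
    root = ET.fromstring(context_xml)
    for subj in root.findall("Subject"):
        if subj.get("PrincipalType") != principal_type:
            continue
        values = [(a.text or "").strip() for a in subj.findall("Attribute")
                  if a.get("Name") == attr_name]
        return literal in values
    return False

if __name__ == "__main__":
    # Unscoped existential comparison: the intermediary's role satisfies it.
    print(explicit_xpath_match(SAMPLE_CONTEXT,
                               ".//Subject/Attribute[@Name='role']", "admin"))
    # Scoped to the access subject, whose role is 'user': no match.
    print(implicit_designator_match(SAMPLE_CONTEXT,
                                    "urn:example:principal:access-subject",
                                    "role", "admin"))
```

With two subjects in the context, the unscoped comparison is satisfied by the intermediary's role while the scoped designator is not, which is why the choice of designation technique affects the decision a policy yields.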
