OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: Re: [xacml] Issues about XACML Request Context schema


On 9 July, Michiharu Kudoh writes: [xacml] Issues about XACML Request Context schema
 > 1) In SAML Request, Format attribute in the NameIdentifier element is
 > optional while the same Format attribute of SubjectId element in XACML
 > Context is mandatory. I think the Format attribute of SubjectId element
 > might be optional.

I propose instead that a value of
"urn:oasis:names:tc:xacml:identifiers:Unspecified" be used as the
value of "Format" when it is not otherwise available.

An "anyURI" or "string" name is underspecified, in my opinion,
where it is intended to take on arbitrary values specified
elsewhere.

 > 2) In my sample XSLT transformation, I just copied the whole SAML Evidence
 > element into SubjectAttribute element as an Evidence attribute of the
 > subject in XACML Context. If we take this approach, a Namespace attribute
 > in the AttributeMetaData element in XACML context has no corresponding
 > information in SAML request. However this Namespace attribute is mandatory
 > in XACML. I think the Namespace attribute of AttributeMetaData element
 > might be optional.

Again, I think a "string" AttributeName is underspecified.  Let's use
"urn:oasis:names:tc:xacml:identifiers:Unspecified" as the value
for "AttributeNamespace" when no other value is available.

 > 3) In XACML Context, there is an AuthenticationInfo element in the Subject
 > element that is zero or one occurrence. I think that it is not clear which
 > authentication information in the SAML request corresponds to
 > AuthenticationInfo in the XACML Context. In addition, SAML request may have
 > multiple authentication information about the subject. In that case, single
 > AuthenticationInfo element does not work. Then I think that the occurrence
 > of AuthenticationInfo should be zero to unlimited, or the element itself
 > should be deleted from the XACML context (I mean any authentication
 > information goes into the subject attribute section)

I agree.

 > 4) In XACML Context, Action element has no attribute while Action element
 > in SAML request has Namespace attribute. It seems to me that the action in
 > SAML request is more appropriate format.

I think we treat the Action element namespace as being implied by
the Resource.  I think it would be OK to add an optional
ActionNamespace xml attribute to our Action, however.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC