Subject: [xacml] [schema] {PolicySet|Policy|Rule}Designator issue
PolicySetDesignator, PolicyDesignator, and RuleDesignator were intended to be a way to include a PolicySet, Policy, or Rule by reference. This might be due to the referenced entity being defined in another XML document, or due to it being defined by another Policy Administration Point, or due to it being located in a database from which it is to be selected as needed. We also intended to allow (but not require) referenced PolicySets and Policies to be encapsulated in a SAML assertion, which in turn might be signed.

The draft-xacml-schema-policy-15g.xsd definition of these types has some problems in supporting the intended functionality, particularly for PolicySetDesignatorType and PolicyDesignatorType:

    <xs:complexType name="PolicySetDesignatorType">
      <xs:sequence>
        <xs:element name="PolicySetId" type="xs:anyURI" minOccurs="0"/>
        <xs:element name="PolicySetAssertion" type="saml:AssertionType"/>
      </xs:sequence>
    </xs:complexType>
    <!-- -->
    <xs:complexType name="PolicyDesignatorType">
      <xs:sequence>
        <xs:element name="PolicyId" type="xs:anyURI" minOccurs="0"/>
        <xs:element name="PolicyAssertion" type="saml:AssertionType"/>
      </xs:sequence>
    </xs:complexType>

These current definitions do not support remote references at all: they force in-line inclusion of a SAML assertion. This also forces support for ALL of SAML by compliant XACML PDPs, which is not our intent!

RECOMMENDATIONS:

1. Treat PolicySet, Policy, and Rule Designators the same way we treat AttributeDesignators: describe the element(s) to be obtained using an XPATH expression.

2. Specify in the text that the XPATH expression must point to a valid PolicySet, Policy, or Rule element, or to a SAML assertion that encapsulates a valid PolicySet, or Policy.

3. Retain the optional "RuleDigest" element for RuleDesignatorType, since we do not support Rules in SAML assertions.

4. Make it clear that support for saml:Assertion is not mandatory-to-implement.
PROPOSED SCHEMA:

    <xs:complexType name="PolicySetDesignatorType">
      <xs:attribute name="Designator" type="xs:anyURI" use="required"/>
      <xs:attribute name="DataType" type="xacml:PolicySetDesignatorValueType" use="required"/>
      <!-- Designator must be a legal XPath expression -->
    </xs:complexType>

What I want to do is restrict the DataType to be an xacml:PolicySet, an xacml:Policy, or a saml:Assertion. The following type may not do what I intend, but it is a start:

    <xs:simpleType name="PolicySetDesignatorValueType">
      <xs:restriction base="xs:string">
        <xs:enumeration value="xacml:PolicySet"/>
        <xs:enumeration value="xacml:Policy"/>
        <xs:enumeration value="saml:Assertion"/>
        <!-- Assertion must encapsulate an xacml:PolicySet or xacml:Policy -->
        <!-- support for saml:Assertion is optional -->
      </xs:restriction>
    </xs:simpleType>
    <!-- -->
    <xs:complexType name="PolicyDesignatorType">
      <xs:attribute name="Designator" type="xs:anyURI" use="required"/>
      <xs:attribute name="DataType" type="xacml:PolicyDesignatorValueType" use="required"/>
      <!-- Designator must be a legal XPath expression -->
    </xs:complexType>
    <xs:simpleType name="PolicyDesignatorValueType">
      <xs:restriction base="xs:string">
        <xs:enumeration value="xacml:Policy"/>
        <xs:enumeration value="xacml:Rule"/>
        <xs:enumeration value="saml:Assertion"/>
        <!-- Assertion must encapsulate an xacml:Policy -->
        <!-- support for saml:Assertion is optional -->
      </xs:restriction>
    </xs:simpleType>
    <!-- -->
    <xs:complexType name="RuleDesignatorType">
      <xs:sequence>
        <xs:element name="RuleDigest" minOccurs="0">
          <xs:complexType>
            <xs:attribute name="DigestAlgId" type="xs:string" default="SHA-1"/>
            <xs:attribute name="Base64Digest" type="xs:string"/>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="Designator" type="xs:anyURI" use="required"/>
      <xs:attribute name="DataType" type="xacml:RuleDesignatorValueType" use="required"/>
      <!-- Designator must be a legal XPath expression that selects an xacml:Rule element -->
    </xs:complexType>

Anne

--
Anne H. Anderson                    Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311         Tel: 781/442-0928
Burlington, MA 01803-0902 USA       Fax: 781/442-1692
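The following is an added example, written for this page and not code from the message above or from any XACML implementation. It shows what a PDP-side resolver for the proposed XPath-based designators would have to check: that the DataType is one of the values the enumeration allows for that designator, that the XPath selects exactly one element, that the selected element really is of the declared type, and, for a RuleDesignator, that the optional RuleDigest (SHA-1 by default, base64 encoded) matches the referenced Rule. The namespace URIs, the sample PolicySet, and the use of Canonical XML of the selected element as the digest input are constructed assumptions; the proposal itself does not say which bytes the digest covers.

```python
"""Resolve XPath-based PolicySet/Policy/Rule designators and verify an optional RuleDigest.

Added example for this page; not code from the message or from any XACML implementation.
Assumptions: placeholder namespace URIs, a constructed sample PolicySet, and Canonical XML
of the selected element as the digest input.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder namespaces (not the real XACML/SAML namespace URIs).
NS = {"xacml": "urn:example:xacml", "saml": "urn:example:saml"}

# Legal DataType values per designator kind, mirroring the proposed enumerations.
ALLOWED_DATATYPES = {
    "PolicySetDesignator": {"xacml:PolicySet", "xacml:Policy", "saml:Assertion"},
    "PolicyDesignator": {"xacml:Policy", "xacml:Rule", "saml:Assertion"},
    "RuleDesignator": {"xacml:Rule"},
}

# SHA-1 is the schema default for DigestAlgId; SHA-256 is an assumed extension.
DIGEST_ALGS = {"SHA-1": hashlib.sha1, "SHA-256": hashlib.sha256}

# Constructed sample document that the designators below point into.
SAMPLE_POLICY_XML = """<?xml version="1.0"?>
<PolicySet xmlns="urn:example:xacml" PolicySetId="ps1">
  <Policy PolicyId="p1">
    <Rule RuleId="r1" Effect="Permit"/>
    <Rule RuleId="r2" Effect="Deny"/>
  </Policy>
</PolicySet>
"""


def datatype_tag(datatype):
    """Map a 'prefix:Local' DataType token to the Clark-notation tag ElementTree uses."""
    prefix, local = datatype.split(":", 1)
    return "{%s}%s" % (NS[prefix], local)


def canonical_bytes(elem):
    """Digest input: Canonical XML of the selected element (assumption). Without
    canonicalization, harmless whitespace or attribute-order changes would break the digest."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")


def rule_digest(elem, alg="SHA-1"):
    """Base64 digest of the element, the form the proposed Base64Digest attribute carries."""
    if alg not in DIGEST_ALGS:
        raise ValueError("unsupported DigestAlgId: %s" % alg)
    return base64.b64encode(DIGEST_ALGS[alg](canonical_bytes(elem)).digest()).decode("ascii")


def resolve_designator(doc_xml, kind, designator, datatype, digest=None, alg="SHA-1"):
    """Return the one element a designator selects, enforcing the proposal's constraints:
    the DataType is legal for this designator kind, the XPath selects exactly one element,
    that element is of the declared type, and (RuleDesignator only) the RuleDigest matches.
    Only the XPath subset that ElementTree understands is supported."""
    if datatype not in ALLOWED_DATATYPES[kind]:
        raise ValueError("%s is not a legal DataType for %s" % (datatype, kind))
    root = ET.fromstring(doc_xml)
    matches = root.findall(designator, namespaces=NS)
    if len(matches) != 1:
        raise ValueError("designator must select exactly one element, selected %d" % len(matches))
    elem = matches[0]
    if elem.tag != datatype_tag(datatype):
        raise ValueError("selected <%s> but DataType declares %s" % (elem.tag, datatype))
    if kind == "RuleDesignator" and digest is not None and rule_digest(elem, alg) != digest:
        raise ValueError("RuleDigest mismatch: the referenced Rule is not the one digested")
    return elem


def designator_rejected(**kwargs):
    """True when resolve_designator refuses the designator described by kwargs."""
    try:
        resolve_designator(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    rule = resolve_designator(SAMPLE_POLICY_XML, "RuleDesignator",
                              ".//xacml:Rule[@RuleId='r2']", "xacml:Rule")
    print("resolved Rule", rule.get("RuleId"), "with Effect", rule.get("Effect"))
    print("RuleDigest (SHA-1, base64):", rule_digest(rule))
    print("ambiguous XPath rejected:",
          designator_rejected(doc_xml=SAMPLE_POLICY_XML, kind="RuleDesignator",
                              designator=".//xacml:Rule", datatype="xacml:Rule"))
```

The digest check is what makes a RuleDesignator safe to dereference across trust boundaries: the XPath says where to look, the DataType says what kind of element is acceptable, and the digest pins which exact Rule was meant, so a Rule swapped in at the referenced location is refused rather than silently evaluated.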