
Subject: [xacml] [schema] {PolicySet|Policy|Rule}Designator issue


PolicySetDesignator, PolicyDesignator, and RuleDesignator were
intended to be a way to include a PolicySet, Policy, or Rule by
reference.  This might be due to the referenced entity being
defined in another XML document, or due to it being defined by
another Policy Administration Point, or due to it being located
in a database from which it is to be selected as needed.

We also intended to allow (but not require) referenced PolicySets
and Policies to be encapsulated in a SAML assertion, which in
turn might be signed.

The draft-xacml-schema-policy-15g.xsd definition of these types
has some problems in supporting the intended functionality,
particularly for PolicySetDesignatorType and
PolicyDesignatorType:

	<xs:complexType name="PolicySetDesignatorType">
		<xs:sequence>
			<xs:element name="PolicySetId" type="xs:anyURI" minOccurs="0"/>
			<xs:element name="PolicySetAssertion" type="saml:AssertionType"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:complexType name="PolicyDesignatorType">
		<xs:sequence>
			<xs:element name="PolicyId" type="xs:anyURI" minOccurs="0"/>
			<xs:element name="PolicyAssertion" type="saml:AssertionType"/>
		</xs:sequence>
	</xs:complexType>

These current definitions do not support remote references at
all: they force in-line inclusion of a SAML assertion.  This also
forces support for ALL of SAML by compliant XACML PDPs, which is
not our intent!

RECOMMENDATIONS:

1. Treat PolicySet, Policy, and Rule Designators the same way we
   treat AttributeDesignators: describe the element(s) to be 
   obtained using an XPATH expression.

2. Specify in the text that the XPATH expression must point to a
   valid PolicySet, Policy, or Rule element, or to a SAML
   assertion that encapsulates a valid PolicySet, or Policy.

3. Retain the optional "RuleDigest" element for
   RuleDesignatorType, since we do not support Rules in SAML
   assertions.

4. Make it clear that support for saml:Assertion is not
   mandatory-to-implement.

PROPOSED SCHEMA:

<xs:complexType name="PolicySetDesignatorType">
    <xs:attribute name="Designator" type="xs:anyURI" use="required"/>
    <xs:attribute name="DataType"
           type="xacml:PolicySetDesignatorValueType" use="required"/>
    <!-- Designator must be a legal XPath expression -->
</xs:complexType>

What I want to do is restrict the DataType to be an
xacml:PolicySet, an xacml:Policy, or a saml:Assertion.  The
following type may not do what I intend, but it is a start:

<xs:simpleType name="PolicySetDesignatorValueType">
    <xs:restriction base="xs:string">
        <xs:enumeration value="xacml:PolicySet"/>
        <xs:enumeration value="xacml:Policy"/>
        <xs:enumeration value="saml:Assertion"/>
        <!-- Assertion must encapsulate an xacml:PolicySet or xacml:Policy -->
        <!-- support for saml:Assertion is optional -->
    </xs:restriction>
</xs:simpleType>
<!-- -->
<xs:complexType name="PolicyDesignatorType">
    <xs:attribute name="Designator" type="xs:anyURI" use="required"/>
    <xs:attribute name="DataType"
           type="xacml:PolicyDesignatorValueType" use="required"/>
    <!-- Designator must be a legal XPath expression -->
</xs:complexType>
<xs:simpleType name="PolicyDesignatorValueType">
    <xs:restriction base="xs:string">
        <xs:enumeration value="xacml:Policy"/>
        <xs:enumeration value="xacml:Rule"/>
        <xs:enumeration value="saml:Assertion"/>
        <!-- Assertion must encapsulate an xacml:Policy -->
        <!-- support for saml:Assertion is optional -->
    </xs:restriction>
</xs:simpleType>
<!-- -->
<xs:complexType name="RuleDesignatorType">
    <xs:sequence>
        <xs:element name="RuleDigest" minOccurs="0">
            <xs:complexType>
                <xs:attribute name="DigestAlgId" type="xs:string" default="SHA-1"/>
                <xs:attribute name="Base64Digest" type="xs:string"/>
            </xs:complexType>
        </xs:element>
    </xs:sequence>
    <xs:attribute name="Designator" type="xs:anyURI" use="required"/>
    <xs:attribute name="DataType"
           type="xacml:RuleDesignatorValueType" use="required"/>
    <!-- Designator must be a legal XPath expression that selects
         an xacml:Rule element -->
</xs:complexType>
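As an added illustration (not part of this message or of any XACML TC draft), the following Python sketch shows the checks a PDP would perform when dereferencing a Designator under the proposed scheme: evaluate the XPath, confirm the selected element matches the declared DataType, unwrap a saml:Assertion to the PolicySet/Policy it encapsulates, and compare a RuleDigest against the selected Rule. The namespace URIs, sample document and element structure are assumptions; ElementTree only supports an XPath subset.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespace URIs are assumed; the draft-15g schema may bind others.
XACML = "urn:oasis:names:tc:xacml:1.0:policy"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"xacml": XACML, "saml": SAML}
ET.register_namespace("xacml", XACML)
ET.register_namespace("saml", SAML)

# Constructed sample: a bare PolicySet plus a Policy wrapped in a SAML assertion.
DOC = f"""<Root xmlns:xacml="{XACML}" xmlns:saml="{SAML}">
  <xacml:PolicySet PolicySetId="ps1"/>
  <saml:Assertion AssertionID="a1">
    <xacml:Policy PolicyId="p1">
      <xacml:Rule RuleId="r1" Effect="Permit"/>
    </xacml:Policy>
  </saml:Assertion>
</Root>"""
ROOT = ET.fromstring(DOC)

# Qualified element name each DataType enumeration value is allowed to select.
ALLOWED = {"xacml:PolicySet": f"{{{XACML}}}PolicySet",
           "xacml:Policy": f"{{{XACML}}}Policy",
           "xacml:Rule": f"{{{XACML}}}Rule",
           "saml:Assertion": f"{{{SAML}}}Assertion"}

def resolve(root, designator, data_type):
    """Select the element a Designator names and check it against DataType."""
    if data_type not in ALLOWED:
        raise ValueError(f"unknown DataType {data_type}")
    hits = root.findall(designator, NS)
    if len(hits) != 1:  # a reference must be unambiguous
        raise ValueError(f"designator selected {len(hits)} elements, expected 1")
    el = hits[0]
    if el.tag != ALLOWED[data_type]:
        raise ValueError(f"{designator} selected {el.tag}, not {data_type}")
    if data_type == "saml:Assertion":  # must encapsulate one PolicySet or Policy
        wanted = (ALLOWED["xacml:PolicySet"], ALLOWED["xacml:Policy"])
        inner = [c for c in el if c.tag in wanted]
        if len(inner) != 1:
            raise ValueError("assertion does not encapsulate exactly one PolicySet/Policy")
        return inner[0]
    return el

def rule_digest(rule):
    """Base64 SHA-1 (the RuleDigest default) over the Rule's serialization.
    Real deployments should canonicalize (C14N) before hashing."""
    return base64.b64encode(hashlib.sha1(ET.tostring(rule)).digest()).decode()

def verify_rule_digest(rule, base64_digest):
    return rule_digest(rule) == base64_digest
```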

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692