Subject: [xacml] Structured names


Colleagues - I am adding text to Section 4 (Models) on structured subject-names, resource-names and resources.  Here is a first cut.  Can you let me know if this is inconsistent with your understanding of the topic, and whether more thorough discussion is warranted?  Thanks a lot.  All the best.  Tim.

Certain subject name-forms, resource name-forms and certain types of resource are internally structured.  For instance, the X.500 directory name-form, DNS name-form and RFC 822 name-form are structured subject name-forms, whereas an account number commonly has no discernible structure.  UNIX file-system path-names and URIs are examples of structured resource name-forms.  And an XML document is an example of a structured resource.

Generally, the name of a node (other than a leaf node) in a structured name-form is also a legal instance of the name-form.  So, for instance, the DNS name "medico." is a legal DNS name identifying the set of resources in all the sub-domains.  Similarly, the RFC 822 name "medico.com" is a legal RFC 822 name identifying the set of mail addresses hosted by the medico.com mail server.  And the XPath/XPointer value "..." is a legal XPath/XPointer value identifying a portion of an XML document.

The question arises: how should a name that identifies a set of subjects or resources be interpreted by the PDP, whether it appears in a policy or a context?  Is it intended to represent just the node explicitly identified by the name, or is it intended to represent the entire sub-tree subordinate to that node?

In the case of subjects, there is no real entity that corresponds to such a node.  So, names of this type always refer to the set of subjects subordinate in the name structure to the identified node.  Consequently, subject node names should not be used in equality functions, only in match functions.

On the other hand, in the case of resource names and resources themselves, three options exist.  The name could refer to:

1. the contents of the identified node only,
2. the contents of the identified node and the contents of its immediate child nodes or
3. the contents of the identified node and all its descendant nodes.
All three options are supported.

-----------------------------------------
Tim Moses
Tel: 613.270.3183
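Editor's note: the following is an added example, not part of Tim Moses' message or of the XACML draft text it proposes. It shows, in Python, the distinction the message draws between testing a structured name for equality and matching it against a sub-tree, and it implements the three resource scopes listed above (node only, node plus immediate children, node plus all descendants). The component-splitting rules for the UNIX path, DNS and RFC 822 name-forms, the `Scope` names and the sample names are the editor's own assumptions, constructed for illustration; they are not identifiers from any XACML specification.

```python
"""Added example (editor's, not from the message or any XACML spec):
a small matcher for structured names that separates equality of a node
name from matching against the sub-tree the node name denotes.
Name-form splitting rules, Scope names and sample names are assumptions."""

from enum import Enum


class Scope(Enum):
    """The three resource interpretations listed in the message (names assumed)."""
    NODE = 1         # the contents of the identified node only
    CHILDREN = 2     # the node and its immediate child nodes
    DESCENDANTS = 3  # the node and all its descendant nodes


def unix_path_components(name: str) -> list[str]:
    """'/var/log/auth.log' -> ['var', 'log', 'auth.log'], ordered root to leaf."""
    return [c for c in name.split("/") if c]


def dns_components(name: str) -> list[str]:
    """'www.medico.com.' -> ['com', 'medico', 'www'], ordered root to leaf.
    A trailing dot marks an absolute name and is stripped; labels are
    case-folded because DNS labels compare case-insensitively."""
    return [c.lower() for c in reversed(name.rstrip(".").split(".")) if c]


def rfc822_components(name: str) -> list[str]:
    """'alice@mail.medico.com' -> ['com', 'medico', 'mail', 'alice'].
    A bare domain with no '@' names the set of addresses at that server,
    so the domain labels form the prefix and the local part is the leaf
    (case-folding the local part is an assumption for this example)."""
    local, sep, domain = name.rpartition("@")
    comps = dns_components(domain)
    if sep:
        comps.append(local.lower())
    return comps


def matches(policy_name: list[str], candidate: list[str], scope: Scope) -> bool:
    """True if `candidate` lies within `policy_name` under `scope`.
    Both arguments are root-to-leaf component lists; a candidate that is
    not in the sub-tree at all (including one shorter than the policy
    name) never matches, whatever the scope."""
    n = len(policy_name)
    if candidate[:n] != policy_name:
        return False
    depth = len(candidate) - n  # 0 means the identified node itself
    if scope is Scope.NODE:
        return depth == 0        # equality on the node name
    if scope is Scope.CHILDREN:
        return depth <= 1
    return True                  # Scope.DESCENDANTS


def subject_matches(policy_name: str, candidate: str, components) -> bool:
    """Subject names: no real entity sits at an interior node, so a node
    name always denotes the sub-tree beneath it. A leaf name still matches
    itself (depth 0), so this is a match function, never a plain equality."""
    return matches(components(policy_name), components(candidate), Scope.DESCENDANTS)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real deployment.
    policy = unix_path_components("/var/log")
    for res in ("/var/log", "/var/log/auth.log", "/var/log/nginx/access.log", "/var/logs"):
        comps = unix_path_components(res)
        print(res, [s.name for s in Scope if matches(policy, comps, s)])
    print("medico.com covers alice@mail.medico.com:",
          subject_matches("medico.com", "alice@mail.medico.com", rfc822_components))
```

Usage note: `Scope.NODE` is the only interpretation under which a resource name behaves like an equality test; for subject names the message's rule is hard-wired in `subject_matches`, which always evaluates the sub-tree, so a policy naming "medico.com" matches every mailbox hosted there while "alice@medico.com" matches only that one address.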


