Subject: Re: [xacml] change request: xacml context attributes and data types
I agree with removing the dataType attribute from the xacml-context:Attribute.
However, the implications are this: If you have an Attribute of "subject-id" and
its value is:

    <AttributeValue>CN=Simon Godik, O=OverXeer, OU=Research</AttributeValue>

What does the designator:

    <SubjectMatch MatchId="function:rfc822Name-equal">
      <SubjectAttributeDesignator AttributeId="subject-id"/>
      <AttributeValue>simon@godik.com</AttributeValue>
    </SubjectMatch>

evaluate to? Does it evaluate to "indeterminate" because the formal type of
rfc822Name-equal is xacml:rfc822Name -> xacml:rfc822Name -> Bool and the
attribute value is an invalid representation of an rfc822Name? Or does it
evaluate to "false"?

The question in the context of its application: the
<SubjectAttributeDesignator Attribute="subject-id"> shall return a bag of
"rfc822Name", which means that every "subject-id" attribute must have a
parseable rfc822Name representation as a value. So, does the designator return
"indeterminate" because not *all* values under "subject-id" are valid string
representations of rfc822Name? Or does it return a bag of rfc822Names of *only*
the values under "subject-id" that do have valid string representations of
rfc822Names? In the example above, for the latter case, this designator would
return an empty bag.

I don't think I'll be able to comment much further, I have to leave real soon.
It's food for thought.

Cheers,
-Polar

On Fri, 27 Sep 2002, Simon Godik wrote:

> Currently <xacml-context:Attribute> element allows DataType attribute.
>
> Rationale for keeping DataType attribute in the <xacml-context:Attribute>
> element was that it can sometimes be helpful, such as specifying subject-id
> format, like subject-id="cn=simon", data-type="x500-name"
>
> But this information is redundant, because subject-id attribute will be
> passed to the specific function that expects arguments of certain type. For
> example, if subject-id is passed to the x500Name-equal function it expects
> its arguments to be in x500 name format.
>
> So data type does not add value here.
>
> Another problem is that we can not access DataType attribute with
> AttributeDesignator.
>
> Proposal: remove DataType attribute from the <xacml-context:Attribute>.
>
> Simon
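The two designator semantics Polar contrasts, modelled side by side as an added example that is not part of the thread: a strict designator that returns Indeterminate when any "subject-id" value fails to parse as rfc822Name, and a lenient one that keeps only the parseable values (so the thread's X.500 value alone yields an empty bag and a false match). The request contexts, the `strict` switch and the simplified rfc822Name check are constructed for the example; the case-insensitive domain comparison is an assumption, not something the thread states.

```python
import re

# Approximate rfc822Name syntax (local-part@domain); constructed for this
# example, not the full RFC 822 grammar.
_RFC822 = re.compile(r"^[^\s@]+@[^\s@]+$")


class Indeterminate(Exception):
    """A value cannot be represented in the designator's declared type."""


def parse_rfc822name(value):
    """Canonical rfc822Name or Indeterminate. Assumption: domain part is
    compared case-insensitively, local part as given."""
    if not _RFC822.match(value):
        raise Indeterminate("not an rfc822Name: %r" % value)
    local, domain = value.split("@")
    return local + "@" + domain.lower()


def designator(context, attribute_id, parse, strict):
    """Bag of typed values for attribute_id under one of the two semantics:
    strict=True  -> Indeterminate if *any* matching value fails to parse;
    strict=False -> keep only the values that parse (may be an empty bag)."""
    bag = []
    for attr in context:
        if attr["AttributeId"] != attribute_id:
            continue
        try:
            bag.append(parse(attr["AttributeValue"]))
        except Indeterminate:
            if strict:
                raise
    return bag


def evaluate_subject_match(context, literal, strict):
    """SubjectMatch with MatchId rfc822Name-equal: 'True' if any bag member
    equals the literal, 'False' for no match or an empty bag, 'Indeterminate'
    if the designator itself fails."""
    try:
        bag = designator(context, "subject-id", parse_rfc822name, strict)
    except Indeterminate:
        return "Indeterminate"
    target = parse_rfc822name(literal)
    return "True" if any(v == target for v in bag) else "False"


# Constructed request contexts: the thread's X.500 value alone, and the same
# value alongside a genuine rfc822Name for the same subject-id.
X500_ONLY = [{"AttributeId": "subject-id",
              "AttributeValue": "CN=Simon Godik, O=OverXeer, OU=Research"}]
MIXED = X500_ONLY + [{"AttributeId": "subject-id",
                      "AttributeValue": "simon@GODIK.com"}]
```

Running `evaluate_subject_match(MIXED, "simon@godik.com", strict)` with both switch settings shows the practical difference: one unparseable value in the bag either poisons the whole match (strict) or is silently dropped (lenient), which is what a PDP implementer has to decide before the designator's result type can be trusted.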