[xacml] Comments on XACML Specification Draft v18d. Forwarded messagefrom yassir elley.

[Anne Anderson <Anne.Anderson@Sun.com>]

These are comments from another reviewer in my work group. -Anne
------- start of forwarded message -------
From: yassir elley <yassir.elley@Sun.COM>

I read through Draft v18d of the XACML spec and had a few editorial
comments. Perhaps these can be appropriately forwarded by Anne somewhere.
I have divided my editorial comments into general comments and additional
comments. The general comments are mostly about Example Two. The
additional comments are just typos.

Regards,
Yassir.

General Comments
================
1) Example two specifies four separate rules, as well as a request
context "to which the example rules are intended to be applicable."
Unfortunately, none of the example rules are applicable to the 
request context that is specified. This should probably be fixed.

2) As part of the Target, each of the rules includes a <ResourceMatch> of
<ResourceAttributeDesignator AttributeId="urn:...:target-namespace" ...>
Since "target-namespace" is not included as a Resource Attribute in the
request context, none of the rules will ever match. Perhaps
"target-namespace" should be included as a Resource Attribute in the
request context.

3) Rules 1, 2, and 3 make use of an AttributeSelector as part of a 
Condition. The AttribueSelector has an XML attribute named 
RequestContextPath (RCP). The syntax of the RCP is inconsistent among
the rules and should be made consistent. For example:
Rule 1: RCP="//ctx:ResourceContent/md:record/"
Rule 2: RCP="/ctx:Request//ctx:ResourceContent/md:record/"
Rule 3: RCP="/ctx:Request/ctx:Resource/ctx:ResourceContent/md:record/"

4) In Section 5.6 (line 1951), it is somewhat strange that the
explanatory text for <Subject> reads "A disjunctive sequence of
<Subject> elements." This seems more appropriate for the <Subjects>
element. This same pattern occurs with the explanatory text for
<Resource> (line 2015) and <Action> (line 2078)

Additional Comments (appended by relevant line number)
======================================================
1041: insert "//" (i.e. "http://www.medico.com";)
1049: insert "//" (i.e. "http://www.medico.com";)
1069: replace "[14]-[72]" with "[15]-[22]"
1085: Rule 1 states "A person may read any record for which he or 
      she is the designated patient." In Example 4.2.4.1, however,
      the policy-number in the medical record is compared with
      the policy-number attribute of the subject. This is slightly
      confusing.
1107: replace "scheams" with "schemas"
1131: replace "xpath-match" with "xpath-node-match"
1184: replace "authorization decision request such, that the value" with
              "authorization decision request, such that the value"
1201: insert "the" before "explicit value"
1296: replace "xpath-match" with "xpath-node-match"
1346: "md:parentGuardianId" doesn't exist in example medical record.
      It should be added.
1541: "md:physicianId" doesn't exist in example medical record. There is
      however a "registrationId". These should be made consistent.
1600: replace "exampes:attributes:group" with "example:attribute:role"
1604: replace "read" with "write"
1675: replace "xpath-match" with "xpath-node-match"
1726: replace ""read"" with ""read" or "write""
1933: remove duplicate "for the"
2225: insert ",action," after "resource"
2280: <SubjectAttributeDesignator> is missing
2333: replace "Shall" with "SHALL"
2384: replace "contains following attributes" with "contains the 	
      following attribute"
2434: insert "in" after "resulting"
2599: replace "Distingwished" with "Distinguished"
2704: replace "dn" with "DN"
3286: resource:resource-id is marked as Optional. Earlier, the spec
      specifies that "the <Resource> element MUST contain one 
      and only one <Attribute> with AttributeId "urn:...:resource-id".
      This should probably be marked Mandatory, not Optional.
3920: replace "second" with "third"
4696: replace "CombinginAlogrithm" with "CombiningAlgorithm"

------- end of forwarded message -------

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692