Subject: More errata
Simon, these comments came in later than the ones you have in your current Errata document. Could you add them to the Errata document for the next version? These errata are not fixed in the Version 1.0 Standard. I've reworded all the errata to fit the format of the Errata document, and I've added correct section and line numbers from the Version 1.0 Standard.

<Status> element MAY list: include action and environment
Reported by: Satoshi Hada
Message: http://lists.oasis-open.org/archives/xacml-comment/200302/msg00014.html
Description: Section "7.10 Authorization decision", line 3003, says [when PDP returns missing-attribute status code] "the <Status> element MAY list the names and data-types of any attributes of the subjects and the resource that are needed by the PDP to refine its decision." This should also apply to action and environment attributes.
Options: Change line 3003 to "...attributes of the subjects, resource, action, or environment..."
Disposition:

<Status> element MUST NOT list: include action and environment
Reported by: Satoshi Hada
Message: http://lists.oasis-open.org/archives/xacml-comment/200302/msg00014.html
Description: Section "7.10 Authorization decision", line 3010, says [when PDP returns missing-attribute status code] "it MUST NOT list the names and data-types of any attribute of the subject or the resource for which values were supplied in the original request." This should also apply to action and environment attributes.
Options: Change line 3010 to "...any attribute of the subjects, resource, action, or environment for which values were supplied..."
Disposition:

<AttributeValue> occurrence inconsistency in spec
Reported by: Satoshi Hada
Message: http://lists.oasis-open.org/archives/xacml-comment/200302/msg00015.html
Description: Section "6.7 Element <Attribute>", line 2666, says <AttributeValue> is [Optional]. It is actually mandatory, although the sequence in the contents is minOccurs="0" and thus [AnyNumber].
Options: Change line 2666 "[Optional]" to "[Mandatory]". Change line 2667 from "At most one attribute value." to "Exactly one attribute value. The mandatory attribute value may have contents that are empty, occur once, or occur multiple times."
Disposition:

Missing <AttributeValue> contents with AttributeDesignator MustBePresent unclear
Reported by: Satoshi Hada
Message: http://lists.oasis-open.org/archives/xacml-comment/200302/msg00015.html
Description: The schema says that Request <AttributeValue> sequence contents are minOccurs="0". If an AttributeDescriptor containing MustBePresent="true" matches a Request <Attribute> for which the <AttributeValue> contains no contents, is the "MustBePresent" condition satisfied or not?
Options: In Section "5.27 Complex type AttributeDesignatorType", under the description of the "MustBePresent" attribute, line 2260, add the following sentence after 'SHALL result in "Indeterminate".':
  If the named attribute is present, but has an empty <AttributeValue> element, and if MustBePresent is "True", then this element is considered present and this element SHALL result in an empty bag and SHALL NOT result in "Indeterminate".
Disposition:

Missing <AttributeValue> contents with AttributeSelector MustBePresent unclear
Reported by: Satoshi Hada
Message: http://lists.oasis-open.org/archives/xacml-comment/200302/msg00016.html
Description: The semantics of the "MustBePresent" attribute in an <AttributeSelector> are not specified in as much detail as they are for an <AttributeDesignator>.
Options: In Section "5.32 Element <AttributeSelector>", in the description of the "MustBePresent" attribute, append to line 2430:
  If the XPath expression selects no node, and the MustBePresent attribute is TRUE, then the result is "Indeterminate" and the status code SHALL be "urn:oasis:names:tc:xacml:1.0:status:missing-attribute".
  If the XPath expression selects no node, and the MustBePresent attribute is missing or FALSE, then the result is an empty bag.
  If the XPath expression selects at least one node and the selected node(s) could be successfully converted to a bag of values of the specified data-type, then the result is the bag, regardless of the value of the MustBePresent attribute.
  If the XPath expression selects at least one node, but there is an error in converting one or more of the nodes to values of the specified data-type, then the result is "Indeterminate" and the status code SHALL be "urn:oasis:names:tc:xacml:1.0:status:processing-error" [should it be "missing-attribute" instead?], regardless of the value of the MustBePresent attribute.
Disposition:

Is <XPathVersion> element required when using an XPath-based function
Reported by: Satoshi Hada
Message: http://lists.oasis-open.org/archives/xacml-comment/200302/msg00017.html
Description: Section "5.4 Element <XPathVersion>" says that the <XPathVersion> element is required if <AttributeSelector> elements are used, but it does not say whether it is required if XPath-based functions are used.
Options: In Section "5.4 Element <XPathVersion>", append the following to line 1845:
  The <XPathVersion> element is REQUIRED if the XACML enclosing policy set or policy contains elements using any XPath-based functions (see Appendix A 14.13 XPath-based functions).

Context node for XPath-based functions not specified
Reported by: Satoshi Hada
Message: http://lists.oasis-open.org/archives/xacml-comment/200302/msg00017.html
Description: Section "A 14.13 XPath-based functions" does not specify what the context node for the XPath expressions is.
Options: In Section "A 14.13 XPath-based functions", append the following sentence after "...in the isolation of the particular function specified.":
  The context node for the XPath expression in the XPath-based functions is the <xacml-context:Request> element.
Disposition:

Incorrect access-subject urn in 5.28 <SubjectAttributeDesignator>
Reported by: Satoshi Hada
Message: http://lists.oasis-open.org/archives/xacml-comment/200302/msg00018.html
Description: Section "5.28 Element <SubjectAttributeDesignator>" lines 2294 and 2303 use an incorrect URN for "access-subject". The URN used here omits the "names" component of the standard xacml:1.0 URN.
Options: In Section "5.28 Element <SubjectAttributeDesignator>", on both lines 2294 and 2303, replace "urn:oasis:tc:xacml:1.0:subject-category:access-subject" with "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject".
Disposition:

Missing semantics for <AttributeAssignment> child elements
Reported by: Satoshi Hada
Message: http://lists.oasis-open.org/archives/xacml-comment/200302/msg00020.html
Message: http://lists.oasis-open.org/archives/xacml-comment/200302/msg00021.html
Message: http://lists.oasis-open.org/archives/xacml-comment/200302/msg00022.html
Description: The semantics for the child elements of an <AttributeSelector> are not specified, although three different kinds of child elements are used in the example Rule 3 in Section 4.2.4.3.
Options: Specify the semantics in Section "5.36 Element <AttributeAssignment>" [exact wording TBD]
Disposition:

Unclear how to convert nodes from XPath expression into bag of attributes
Reported by: Satoshi Hada
Message: http://lists.oasis-open.org/archives/xacml-comment/200302/msg00023.html
Description: Section "5.32 Element <AttributeSelector>" says that the constructor functions defined in [XF] are to be used in converting the nodes selected by an XPath expression into a bag of attributes. But the constructor functions are defined only for LITERAL input. How is each selected node converted into a LITERAL? For example, how is an element node converted into a LITERAL?
Options: [wording TBD]
Disposition:

Anne Anderson
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
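
Added example (not part of the original message or of the XACML specification): the four <AttributeSelector> "MustBePresent" outcomes proposed in the erratum above, written as a small Python evaluator with the <Request> element as context node. The request document, the function and constant names, and the choice to take a node's text content as its literal are assumptions; the conversion-error case uses processing-error as the proposed wording is written, leaving the bracketed question open.

```python
import re
import xml.etree.ElementTree as ET

MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"
PROCESSING_ERROR = "urn:oasis:names:tc:xacml:1.0:status:processing-error"
NS = {"ctx": "urn:oasis:names:tc:xacml:1.0:context"}
XS_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed request context, for illustration only.
REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Resource><ResourceContent>
    <record><age>42</age><age>17</age><weight>heavy</weight></record>
  </ResourceContent></Resource>
</Request>"""
ROOT = ET.fromstring(REQUEST)  # context node: the <Request> element
RECORD = "ctx:Resource/ctx:ResourceContent/ctx:record/"


def to_integer(text):
    # Strict lexical check: int() alone would also accept "4_2" or " 42 ".
    if not re.fullmatch(r"[+-]?[0-9]+", text):
        raise ValueError("not an xs:integer literal: %r" % text)
    return int(text)


CONVERTERS = {XS_INTEGER: to_integer, XS_STRING: str}


def evaluate_selector(root, path, data_type, must_be_present=False):
    """Return ("Bag", values) or ("Indeterminate", status_code)."""
    convert = CONVERTERS[data_type]
    nodes = root.findall(path, NS)
    if not nodes:
        # No node selected: only MustBePresent turns this into an error.
        if must_be_present:
            return ("Indeterminate", MISSING_ATTRIBUTE)
        return ("Bag", [])
    try:
        # Assumption: a node's literal is its text content.
        bag = [convert(node.text or "") for node in nodes]
    except ValueError:
        # A conversion failure is an error regardless of MustBePresent.
        return ("Indeterminate", PROCESSING_ERROR)
    return ("Bag", bag)


if __name__ == "__main__":
    for name, mbp in [("ctx:age", True), ("ctx:height", True),
                      ("ctx:height", False), ("ctx:weight", False)]:
        print(name, mbp, evaluate_selector(ROOT, RECORD + name, XS_INTEGER, mbp))
```

A policy engine that returned an empty bag in the conversion-error case would silently evaluate a rule against missing data, which is why the proposed text makes that outcome "Indeterminate" even when MustBePresent is false.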