Subject: attribute data types: schema or identifier?
Hal,

I agreed to send the SSTC my explanation for why using a schema to define the data type of an attribute is not sufficient. But I don't think that was ever an issue for the SSTC - it certainly is not captured in the notes I made at the SAML F2F.

For anyone who is interested, some XML-based systems do not include a DataType for what corresponds to an AttributeValue in XACML. Instead, the attribute value effectively is a "string" that is parsed as an XML schema instance. The schema-specified syntax is the specification of the data type of the attribute.

There are good reasons not to use this approach in XACML or any system where attribute values must be manipulated, rather than simply passed around. An XACML PDP must know not only the syntax of an attribute value, but also the semantics for how to handle it in functions (compare it for greater than or less than, add it to another value, etc.). If attribute values were defined as schema instances, then not only would the PDP have to locate and process the schema associated with each attribute, but the PDP would also have to be augmented with code that understands the semantics of the schema-defined information. This means no "standard" language processor would be able to deal with attribute values in general. Some set of attribute value schemas and semantics could be defined as part of the standard, but the value of the "extensibility" gained would be questionable. The languages would be easily "extensible" in syntax, but not so easily extensible in semantics. It also means that companies could define proprietary schemas for AttributeValues, hindering interoperability.

XACML, by contrast, has chosen to define a rich set of DataTypes that are explicitly supported by all conforming PDPs. Most useful attributes can be defined in terms of these DataTypes and thus can be supported by any standard XACML PDP. No new code modules are required except where a new DataType is defined.
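As an added example (not code from the post or from any XACML implementation), the following toy PDP comparison routine makes the distinction concrete. For a standard DataType such as `http://www.w3.org/2001/XMLSchema#integer` the PDP knows the semantics and can evaluate functions like greater-than; for a schema-defined DataType (the URI `urn:example:clearance#Clearance` and the clearance documents are constructed placeholders) the only function a generic PDP can offer is byte-string equality after canonicalization, which is exactly the fallback discussed later in the post. Canonicalization uses the standard library's `xml.etree.ElementTree.canonicalize` (Python 3.8+).

```python
"""Toy attribute comparison for an XACML-style PDP (illustrative, not a real PDP)."""
import xml.etree.ElementTree as ET

# Standard XACML DataType identifiers (XML Schema built-ins).
XS_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Hypothetical schema-derived DataType: schema namespace plus element name,
# as the post suggests. Constructed placeholder, not a registered identifier.
SCHEMA_CLEARANCE = "urn:example:clearance#Clearance"


class UnsupportedFunction(Exception):
    """Raised when the PDP has no standard semantics for a DataType/function pair."""


def canonical_bytes(xml_text: str) -> bytes:
    """Canonical XML (C14N 2.0) bytes of an instance document.

    strip_text removes leading/trailing whitespace in text nodes, so
    indentation differences between two serializations do not matter.
    """
    return ET.canonicalize(xml_data=xml_text, strip_text=True).encode("utf-8")


def attr_equal(datatype: str, a: str, b: str) -> bool:
    """XACML-style *-equal: the PDP dispatches on the DataType URI."""
    if datatype == XS_INTEGER:
        return int(a) == int(b)          # numeric semantics: "03" equals "3"
    if datatype == XS_STRING:
        return a == b                    # plain string semantics
    # Schema-defined DataType: the PDP knows only that the value is a schema
    # instance, so the best it can do is compare canonical byte strings.
    return canonical_bytes(a) == canonical_bytes(b)


def attr_greater_than(datatype: str, a: str, b: str) -> bool:
    """XACML-style *-greater-than: only defined where the PDP knows the semantics."""
    if datatype == XS_INTEGER:
        return int(a) > int(b)
    # For a schema-defined DataType the PDP has no ordering semantics; a real
    # deployment would need PDP-specific code for this, which is the post's point.
    raise UnsupportedFunction(f"greater-than is not defined for DataType {datatype}")


# Constructed sample AttributeValues: the same clearance, serialized differently
# (attribute order, indentation, empty-element form).
CLEARANCE_A = """<Clearance level="3" agency="ACME">
  <Scope>projects</Scope>
</Clearance>"""
CLEARANCE_B = '<Clearance agency="ACME" level="3"><Scope>projects</Scope></Clearance>'
CLEARANCE_C = '<Clearance agency="ACME" level="4"><Scope>projects</Scope></Clearance>'


def demo() -> dict:
    """Run the comparisons a PDP could and could not standardize."""
    results = {
        "int_equal_03_vs_3": attr_equal(XS_INTEGER, "03", "3"),
        "int_gt_10_vs_9": attr_greater_than(XS_INTEGER, "10", "9"),
        "string_equal_03_vs_3": attr_equal(XS_STRING, "03", "3"),
        "schema_equal_A_vs_B": attr_equal(SCHEMA_CLEARANCE, CLEARANCE_A, CLEARANCE_B),
        "schema_equal_A_vs_C": attr_equal(SCHEMA_CLEARANCE, CLEARANCE_A, CLEARANCE_C),
    }
    try:
        attr_greater_than(SCHEMA_CLEARANCE, CLEARANCE_A, CLEARANCE_C)
        results["schema_gt_supported"] = True
    except UnsupportedFunction:
        results["schema_gt_supported"] = False
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that `schema_equal_A_vs_B` is true even though the two documents differ in whitespace and attribute order, while a level-3 versus level-4 clearance cannot be ordered by the generic PDP: the `level` attribute is plainly a number to a human reader, but nothing in the DataType tells the PDP that.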
XACML does support using an XML schema as the "DataType" for an attribute: use the schema namespace and element name as the URI of the DataType. This allows XACML to support Attributes that are defined using schemas as well as any other system. But the only operation on such DataTypes that could be standardized and supported in all PDPs is a byte-string comparison for equality between two instances of the AttributeValue (after canonicalization). It is probably just as easy to define the DataType for such a value as "string" and require operationally that the AttributeValue be the output of canonicalizing the schema instance.

Anne
--
Anne H. Anderson                 Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories    Tel: 781/442-0928
1 Network Drive, UBUR02-311      Fax: 781/442-1692
Burlington, MA 01803-0902 USA