OASIS Mailing List Archives

xacml message



Subject: RE: [xacml] Questions on Attributes in Specification


Rebekah - Please see below for proposed resolutions.  All the best.  Tim.

-----Original Message-----
From: Rebekah Lepro [mailto:rlepro@arc.nasa.gov] 
Sent: Wednesday, January 07, 2004 5:27 PM
To: xacml
Subject: [xacml] Questions on Attributes in Specification


Happy Belated Holidays all...

I'm working through my notes on "current usage of attributes within the
XACML" specification to propose wording changes as per my work item.  I have
several questions that I'd like to pose to the committee to ensure my
understanding of specification details before I complete my task.    I've
outlined these questions (and relevant line numbers below).

Thank you for the insight!

Rebekah

----

1)  ResourceAttributeDesignator (lines 2318 - 2327),
ActionAttributeDesignator (2343 - 2352) and EnvironmentAttributeDesignator
(lines 2369 - 2378) all refer to "a bag containing all the (resource,
action, environment) attribute values that are matched by the named
(resource, action, environment) attribute".

a)  I presume this text corresponds to the description of the returned bag
for an AttributeSelector as described in line 2448 - 2454?

b)  In the section for SubjectAttributeDesignator (lines 2268 - 2310), there
is no mention of a bag returned containing the values even for a categorized
subject.  Does this imply a different processing requirement for
SubjectAttributeDesignators?

<TM>
The text describing the various attribute designators (subject, resource,
etc.) has been aligned in WS 06.  The text for ResourceAttributeDesignator
has been taken as the model, with adjustments to take subject categories
into account.
</TM>

2)  Can an element be defined directly with the type AttributeDesignatorType
or was the intention that this complex type definition serve only as the
root of a type hierarchy?

<TM>
Resource, action and environment attribute designators are of type
AttributeDesignatorType.  SubjectAttributeDesignatorType extends
AttributeDesignatorType by the addition of the subject-category attribute.
</TM>

3)  Lines 2445 - 2454 define processing rules that relate to the
MustBePresent attribute of an AttributeSelector, including the required
status code.  No such constraint on the required status code is listed in
lines 2264 - 2266 for AttributeDesignators.  Should there be mandatory status
codes specified?

<TM>
It is proposed to move discussion of status-codes to a common section and
reference that section from both the AttributeSelector and
AttributeDesignator sections.
</TM>

4)  Line 2707 indicates that the data type of the AttributeValue MAY be
specified by using the DataType attribute of the parent Attribute element.
However, line 2683 indicates that DataType xml attribute of an Attribute
element is mandatory.  Is this a contradiction?

<TM>
It is proposed to change the MAY to a MUST.  Then the data-type of an
attribute MUST be identified in the <xacml-context:Attribute> element, not
in its child <xacml-context:AttributeValue> element.
</TM>

5)  AttributeValueType.  Lines 2456 - 2469 indicate that a DataType URI is a
required xml attribute for the complex type in the xacml namespace.
Lines 2696 - 2708 do not define such a required xml attribute for
the AttributeValueType in the xacml-context namespace.  Lines 3448 - 2469 of
the Appendix state that an XACML <AttributeValue> element MAY contain an
instance of a structured XML data type.  Lines 3524 - 3525 say "The
<AttributeValue> element SHALL represent an explicit value of a primitive
type."  The example shows the use of an Attribute value element as the child
of the <Apply> element.  Lines 3534 - 3535 state "The
<AttributeDesignator> and <AttributeSelector> elements SHALL evaluate to a
bag of a specific primitive type."  Do these different characterizations
contradict?

<TM>

WARNING for the casual reader - there is an <AttributeValue> element defined
in both the xacml and the xacml-context namespaces.

<xacml:AttributeValue> elements do not occur as children of
<xacml:Attribute> elements (no such element is defined).  Therefore, the
type of the attribute has to be associated with the value.  Moreover,
attributes used in this way are single-valued.
<xacml-context:AttributeValue> elements always occur as children of an
<xacml-context:Attribute> element.  These attributes can be multi-valued.
Therefore, their type can be associated with the <xacml-context:Attribute>
element.  Elements of either type <xacml:AttributeValue> or
<xacml-context:AttributeValue> may be structured.  The restriction to
primitive types will be corrected in WD06.
</TM>

6)  Is it reasonable to state that a named attribute appears in the context
of Policy syntax but not Context syntax?

<TM>
I'll look for a suitable place to make this point.
</TM>

7)  Is the string equality requirement listed on line 2999 the string
equality function defined at line 3643?

<TM>
Yes.  I'll include text that makes this explicit.
</TM>
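
Added example (not part of the original message or of the XACML specification): a small Python check for where the data-type is carried in each namespace, following the resolutions to questions 4 and 5 above. The namespace URIs are assumed to be the XACML 1.x ones, and the sample documents and the urn:example:* attribute ids are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace URIs assumed to be the XACML 1.x ones; the message gives only prefixes.
POLICY_NS = "urn:oasis:names:tc:xacml:1.0:policy"
CONTEXT_NS = "urn:oasis:names:tc:xacml:1.0:context"
XS = "http://www.w3.org/2001/XMLSchema#"

# Constructed sample: two policy-side literals, the second one untyped.
SAMPLE_POLICY = f"""
<Apply xmlns="{POLICY_NS}" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  <AttributeValue DataType="{XS}string">read</AttributeValue>
  <AttributeValue>write</AttributeValue>
</Apply>"""

# Constructed sample: the second Attribute puts DataType on the child value.
SAMPLE_CONTEXT = f"""
<Resource xmlns="{CONTEXT_NS}">
  <Attribute AttributeId="urn:example:owner" DataType="{XS}string">
    <AttributeValue>alice</AttributeValue>
  </Attribute>
  <Attribute AttributeId="urn:example:size">
    <AttributeValue DataType="{XS}integer">42</AttributeValue>
  </Attribute>
</Resource>"""


def check_policy(xml_text):
    """xacml:AttributeValue has no parent Attribute, so it must carry DataType."""
    root = ET.fromstring(xml_text)
    return [
        f"policy AttributeValue {v.text!r}: missing DataType"
        for v in root.iter(f"{{{POLICY_NS}}}AttributeValue")
        if "DataType" not in v.attrib
    ]


def check_context(xml_text):
    """xacml-context: the type is identified on Attribute, not on its child value."""
    root = ET.fromstring(xml_text)
    findings = []
    for attr in root.iter(f"{{{CONTEXT_NS}}}Attribute"):
        aid = attr.get("AttributeId")
        if "DataType" not in attr.attrib:
            findings.append(f"context Attribute {aid}: missing DataType")
        for v in attr.findall(f"{{{CONTEXT_NS}}}AttributeValue"):
            if "DataType" in v.attrib:
                findings.append(f"context Attribute {aid}: DataType on child value")
    return findings


if __name__ == "__main__":
    print("\n".join(check_policy(SAMPLE_POLICY) + check_context(SAMPLE_CONTEXT)))
```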
