Subject: Re: [xacml] Context attribute clarification



> I think you are saying that, as far as the PDP is concerned, anything
> between <AttributeValue> tags is a single attribute (including any xml
> attribute of the <AttributeValue> element, itself).  Whether the attribute
> is primitive or structured, it is the associated function that should
> validate the contents.  In the structured case, it will need some private
> way of locating the schema, given the DataType URI.

Exactly. Thus, in the example you provided, the two AttributeValue 
elements resulted in two values, even if they contained complex content. 
I think that the spec is pretty clear on this point, but maybe we need 
to add some clarifying language?

> An attribute value that is an unencapsulated sequence of elements is valid
> according to this definition.  But, if we expect the function to
> schema-validate, doesn't this introduce a problem, because such a sequence
> is anonymous?  

I don't think this is a problem. If I define a new datatype that 
contains mixed content, then I'm free to define any number of ways to 
validate that content (through schemas or other mechanisms)...also, 
there is no anonymity, since the DataType XML attribute identifies the 
type. It's never going to be possible for a standard PDP to do 
validation unless it has custom functionality installed to support the 
datatype and validation, so I don't see any reason to define a standard 
mechanism that may or may not be useful only for custom functionality. 
Or am I missing the point here? (my brain is a little frazzled right now)

> My understanding is that the anyAttribute declaration does not REQUIRE the
> <AttributeValue> element to have an attribute, but it MAY have one or more.

Absolutely correct.


seth
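
The handling discussed in this message, as an added example that is not part of the original post or of any XACML implementation: each `<AttributeValue>` element yields exactly one value regardless of its content, and validation is dispatched on the DataType identifier to whatever custom support is installed. The datatype URIs, the `<First>`/`<Last>` content, the `source` XML attribute, the status strings, and the choice to read DataType from either the value or its enclosing `<Attribute>` are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample input. Element and attribute names follow the thread;
# the datatype URIs and the <First>/<Last> content are hypothetical.
SAMPLE = """
<Attributes>
  <Attribute AttributeId="urn:example:name" DataType="urn:example:datatype:person-name">
    <AttributeValue><First>Ada</First><Last>Lovelace</Last></AttributeValue>
    <AttributeValue source="hr-db"><First>Alan</First><Last>Turing</Last></AttributeValue>
    <AttributeValue><First>Grace</First></AttributeValue>
  </Attribute>
  <Attribute AttributeId="urn:example:badge" DataType="urn:example:datatype:badge">
    <AttributeValue><Id>42</Id></AttributeValue>
  </Attribute>
</Attributes>
"""

def validate_person_name(value):
    """Hypothetical validator: exactly <First> then <Last>, both non-empty."""
    children = list(value)
    return ([c.tag for c in children] == ["First", "Last"]
            and all((c.text or "").strip() for c in children))

# Validation is looked up by DataType; only installed datatypes can be checked.
VALIDATORS = {"urn:example:datatype:person-name": validate_person_name}

def evaluate_values(xml_text):
    """Return one record per <AttributeValue> element, whatever its content."""
    records = []
    root = ET.fromstring(xml_text)
    for attribute in root.iter("Attribute"):
        for value in attribute.findall("AttributeValue"):
            # Assumption: DataType may sit on the value or on the enclosing Attribute.
            datatype = value.get("DataType") or attribute.get("DataType")
            validator = VALIDATORS.get(datatype)
            if validator is None:
                status = "unsupported-datatype"  # no custom support installed
            else:
                status = "valid" if validator(value) else "invalid"
            # XML attributes on the element travel with the value (anyAttribute).
            extras = {k: v for k, v in value.attrib.items() if k != "DataType"}
            records.append({"datatype": datatype, "xml_attributes": extras,
                            "status": status})
    return records

if __name__ == "__main__":
    for record in evaluate_values(SAMPLE):
        print(record)
```

The standard-library parser is used here only because the input is constructed; requests from untrusted callers should go through a hardened XML parser.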


