OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Revised Minutes of the XACML Focus Group 17 June 2004

Minutes from the 17 June 2004 XACML Focus Group

  Michiharu Kudo
  Anne Anderson
  Tim Moses
  Frank Siebenlist
  Simon Godik

1. IEEE Policy 2004 Workshop

   Anne announced that she had a paper accepted for the IEEE
   Policy 2004 Workshop ("An Introduction to the Web Services
   Policy Language"), attended the workshop, and made a
   presentation.  [A preliminary version of the paper and the
   presentation slides are available at

2. Anne announced W3C Workshop on Constraints and Capabilities
   for Web Services to be hosted at the Oracle Conference Center
   at Oracle Headquarters in Redwood Shores in California.
   Earlier mail had suggested that this workshop would be jointly
   sponsored by W3C and by OASIS.  Tim will check on this.
     Workshop dates: 12-13 October 2004
     Position papers due: 27 August 2004
     Final agenda: 24 September 2004
     Registration closes: 1 October 2004

3. URI matching functions

   Summary of current discussion:
     Tim's original proposal borrowed from JSR115.

     Michiharu commented: 1) why not call it URI-match, instead
     of URL match, 2) Why not have two functions: one for whole
     subtree, and one for one node.  Wildcard in one just means
     any sub-node.  In other means direct child nodes.  Bill P
     commented: could do it all with different wildcard
     conditions.  Rich Salz submitted a comment this morning.

     Tim does not mind having two functions.  Has slight
     reservations on having two functions where a wildcard means
     different things in the two functions.  He is leaning toward
     Bill's suggestion.

     Polar suggested: ** means string of sub-nodes, * means just one
     level of sub-nodes.

     Bill suggested: define general match function in core, with
     optional like "hierarchy".  Part of a regular expression
     matching function.

     Rich Salz submitted a proposal that allows interior matches.

     Tim modified his proposal to include "**" in response to

   New discussion:

   Michiharu described a problem with using general regular
   expressions.  JSR 115 does not support "**".  XPath does have
   a syntax for this: "//".

   Tim: names:
   - url-node-match: wildcard indicates one level of node match
     Could do this using url-node-match:

       file://x/y* - matches //x/y, //x/yaz, //x/yaz.txt, etc.
       file://x/* -  matches //x/y, //x/z, //x/ya, but not //x/y/z
       file://x/y*.html - matches //x/y.html, //x/ya.html, etc.

   - url-subtree-match: wildcard indicates arbitrary number of levels

       file://x/y* - matches //x/y, //x/yaz, //x/yaz/a
         //x/yaz/a/b/c, etc.
       file://x/* -  matches //x/y, //x/z, //x/y/a
       file://x/*/y*.html - matches //x/y.html, //x/a/ya.html

   Anne: Two types of wildcard matching
   - level: could use "//"
   - within a level: could use *

   Tim: Could we use regular expressions for matching the
       <pathname> part?  "*" could occur in the middle of a

   Anne: Michiharu also wants to support relative URL matching;
       i.e. /a/b, without a scheme or authority

   Michiharu: wants to support all formats in RFC2396, including
       absolute path forms.  /..., etc.

   Anne: we don't have a semantically meaningful way to support
       relative paths that include "." or "..", since there is
       nothing defined in our match functions for the "." or ".."
       to be relative to.  Michiharu agrees.

   Michiharu: just wants to express a policy which is usually
       done in a file system where you can grant access on a
       directory and its descendants.

   Anne: let's submit use cases so we can get requirements for
       exactly what we need to support.

   [ACTION ITEM]: Tim will draft a list of requirements from the
       various suggestions.  Others are also welcome to submit
       use cases.

   [ACTION ITEM]: If requirements seem clear, Tim will define a
       single function, making scheme and authority optional, and
       possibly using regular expression matching for the
       <pathname> portion.

The meeting adjourned at 10:53am EDT.

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]