OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: 2.0 draft 13 comments



Attached are my comments on draft 13 of the core 2.0 specification.

NOTE WELL: I haven't seen comments from anyone to suggest that they've
read the recent drafts cover-to-cover looking for issues, so I took the
last two days to do this. Since we're in a time crunch, however, I
didn't stop to scrutinize every last detail, so I make no guarentee that
I caught all the issues. Originally I was looking only at the issues I
owned, so there is some emphasis on that text. I don't believe I am
suggesting any changes in functionality or meaning (I tried to take all
those issues to the list in separate emails).

...Also, a seriously big thank you to Polar for helping me hash out some
of my questions at the last minute! In fact I've asked him to look at
the any-of-all and all-of-any functions too...

The one issue I don't think we have closure on is the mandate that
combining algorithms must return NotApplicable if their elements are all
NotApplicable. Once we clarify this, then I think all my comments will
be in.


seth

Meta-comment: I think we should stop using Medico.com in our
examples. This is a registered name, and in fact the web site is
password protected. I realize we want to provide some tangible examples,
but could we instead do something like med.example.com?

Page 19: The relationship between Policy and Target should be 1, not
0..1, since a Policy always has a Target (though it could be
empty). Also, the relationship between Target and its elements should be
0..* since all elements are now optional.

Section 4.2.2: The datatypes are represented as QNames (eg, xs:anyURI)
which is not allowed in the spec. These datatypes must all be expanded
into their full form. Also, on line 1072, the datatype should be changed
to "http://www.w3.org/2001/XMLSchema#string";.

Section 4.2.4.3 (Rule 3): This example still uses Obligations without
clear text about how the AttributeAssignments are handled. The example
(lines 1551 to 1569) need to have all < and > characters escaped in the
assignments. Also, the text on line 1602 is incorrect. It's not that
"the PDP is not required to resolve the attribute assignments" but
instead "the PDP is not allowed to resolve the attribute assignments."

Section 5.18: Line 2139 should read "The <IdReferenceType> complex type
extends the...". Also, the final paragraph should reference section
5.21.

Section 5.20: The last sentence ("* represents any sequence of digits of
length zero or more") should be removed, as it is inaccurate. Also, this
section might be better placed near the start of section 5, so it's in
correct descent order, like the rest of the elements described in this
section, but I don't think that's too critical.

Section 5.21: Typo on line 2173. It should read "policy or policy set."
Also, all the explanitory text has been removed, so there's no meaning
for this element. After the chunk of XMLSchema, it should read: "A
version match is '.'-separated, like a version string. A number
represents a direct numeric match. A '*' means that any single number is
valid. A '+' means that any number, and any subsequent numbers, are
valid. In this manner, the following four patterns would all match
the version string '1.2.3': '1.2.3', '1.*.3', '1.2.*', and "1.+'.".

Section 5.22: There is a CombinerParameters element both inside and
outside the choice. I think it should be in only one place. Also,
neither the CombinerParameters element nor the RuleCombinerParameters
element inside the choice should have minOccurs="0" since they're
already in a choice with minOccurs="0".

Section 5.26: Lines 2331 and 2332 should be removed.

Section 5.27: Lines 2361 and 2362 should be removed.

Section 5.28: Lines 2392 and 2393 should be removed.

Section 5.31: Line 2439 should read "...if it does, a corresponding..."

Section 5.33: Line 2486 should end in a colon.

Section 5.34: Lines 2500 and 2501 should provide a reference to section
7.8 for more details about Condition evaluation.

Section 5.36: Typo at the end of line 2531.

Section 5.46: The second to last sentence on the first paragraph
(starting "Where the PEP should...") should be removed. Instead, just
provide the example reference, which shows multiple valid methods.

Section 6.15: The text starting at line 3142 and running to line 3147
should be moved to the following section (6.16). In its place should be
a reference to section 6.16 to find more details.

Section 6.16: The schema for this element needs to change in two small
ways. First, the AttributeValue should have a maxOccurs="unbounded"
since the PDP might know of several valid values. Second, there needs to
be an optional Issuer XML attribute, like in xacml-context:Attribute,
since the missing attribute may need to come from a particular issuer.

Section 7.3: Line 3306 should have the "xacml:" namespace removed, or
all the other elements that follow should have a namespace element
added.

Section 7.5: The sentence on line 3340 starting "An element of the
bag..." should end with ", as explained below." Otherwise its unclear
how this works. Also, the end of the sentence starting on line 3355 is
incorrect. A function used in a TargetMatch needs to accept base types
as both paramaters. So starting on line 3357, the text should read "the
extension function returns a boolean result and takes two single base
types as inputs."

Section 7.6: The sentence on line 3398 starting "The target value
SHALL..." should be removed. We now support empty targets, but not
absent targets. Also, the sentence starting on line 3406 "The target
value SHALL..." is incorrect. It should either reference Subjects,
Resources, Actions, and Environments, or should replace "target" with
"Subject, Resource, Action, or Environment"...perhaps we want to have
both pieces in there? On line 3414, the word "True" should be
replaced with "Match". Finally, in table 3, the second row should read
"No 'No match' and at least one 'Indeterminate'" instead of "and at
least one 'Indeterminate'".

Section 7.11: On line 3496, "rule-combining algorithm" should simply
read "combining algorithm" and the reference to section 7.10 should be
dropped.

Section 7.14: On line 3535, the "xacml:" namespace prefix should be
removed.

Section 7.15.3: The text describing missing-attribute should reference
section 6.16.

Section 10.2.2: Should we also include the 1.x prefixes here? Or, at
least, reference the 1.0 specification?

Section 10.2.4: The URN on line 3858 should be replaced with the text
"StatusCode element".

Section 10.2.6: The action-id and implied-action attributes are not
manditory to implement. This was agreed on a while back as an eratta
agaist 1.1.

Section 10.2.7: The xpath-expression datatype should be removed from
the table.

Section A.2: The reference to, and definition of the xpath-expression
datatype should be removed.

Section A.3.8: At the end of the description for time-in-range, add
these two sentences: "If no timezone is provided for the first argument,
it SHALL use the default timezone at the context handler. If no timezone
is provided for the second or third arguments, they SHALL use the
timezone from the first argument." This was part of the original
proposal, and is key to making this function work correctly. Also, in
the following 8 sections (date[Time] comparison functions), the
references to XS should be changed to XF.

Section A.3.10: All of the functions are shown in a namespace with "x.x"
instead of a version number. I assume this should be replced with "1.0".

Section A.3.11: Same as A.3.10.

Section A.3.12:

  all-of-any: The second sentence should read "The expression SHALL be
  'True' if and only if the supplied predicate is 'True' between each
  element of the first bag and any element of the second bag." Also,
  starting on line 4609 with the sentence "The expression SHALL be
  evaluated", the remaining text in the paragraph should be removed. In
  its place should be the following: "The expression SHALL be evaluated
  as if the 'urn:oasis:names:tc:xacml:1.0:function:any-of' function was
  applied to each value of the first bag and the whole second bag using
  the supplied xacml:Function, and the results were combined using
  'urn:oasis:names:tc:xacml:1.0:function:and'." Under the example, the
  text should read "This expression is 'True' because each of the
  elements of the first bag is greater than at least one of the
  elements of the second bag."

  any-of-all: The second sentence should read "The expression SHALL be
  'True' if and only if the supplied predicate is 'True' between each
  element of the second bag and any element of the first bag." Also,
  starting on line 4651 with the sentence "The expression SHALL be
  evaluated", the remaining text in the paragraph should be removed. In
  its place should be the following: "The expression SHALL be evaluated
  as if the 'urn:oasis:names:tc:xacml:1.0:function:any-of' function was
  applied to each value of the second bag and the whole first bag using
  the supplied xacml:Function, and the results were combined using
  'urn:oasis:names:tc:xacml:1.0:function:and'." Under the example, the
  text should read "This expression is 'True' because for all of the
  values in the second bag, there is a value in the first bag that is
  greater."

Section B.8: Line 4976 should be a fixed-width font.

Section B.9: Lines 4983-4984 should have a reference to section 6.16.



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]