Subject: 2.0 draft 13 comments
Attached are my comments on draft 13 of the core 2.0 specification. NOTE WELL: I haven't seen comments from anyone to suggest that they've read the recent drafts cover-to-cover looking for issues, so I took the last two days to do this. Since we're in a time crunch, however, I didn't stop to scrutinize every last detail, so I make no guarantee that I caught all the issues. Originally I was looking only at the issues I owned, so there is some emphasis on that text. I don't believe I am suggesting any changes in functionality or meaning (I tried to take all those issues to the list in separate emails). ...Also, a seriously big thank you to Polar for helping me hash out some of my questions at the last minute! In fact I've asked him to look at the any-of-all and all-of-any functions too... The one issue I don't think we have closure on is the mandate that combining algorithms must return NotApplicable if their elements are all NotApplicable. Once we clarify this, then I think all my comments will be in. seth
Meta-comment: I think we should stop using Medico.com in our examples. This is a registered name, and in fact the web site is password protected. I realize we want to provide some tangible examples, but could we instead do something like med.example.com?

Page 19: The relationship between Policy and Target should be 1, not 0..1, since a Policy always has a Target (though it could be empty). Also, the relationship between Target and its elements should be 0..* since all elements are now optional.

Section 4.2.2: The datatypes are represented as QNames (eg, xs:anyURI) which is not allowed in the spec. These datatypes must all be expanded into their full form. Also, on line 1072, the datatype should be changed to "http://www.w3.org/2001/XMLSchema#string".

Section 4.2.4.3 (Rule 3): This example still uses Obligations without clear text about how the AttributeAssignments are handled. The example (lines 1551 to 1569) needs to have all < and > characters escaped in the assignments. Also, the text on line 1602 is incorrect. It's not that "the PDP is not required to resolve the attribute assignments" but instead "the PDP is not allowed to resolve the attribute assignments."

Section 5.18: Line 2139 should read "The <IdReferenceType> complex type extends the...". Also, the final paragraph should reference section 5.21.

Section 5.20: The last sentence ("* represents any sequence of digits of length zero or more") should be removed, as it is inaccurate. Also, this section might be better placed near the start of section 5, so it's in correct descent order, like the rest of the elements described in this section, but I don't think that's too critical.

Section 5.21: Typo on line 2173. It should read "policy or policy set." Also, all the explanatory text has been removed, so there's no meaning for this element. After the chunk of XMLSchema, it should read: "A version match is '.'-separated, like a version string. A number represents a direct numeric match. A '*' means that any single number is valid. A '+' means that any number, and any subsequent numbers, are valid. In this manner, the following four patterns would all match the version string '1.2.3': '1.2.3', '1.*.3', '1.2.*', and '1.+'."

Section 5.22: There is a CombinerParameters element both inside and outside the choice. I think it should be in only one place. Also, neither the CombinerParameters element nor the RuleCombinerParameters element inside the choice should have minOccurs="0" since they're already in a choice with minOccurs="0".

Section 5.26: Lines 2331 and 2332 should be removed.

Section 5.27: Lines 2361 and 2362 should be removed.

Section 5.28: Lines 2392 and 2393 should be removed.

Section 5.31: Line 2439 should read "...if it does, a corresponding..."

Section 5.33: Line 2486 should end in a colon.

Section 5.34: Lines 2500 and 2501 should provide a reference to section 7.8 for more details about Condition evaluation.

Section 5.36: Typo at the end of line 2531.

Section 5.46: The second to last sentence on the first paragraph (starting "Where the PEP should...") should be removed. Instead, just provide the example reference, which shows multiple valid methods.

Section 6.15: The text starting at line 3142 and running to line 3147 should be moved to the following section (6.16). In its place should be a reference to section 6.16 to find more details.

Section 6.16: The schema for this element needs to change in two small ways. First, the AttributeValue should have a maxOccurs="unbounded" since the PDP might know of several valid values. Second, there needs to be an optional Issuer XML attribute, like in xacml-context:Attribute, since the missing attribute may need to come from a particular issuer.

Section 7.3: Line 3306 should have the "xacml:" namespace removed, or all the other elements that follow should have a namespace element added.

Section 7.5: The sentence on line 3340 starting "An element of the bag..." should end with ", as explained below." Otherwise it's unclear how this works. Also, the end of the sentence starting on line 3355 is incorrect. A function used in a TargetMatch needs to accept base types as both parameters. So starting on line 3357, the text should read "the extension function returns a boolean result and takes two single base types as inputs."

Section 7.6: The sentence on line 3398 starting "The target value SHALL..." should be removed. We now support empty targets, but not absent targets. Also, the sentence starting on line 3406 "The target value SHALL..." is incorrect. It should either reference Subjects, Resources, Actions, and Environments, or should replace "target" with "Subject, Resource, Action, or Environment"...perhaps we want to have both pieces in there? On line 3414, the word "True" should be replaced with "Match". Finally, in table 3, the second row should read "No 'No match' and at least one 'Indeterminate'" instead of "and at least one 'Indeterminate'".

Section 7.11: On line 3496, "rule-combining algorithm" should simply read "combining algorithm" and the reference to section 7.10 should be dropped.

Section 7.14: On line 3535, the "xacml:" namespace prefix should be removed.

Section 7.15.3: The text describing missing-attribute should reference section 6.16.

Section 10.2.2: Should we also include the 1.x prefixes here? Or, at least, reference the 1.0 specification?

Section 10.2.4: The URN on line 3858 should be replaced with the text "StatusCode element".

Section 10.2.6: The action-id and implied-action attributes are not mandatory to implement. This was agreed on a while back as an erratum against 1.1.

Section 10.2.7: The xpath-expression datatype should be removed from the table.

Section A.2: The reference to, and definition of the xpath-expression datatype should be removed.

Section A.3.8: At the end of the description for time-in-range, add these two sentences: "If no timezone is provided for the first argument, it SHALL use the default timezone at the context handler. If no timezone is provided for the second or third arguments, they SHALL use the timezone from the first argument." This was part of the original proposal, and is key to making this function work correctly. Also, in the following 8 sections (date[Time] comparison functions), the references to XS should be changed to XF.

Section A.3.10: All of the functions are shown in a namespace with "x.x" instead of a version number. I assume this should be replaced with "1.0".

Section A.3.11: Same as A.3.10.

Section A.3.12: all-of-any: The second sentence should read "The expression SHALL be 'True' if and only if the supplied predicate is 'True' between each element of the first bag and any element of the second bag." Also, starting on line 4609 with the sentence "The expression SHALL be evaluated", the remaining text in the paragraph should be removed. In its place should be the following: "The expression SHALL be evaluated as if the 'urn:oasis:names:tc:xacml:1.0:function:any-of' function was applied to each value of the first bag and the whole second bag using the supplied xacml:Function, and the results were combined using 'urn:oasis:names:tc:xacml:1.0:function:and'." Under the example, the text should read "This expression is 'True' because each of the elements of the first bag is greater than at least one of the elements of the second bag."

any-of-all: The second sentence should read "The expression SHALL be 'True' if and only if the supplied predicate is 'True' between each element of the second bag and any element of the first bag." Also, starting on line 4651 with the sentence "The expression SHALL be evaluated", the remaining text in the paragraph should be removed. In its place should be the following: "The expression SHALL be evaluated as if the 'urn:oasis:names:tc:xacml:1.0:function:any-of' function was applied to each value of the second bag and the whole first bag using the supplied xacml:Function, and the results were combined using 'urn:oasis:names:tc:xacml:1.0:function:and'." Under the example, the text should read "This expression is 'True' because for all of the values in the second bag, there is a value in the first bag that is greater."

Section B.8: Line 4976 should be a fixed-width font.

Section B.9: Lines 4983-4984 should have a reference to section 6.16.
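The version-match rules proposed for section 5.21 above (a number is a direct numeric match, '*' is any single number, '+' is any number and any subsequent numbers) are easy to get subtly wrong in a PDP, and a wrong match silently selects the wrong policy version. The following is an added example, not code from the email's author or from any XACML implementation: a small matcher that implements those rules as quoted. Two details are my own assumptions, not spec text: '+' is only accepted as the final component and must consume at least one component (so '1.+' does not match plain '1'), and malformed patterns raise instead of quietly never matching.

```python
import re

# Assumed syntax, derived from the rules quoted in the email (not spec text):
# '.'-separated components, each a number or '*', with '+' allowed only as
# the final component.
_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")
_PATTERN_RE = re.compile(r"^((\d+|\*)\.)*(\d+|\*|\+)$")


def version_matches(pattern: str, version: str) -> bool:
    """Return True if `version` satisfies the version-match `pattern`.

    Rules, as quoted in the email:
      - a number matches only the same number (direct numeric match, so
        "01" and "1" compare equal)
      - '*' matches exactly one component, whatever its value
      - '+' matches one or more remaining components (assumption: at
        least one component must be present)
    Malformed input raises ValueError so a bad pattern in a policy
    reference is noticed instead of never firing.
    """
    if not _VERSION_RE.match(version):
        raise ValueError(f"malformed version string: {version!r}")
    if not _PATTERN_RE.match(pattern):
        raise ValueError(f"malformed version match: {pattern!r}")

    pat = pattern.split(".")
    ver = version.split(".")

    for i, p in enumerate(pat):
        if p == "+":
            # '+' is always last; it needs at least one component left.
            return len(ver) > i
        if i >= len(ver):
            return False            # pattern is longer than the version
        if p == "*":
            continue                # any single number is fine
        if int(p) != int(ver[i]):
            return False            # direct numeric mismatch
    # Without a trailing '+', the version must not have extra components.
    return len(ver) == len(pat)


def matching_patterns(patterns, version):
    """Filter `patterns` down to those that select `version`."""
    return [p for p in patterns if version_matches(p, version)]


if __name__ == "__main__":
    # The four patterns the email says should all match '1.2.3', plus a
    # couple that should not (constructed sample input).
    for p in ["1.2.3", "1.*.3", "1.2.*", "1.+", "1.2", "1.2.3.4", "2.*.3"]:
        print(f"{p:10} matches 1.2.3? {version_matches(p, '1.2.3')}")
```

The matcher is deliberately strict on the "no trailing '+'" case: a pattern '1.2' does not match '1.2.3', because nothing in the quoted rules says a shorter pattern may match a longer version. If a deployment wants prefix matching, it should say so with an explicit '1.2.+'.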
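The all-of-any and any-of-all wording proposed for section A.3.12 above is the kind of quantifier pair that implementers routinely swap, and in an access-control predicate the swap decides whether one stray value grants or denies. The following is an added example, not code from the email's author or from any XACML implementation, that writes both functions in terms of any-of and 'and' exactly as the email proposes, so the asymmetry is visible in the code. One assumption is mine: the predicate is always called as pred(a, b) with a from the first bag and b from the second, since the email does not pin down argument order. The role-check demo data is constructed.

```python
import operator


def any_of(pred, value, bag):
    """XACML any-of: True iff pred(value, x) holds for at least one x in bag."""
    return any(pred(value, x) for x in bag)


def all_of_any(pred, bag1, bag2):
    """Per the email: any-of applied to each value of the first bag against
    the whole second bag, results combined with 'and'.

    Reads as: every a in bag1 is related to at least one b in bag2.
    all() over an empty first bag is True, matching an 'and' of no results.
    """
    return all(any_of(pred, a, bag2) for a in bag1)


def any_of_all(pred, bag1, bag2):
    """Per the email: for each value of the second bag, some value of the
    first bag satisfies the predicate, results combined with 'and'.

    Reads as: every b in bag2 has at least one a in bag1 with pred(a, b).
    The predicate keeps its (first-bag, second-bag) argument order
    (my assumption), which is why this is not all_of_any with the bags
    swapped: any_of_all(gt, X, Y) asks whether every y is exceeded by some
    x, while all_of_any(gt, Y, X) would ask whether every y exceeds some x.
    """
    return all(any(pred(a, b) for a in bag1) for b in bag2)


def requested_roles_permitted(requested, allowed):
    """Constructed use: every requested role must equal some allowed role.
    That is all-of-any with string equality, not any-of-all."""
    return all_of_any(operator.eq, requested, allowed)


if __name__ == "__main__":
    gt = operator.gt
    # Constructed bags; both functions agree here...
    print(all_of_any(gt, [10, 20], [1, 3, 5]), any_of_all(gt, [10, 20], [1, 3, 5]))
    # ...and disagree here: 2 beats some element of [1, 5], but nothing in
    # [2] beats 5.
    print(all_of_any(gt, [2], [1, 5]), any_of_all(gt, [2], [1, 5]))
    print(requested_roles_permitted(["read", "write"], ["read", "write", "admin"]))
    print(requested_roles_permitted(["read", "delete"], ["read", "write", "admin"]))
```

Note the empty-bag behaviour that falls out of combining with 'and': all-of-any with an empty first bag is True (nothing to check), while all-of-any with an empty second bag and a non-empty first bag is False (any-of over an empty bag is False). A role check built on all-of-any therefore permits an empty request list, which is usually the intended reading but worth confirming for a given policy.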