OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Comments on XACML v3.0 administration policy, Draft 06


I have not yet finished working through the spec, but the first part of
the spec would be easier to read with some of the following editorial
changes.  Perhaps Erik can work some of these into the next draft.

- Under "2 Use cases", clearly label 2.1.1 as "Use case 1: Policy
administration" and 2.1.2 as "Use case 2: Dynamic delegation".  "Use
cases #1 and #2" are referenced in 2.1.3 Discussion, starting at line
24, but were not clearly identified as such.

- 2.1.3 Discussion, line 26: that says that the [issuer] of one policy"

- 2.1.3 Discussion, line 31-32: "It is still necessary to find a chain
of policies back to the PDP in order for Fred's policy to be enforced."
 This is not part of the use case.  It is also a bit confusing to a new
reader because the idea of a "chain back to the PDP" has not been
introduced.

- 3. Solution Overview..., line 3: I think we need a better term than
"issued directly by the PDP".  In the XACML model, a PDP does not issue
policies.  Perhaps "directly trusted by the PDP".

- 3. Solution Overview..., general: There are four cases, and these
could be more clearly identified.  See next comment for proposal.
  Has <PolicyIssuer> AND <PolicyIssuerMatch>
  Has <PolicyIssuer>
  Has <PolicyIssuerMatch>
  Has neither

- 3. Solution Overview..., general: The semantics of the syntactic
elements that make something an access policy or an administration
policy are separated from the semantics of the two types of policies.
Maybe have one section for "administration policy", giving syntax and
semantics, and one section for "access policy", giving syntax and semantics.

- 4.1.1 and 4.1.2, last sentence of each section says: "...Combining
algorithms that can result in "Deny" SHALL NOT be used."  It would be
good to have an explanation/justification for this requirement in the
non-normative description.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]