OASIS Mailing List Archives

xacml message



Subject: New delegation draft


All,

I have uploaded draft 10 of the delegation profile. The most important
change is that I have added reduction of deny by making the effect part
of the situation.

I have not made the target schema open since Daniel is going to do that.

I was also thinking about adding a new section for the upcoming SAML
profile, but since there was no agreement on what it should contain
during the last meeting, I am going to wait. It would be nice if we
could agree on this soon: Should additional policies and attribute
assertions be included in the request context or the SAML profile?
During the F2F the agreement of the participants was to add them to the
SAML profile (see the minutes of day 3, issue #5), but Frank recently
suggested the request context and there was no agreement on this during
the last meeting. As soon as this is decided, I will change the
documents appropriately.

I did not make the choice between historic/current issuer attribute
models part of the PolicySet schema since it is supposed to be a PDP
global setting. It is mentioned in the normative section though.

A small note: in this new draft we support reduction of deny at the
access level but not at the administrative level. At the administrative
level we do not support issuing of policies that evaluate to deny.
However, a trusted policy can still evaluate to deny at any level. I
don't think that is a problem and might even be a desirable feature, but
give it a thought. There is a small inconsistency in that we allow
negative administrative policies by the trusted issuer but not by
"normal" issuers.

Regards,
Erik



