OASIS Mailing List Archives

xacml message



Subject: Re: samlp:XACMLPolicyQuery Target element


In case of any confusion, the Subject of the previous e-mail should have 
been xacml-samlp:XACMLPolicyQuery Target element.  -Anne

Anne Anderson wrote:

> Colleagues,
> 
> Currently, in the SAML 2.0 Profile of XACML 2.0, an XACMLPolicyQuery 
> element is used by a PDP to request policies from an on-line Policy 
> Administration Point.  The policies to be returned are specified using 
> one or more of the following elements:
> ---------------------Taken from XACML 2.0 Profile------------>
> <xacml-context:Request> [Any Number]
> Supplies an XACML Request Context.  All XACML <xacml:Policy> and 
> <xacml:PolicySet> instances applicable to this Request SHALL be 
> returned.  The concept of “applicability” in the XACML context is 
> defined in the XACML 2.0 Specification [XACML].
> 
> <xacml:Target> [Any Number]
> Supplies an XACML <xacml:Target> instance.  All XACML <xacml:Policy> and 
> <xacml:PolicySet> instances applicable to this <Target> SHALL be returned.
> 
> <xacml:PolicySetIdReference> [Any Number]
> Identifies an XACML <xacml:PolicySet>  instance to be returned.
> 
> <xacml:PolicyIdReference> [Any Number]
> Identifies an XACML <xacml:Policy> instance to be returned.
> 
> If the <xacml-samlp:XACMLPolicyQuery> contains no element instances, 
> then the Policy Administration Point SHOULD return all policies that are 
> authorized and appropriate for use by the requester.
> <--------------------End of extract from XACML 2.0 Profile---------
> 
> There is a potential problem with use of the <xacml:Target> element, 
> because we do not specify how to determine *policies* that are 
> "applicable" to a Target.
> 
> Here are some possible options for dealing with this:
> 
> 1. Say something like "Return all Policy and PolicySet instances that 
> are applicable to any Request to which this Target is applicable.  The 
> means for determining such policies is unspecified."
> 
> 2. Say "Return all Policy and PolicySet instances whose top-level Target 
> exactly matches this Target.  The matching algorithm is unspecified."
> 
> 3. Remove this element from the XACMLPolicyQuery.
> 
> I recommend #3.
> 
> Regards,
> Anne

-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
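
Added example (not part of the original message or of the XACML profile): a small Python model of the ambiguity raised above, showing that options 1 and 2 select different policies for the same query Target. It assumes a simplified Target (attribute id mapped to accepted values, equality matching only) and reads "any Request" in option 1 as "at least one Request"; all policy ids and attribute values are constructed.

```python
# Simplified model (an assumption, not the XACML 2.0 schema): a Target maps an
# attribute id to the set of values it accepts; an absent attribute means "any".
# All policy ids and attribute values below are constructed for illustration.

POLICIES = {
    "P1": {"resource": {"medical-record"}, "action": {"read"}},
    "P2": {"resource": {"medical-record"}},
    "P3": {"action": {"read", "write"}},
    "P4": {"resource": {"billing"}, "action": {"read"}},
    "P5": {},  # empty Target: applies to every request
}


def applies_to_request(target, request):
    """Target is applicable to a concrete request (attribute id -> value)."""
    return all(request.get(attr) in values for attr, values in target.items())


def overlaps(query_target, policy_target):
    """Option 1, reading "any Request" as "at least one Request": some request
    satisfies both Targets, i.e. every shared attribute has a common value."""
    shared = query_target.keys() & policy_target.keys()
    return all(query_target[a] & policy_target[a] for a in shared)


def exact_match(query_target, policy_target):
    """Option 2: the policy's top-level Target equals the query Target."""
    return query_target == policy_target


def select(query_target, matcher):
    """Policy ids the Policy Administration Point would return for a Target."""
    return sorted(pid for pid, t in POLICIES.items() if matcher(query_target, t))


def policies_for_request(request):
    """The <xacml-context:Request> form of the query, for comparison."""
    return sorted(pid for pid, t in POLICIES.items() if applies_to_request(t, request))


QUERY = {"resource": {"medical-record"}}

if __name__ == "__main__":
    print("option 1:", select(QUERY, overlaps))
    print("option 2:", select(QUERY, exact_match))
    print("request :", policies_for_request({"resource": "medical-record", "action": "write"}))
```

Under option 1 the PDP receives P1 even though P1 does not apply to the sample write request, while option 2 omits P3 and P5, which do apply to it. The set intersection in `overlaps` works only because this model uses equality matching.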

