

Subject: 2.0 compatibility


All,

Previously we have said that an XACML 3.0 PDP MUST be able to work with 
2.0 policies as well. I propose that we instead make this optional.

I don't see the need to force 2.0 on all implementations. Implementers 
should be free to implement 3.0 only if they wish.

I am also worried about the technical issues with xpath based policies 
when mixing a 2.0 policy and a 3.0 request context. It is difficult 
(impossible perhaps?) in general to do it in an automated fashion since any 
xpaths in the 2.0 policy need to be rewritten to the new request context 
schema. In general it is very difficult to locate and understand all 
these xpaths since they might for instance be dynamically generated or 
use complex forms.

Alternatively one might think that translating the 3.0 request context 
into a 2.0 request context whenever the xpath is derived from a 2.0 
policy could be a solution, but since the 3.0 request context is a 
superset of the 2.0 one, this is not easy either. It might work in a sense 
though, since if the 3.0 request context does not translate back to a 
2.0 request context, the 2.0 policy might be nonsensical anyway, but it 
seems very complex, and not something we should mandate in all cases.

We should still describe the 2.0 -> 3.0 translation in the spec, for 
those who wish to do it and who have simple policies which are easy to 
translate.

Regards,
Erik
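
[Added example, not part of the original message or of the XACML specification text.] The XPath problem described above, run against two constructed and heavily simplified request contexts. The namespaces and the ResourceContent versus Attributes/Content layout are assumptions taken from the published 2.0 and 3.0 schemas; the record vocabulary, the sample XPaths, and naive_rewrite are hypothetical. It shows a 2.0 XPath silently selecting nothing on a 3.0 context, and a textual rewriter fixing one XPath form while missing another.

```python
import xml.etree.ElementTree as ET

# Assumed namespaces; "rec" is a made-up application vocabulary.
NS = {
    "c2": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
    "c3": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17",
    "rec": "urn:example:record",
}
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"

# Constructed sample requests carrying the same resource content.
REQUEST_20 = """<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Resource><ResourceContent>
    <rec:record xmlns:rec="urn:example:record"><rec:owner>alice</rec:owner></rec:record>
  </ResourceContent></Resource>
</Request>"""

REQUEST_30 = f"""<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Attributes Category="{RESOURCE_CAT}"><Content>
    <rec:record xmlns:rec="urn:example:record"><rec:owner>alice</rec:owner></rec:record>
  </Content></Attributes>
</Request>"""

# Two 2.0-style XPaths a policy might use for the same node.
POLICY_XPATHS = [
    "./c2:Resource/c2:ResourceContent/rec:record/rec:owner",
    ".//c2:ResourceContent/rec:record/rec:owner",
]

def select(request_xml, xpath):
    """Evaluate xpath with the Request element as context node."""
    root = ET.fromstring(request_xml)
    return [node.text for node in root.findall(xpath, NS)]

def naive_rewrite(xpath_20):
    """Hypothetical textual rewriter that knows only one XPath form."""
    old = "c2:Resource/c2:ResourceContent"
    new = f"c3:Attributes[@Category='{RESOURCE_CAT}']/c3:Content"
    return xpath_20.replace(old, new)

def compatibility_report():
    """Per XPath: result on 2.0, on 3.0 unchanged, on 3.0 after rewrite."""
    return [
        (xp, select(REQUEST_20, xp), select(REQUEST_30, xp),
         select(REQUEST_30, naive_rewrite(xp)))
        for xp in POLICY_XPATHS
    ]

if __name__ == "__main__":
    for row in compatibility_report():
        print(row)
```

An empty selection is not an error at the XPath level, so a rule depending on it simply stops matching; a migration check has to compare selections on equivalent requests rather than wait for an evaluation failure.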


