Re: [xacml] Condition and FunctionId attribute

[Erik Rissanen <erik@axiomatics.com>]

bill parducci wrote:
>
>
>> On Sun, May 18, 2008 at 04:39:29PM +0200, Erik Rissanen wrote:
>>> Regarding #2, we could do that, but in my opinion it is not needed. 
>>> The spec
>>> is quite clear on what the condition element does already. There are 
>>> so many
>>> ways to write a nonsensical XACML policy, that I don't think we should
>>> attempt to cover them. ;-)
>>
> On May 19, 2008, at 8:18 AM, Seth Proctor wrote:
>> I agree completely. As long as it's clear that a Condition can't be
>> evaluated unless it contains an expression that evaluates to a Boolean,
>> I think we're all set. Erik, your two proposals make sense to me..
>
> While I agree in principle, the condition that it be "clear" was not 
> met in this case IMO. This is why I suggested that we consider 
> annotation. If that is not the best approach then perhaps we can 
> consider another means by which to achieve this.

Personally I think it is clear. Section 5.34 in the 2.0 specification 
document states:

The <Condition> contains one <Expression> element, with the restriction 
that the
<Expression> return data-type MUST be 
“http://www.w3.org/2001/XMLSchema#boolean”.
Evaluation of the <Condition> element is described in Section 7.8.


It is clear from this text that it has to be a boolean. One part that is 
perhaps unclear is what should happen if it is not a boolean. My 
interpretation of this text is that the PDP should refuse to even load a 
policy which does not follow this restriction, but I am not sure if 
everybody would agree.

I still think we should not change the spec with respect to this issue.

Regards,
Erik