xacml message

Subject: The target-namespace resource attribute


All,

In the XACML specification there is a definition for an attribute id 
called urn:oasis:names:tc:xacml:2.0:resource:target-namespace. It says 
in the specification (Section B.6 for 2.0) that "In the case where the 
resource content is supplied in the request context and the resource 
namespace is defined in the resource, the PDP SHALL confirm that the 
namespace defined by this attribute is the same as that defined in the 
resource".

This requirement is not implementable as it stands, since the 
<ResourceContent> element may contain any number of elements in any 
namespace, so there is no unique element against which to check. There 
is also no definition of what the PDP shall do if the check fails.

In my opinion there is also no point in the PDP making this check, 
since in general the PDP should just rely on the PEP to provide a 
correct request. If the PEP provides an incorrect request, it is the PEP 
itself that will be hurt by that, so this kind of checking is just 
runtime and implementation overhead.

I propose that for 3.0 we change the text to instead say "In the case 
where resource content is supplied in the request context and the 
resource content namespace(s) are defined in the resource, the PEP MAY 
provide this attribute in the request to indicate the namespace(s) of 
the resource content. In this case there SHALL be one value for this 
attribute for each unique namespace of the top level elements in the 
<Content> element."

I don't know about errata for 2.0.

Best regards,
Erik
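Added illustration (not part of Erik's message or of the XACML specification text): a PEP-side routine that derives the target-namespace attribute under the proposed 3.0 wording, i.e. one value per unique namespace of the top-level elements in <Content>, and a reader that gets the values back out as a PDP would see them. The sample request is constructed for this example; it deliberately carries two top-level elements in different namespaces, which is exactly the case where the 2.0 wording has no single namespace to check against. The XACML 3.0 request-context namespace, resource category URI and anyURI datatype are taken from the 3.0 core schema as I recall them; treating a top-level element that is in no namespace as contributing no value is my own reading of the proposed text, not something the proposal states.

```python
import xml.etree.ElementTree as ET

# XACML 3.0 identifiers (from the 3.0 core schema, not from the message above)
XACML3_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
RESOURCE_CATEGORY = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"
# The attribute id under discussion (from the message)
TARGET_NAMESPACE_ID = "urn:oasis:names:tc:xacml:2.0:resource:target-namespace"

# Constructed sample request. <Content> holds two top-level elements in
# different namespaces plus one in no namespace (xmlns="" is needed because
# the default namespace on <Request> would otherwise be inherited).
SAMPLE_REQUEST = """
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
         ReturnPolicyIdList="false" CombinedDecision="false">
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Content>
      <med:record xmlns:med="urn:example:med">
        <med:patient>Jane Doe</med:patient>
        <fin:note xmlns:fin="urn:example:fin">nested, not top level</fin:note>
      </med:record>
      <fin:invoice xmlns:fin="urn:example:fin" id="42"/>
      <med:record xmlns:med="urn:example:med"/>
      <plain xmlns="">no namespace at all</plain>
    </Content>
  </Attributes>
</Request>
"""


def _q(local):
    # ElementTree spells a qualified tag as "{namespace}local"
    return f"{{{XACML3_NS}}}{local}"


def _namespace_of(tag):
    if tag.startswith("{"):
        return tag[1:].partition("}")[0]
    return None  # element in no namespace


def _resource_attributes(root):
    for attrs in root.findall(_q("Attributes")):
        if attrs.get("Category") == RESOURCE_CATEGORY:
            yield attrs


def top_level_namespaces(request_xml):
    """Unique namespaces of the direct children of <Content>, in document order.

    Nested elements are ignored on purpose: the proposed text speaks only of
    the top-level elements. Elements in no namespace contribute nothing
    (my reading of the proposal)."""
    root = ET.fromstring(request_xml)
    seen, ordered = set(), []
    for attrs in _resource_attributes(root):
        content = attrs.find(_q("Content"))
        if content is None:
            continue
        for child in content:  # direct children only
            ns = _namespace_of(child.tag)
            if ns is not None and ns not in seen:
                seen.add(ns)
                ordered.append(ns)
    return ordered


def add_target_namespace(request_xml):
    """PEP side: append one <Attribute> with one anyURI value per namespace.

    Returns the request unchanged if <Content> carries no namespaced
    top-level element (the attribute is optional under the proposal)."""
    namespaces = top_level_namespaces(request_xml)
    root = ET.fromstring(request_xml)
    if namespaces:
        for attrs in _resource_attributes(root):
            attr = ET.SubElement(attrs, _q("Attribute"),
                                 {"AttributeId": TARGET_NAMESPACE_ID,
                                  "IncludeInResult": "false"})
            for ns in namespaces:
                value = ET.SubElement(attr, _q("AttributeValue"), {"DataType": ANYURI})
                value.text = ns
    return ET.tostring(root, encoding="unicode")


def target_namespace_values(request_xml):
    """PDP side: read the values of the target-namespace attribute back out."""
    root = ET.fromstring(request_xml)
    values = []
    for attrs in _resource_attributes(root):
        for attr in attrs.findall(_q("Attribute")):
            if attr.get("AttributeId") == TARGET_NAMESPACE_ID:
                values.extend(v.text for v in attr.findall(_q("AttributeValue")))
    return values


if __name__ == "__main__":
    enriched = add_target_namespace(SAMPLE_REQUEST)
    print(target_namespace_values(enriched))  # two namespaces, no single target
```

The two-element result is the point of the example: a 2.0 PDP asked to confirm that "the namespace defined by this attribute is the same as that defined in the resource" has nothing unique to compare against, whereas a PEP following the proposed wording simply emits one value per namespace and a PDP that wants them can read them back as a bag.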
