Subject: The target-namespace resource attribute
All,

In the XACML specification there is a definition for an attribute id called urn:oasis:names:tc:xacml:2.0:resource:target-namespace. The specification says (Section B.6 for 2.0) that "In the case where the resource content is supplied in the request context and the resource namespace is defined in the resource, the PDP SHALL confirm that the namespace defined by this attribute is the same as that defined in the resource".

This requirement is not implementable as it stands, since the <ResourceContent> element may contain any number of elements in any namespace, so there is no unique element against which to check. There is also no definition of what the PDP shall do if the check fails.

In my opinion there is also no point in the PDP making this check, since in general the PDP should just rely on the PEP to provide a correct request. If the PEP provides an incorrect request, it is the PEP itself that will be hurt by that, so this kind of checking is just runtime and implementation overhead.

I propose that for 3.0 we change the text to instead say: "In the case where resource content is supplied in the request context and the resource content namespace(s) are defined in the resource, the PEP MAY provide this attribute in the request to indicate the namespace(s) of the resource content. In this case there SHALL be one value for this attribute for each unique namespace of the top level elements in the <Content> element."

I don't know about errata for 2.0.

Best regards,
Erik
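The following is an added example, not code from the post or from the OASIS XACML TC, showing how a PEP could populate the target-namespace attribute under the proposed 3.0 wording: it walks the top-level elements of a <Content> element, collects their unique namespaces in document order, and emits one AttributeValue per namespace. It also illustrates the problem with the 2.0 text, since the constructed sample content mixes elements from two namespaces plus an unqualified one, so there is no single namespace a PDP could compare against. Assumptions: Python's standard xml.etree is used; the XACML 3.0 core schema namespace urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 is used for the emitted Attribute; values use the anyURI data type; unqualified top-level elements (no namespace) contribute no value; the sample content and its namespaces (urn:example:records, urn:example:audit) are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Attribute id from XACML 2.0 Section B.6 (also discussed for 3.0).
TARGET_NAMESPACE_ATTR_ID = "urn:oasis:names:tc:xacml:2.0:resource:target-namespace"
# XACML 3.0 core schema namespace (assumed here for serializing the request attribute).
XACML3_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"

ET.register_namespace("xacml3", XACML3_NS)

# Constructed sample <Content>: two elements in one namespace, one in another,
# and one unqualified element. Under the 2.0 wording a PDP has nothing unique
# to compare the attribute against; under the proposed 3.0 wording the PEP
# simply lists each distinct namespace.
SAMPLE_CONTENT = f"""
<xacml3:Content xmlns:xacml3="{XACML3_NS}"
                xmlns:rec="urn:example:records"
                xmlns:aud="urn:example:audit">
  <rec:record id="r-1"><rec:owner>alice</rec:owner></rec:record>
  <rec:record id="r-2"><rec:owner>bob</rec:owner></rec:record>
  <aud:trail>constructed audit entry</aud:trail>
  <note>unqualified element, contributes no namespace value</note>
</xacml3:Content>
"""


def _namespace_of(tag: str) -> str:
    """Return the namespace URI of an ElementTree tag ('{ns}local'), or '' if unqualified."""
    if tag.startswith("{"):
        return tag[1 : tag.index("}")]
    return ""


def top_level_namespaces(content_xml: str) -> list[str]:
    """Unique namespaces of the top-level child elements of <Content>, in document order.

    Only direct children count (the proposal speaks of top-level elements);
    unqualified children are skipped because they have no namespace to declare
    (an assumption of this example).
    """
    content = ET.fromstring(content_xml)
    seen: list[str] = []
    for child in content:  # direct children only, document order
        ns = _namespace_of(child.tag)
        if ns and ns not in seen:
            seen.append(ns)
    return seen


def build_target_namespace_attribute(namespaces: list[str]) -> ET.Element:
    """Build one XACML 3.0 <Attribute> carrying one <AttributeValue> per namespace."""
    attr = ET.Element(
        f"{{{XACML3_NS}}}Attribute",
        {"AttributeId": TARGET_NAMESPACE_ATTR_ID, "IncludeInResult": "false"},
    )
    for ns in namespaces:
        value = ET.SubElement(attr, f"{{{XACML3_NS}}}AttributeValue", {"DataType": ANYURI})
        value.text = ns
    return attr


def attribute_values(attr: ET.Element) -> list[str]:
    """Extract the AttributeValue texts from an <Attribute> element, in order."""
    return [v.text or "" for v in attr]


if __name__ == "__main__":
    namespaces = top_level_namespaces(SAMPLE_CONTENT)
    attribute = build_target_namespace_attribute(namespaces)
    print(ET.tostring(attribute, encoding="unicode"))
```

Running the block prints a single Attribute with two AttributeValue children, one for urn:example:records and one for urn:example:audit, which is the shape the proposed text mandates: one value per unique top-level namespace, regardless of how many elements share a namespace.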