Subject: Possible Issue: XACML 3.0 WD 9 - 2 questions on Obligation

While reviewing where we have ended up with the handling of Obligation elements in 3.0, I have 2 questions which I am unable to resolve based on my reading of the text (question 2 contains a possible issue of functionality, question 1 might just be clarification either by response to this email or by issue for more explanatory info in the text):
  1. AttributeId in Obligation in Response: In section 5.41, AttributeAssignmentExpression, it says:
    • "It SHALL contain an AttributeId and an expression which SHALL be evaluated into the corresponding attribute value."
    • Presumably, this means that these two items will be what the PDP puts into the Obligation element that is put into the Response. This interpretation is also in agreement, I believe, with the description of this element in section 5.39:
      • "The expressions SHALL be evaluated by the PDP to constant <AttributeValue> elements, which shall be the attribute assignments in the <Obligation> returned to the PEP."
    • Presumably the two items above (AttributeValue, AttributeId) are then put by the PDP into the AttributeAssignment element (section 5.36) which is child to the Obligation (section 5.34).
    • Here is my basic question on section 5.36, which may be simply that I do not understand the mechanics of the extension element in the schema: it appears on lines 2543-2546 that AttributeId might be defined here as an attribute of AttributeValue:
      • "
              <xs:extension base="xacml:AttributeValueType">
                 <xs:attribute name="AttributeId" type="xs:anyURI"
      • So, that's the 1st part of the question. Is this the same AttributeId identified in section 5.41, and does it show up in the output Obligation as an attribute of the AttributeAssignment element or of the AttributeValue element? (It appears based on the above that it might be the latter, if not please explain.)
      • If it is an attribute of AttributeValue, the 2nd part of the question is: does this not kind of violate section 5.31 AttributeValue, because this AttributeId would presumably now be part of the xs:anyAttribute?
  2. (2nd question) Should we include the "Category" in the Obligation (probably not because that would apply to all AttributeAssignments) or preferably in the AttributeAssignment (assuming the AttributeId is already there from question 1)?
    • The reason for asking is that it does not seem unreasonable that in many cases the AttributeId assigned to the Obligation/AttributeAssignment will be the same AttributeId used to pull an attribute out of the Request. Granted, it doesn't have to be, but let's assume that is what some people might want to do.
    • Assuming people want to do this, we now run into the same ambiguity that led to the addition of Category to MissingAttributeDetail (section 5.56), namely that if the PEP needs to know how to correlate the returned attributes with the input request, then both AttributeId and Category are needed, in general.
