While reviewing where we have ended up with the handling of Obligation
elements in 3.0, I have 2 questions which I am unable to resolve based
on my reading of the text (question 2 contains a possible issue of
functionality, question 1 might just be clarification either by
response to this email or by issue for more explanatory info in the
text):
- AttributeId in Obligation in Response: In section 5.41,
AttributeAssignmentExpression, it says:
- "It SHALL contain an AttributeId and an expression which SHALL by evaluated into the corresponding attribute value."
- Presumably, this means that these two items will be what the
PDP puts into the Obligation element that is put into the Response.
This interpretation is also in agreement, I believe, with the
description of this element in section 5.39:
- "The expressions SHALL be evaluated by the PDP to constant <AttributeValue> elements, which shall be the attribute assignments in the <Obligation> returned to the PEP."
- Presumably the two items above (AttributeValue, AttributeId)
are then put by the PDP into the AttributeAssignment element (section
5.36) which is child to the Obligation (section 5.34).
- Here is my basic question on section 5.36, which may be simply
that I do not understand the mechanics of the extension element in the
schema: it appears on lines 2543-2546 that AttributeId might be defined
here as an attribute of AttributeValue:
- "
<xs:extension base="xacml:AttributeValueType">
  <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
</xs:extension>
"
- So, that's the 1st part of the question. Is this the same
AttributeId identified in section 5.41, and does it show up in the
output Obligation as an attribute of the AttributeAssignment element or
of the AttributeValue element? (It appears based on the above that it
might be the latter, if not please explain.)
- If it is an attribute of AttributeValue, the 2nd part of
the question is does this not kind of violate section 5.31
AttributeValue, because this AttributeId would presumably now be part
of the xs:anyAttribute.
- (2nd question) Should we include the "Category" in the Obligation
(probably not because that would apply to all AttributeAssignments) or
preferably in the AttributeAssignment (assuming the AttributeId is
already there from question 1)?
- The reason for asking is that it does not seem unreasonable
that in many cases the AttributeId assigned to the
Obligation/AttributeAssignment will be the same AttributeId used to
pull an attribute out of the Request. Granted, it doesn't have to be,
but let's assume that is what some people might want to do.
- Assuming people want to do this, we now run into the same
ambiguity that led to the addition of Category to
MissingAttributeDetail (section 5.56), namely that if the PEP needs to
know how to correlate the returned attributes with the input request,
then both AttributeId and Category are needed, in general.
Thanks,
Rich
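
The correlation ambiguity described in the second question, as an added example that is not part of the original message or of the specification. The XML is constructed and namespace-free, all `urn:example:` identifiers are made up, AttributeId is assumed to sit on the AttributeAssignment element, and the `Category` attribute on AttributeAssignment is hypothetical (it is the addition being asked about).

```python
import xml.etree.ElementTree as ET

# Constructed sample data: the same AttributeId appears in two categories.
REQUEST = """
<Request>
  <Attributes Category="urn:example:category:subject">
    <Attribute AttributeId="urn:example:attr:id">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:example:category:resource">
    <Attribute AttributeId="urn:example:attr:id">
      <AttributeValue>record-17</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
"""

# Constructed obligation as a PEP might receive it, with AttributeId only.
OBLIGATION = """
<Obligation ObligationId="urn:example:obligation:log">
  <AttributeAssignment AttributeId="urn:example:attr:id">record-17</AttributeAssignment>
</Obligation>
"""

def index_request(xml_text):
    """Map each (Category, AttributeId) pair in the request to its values."""
    index = {}
    for group in ET.fromstring(xml_text).iter("Attributes"):
        for attr in group.iter("Attribute"):
            key = (group.get("Category"), attr.get("AttributeId"))
            index[key] = [v.text for v in attr.iter("AttributeValue")]
    return index

def correlate(obligation_xml, request_index):
    """List the request attributes each assignment could refer to.

    Without a Category on the assignment (hypothetical attribute), the PEP
    can match on AttributeId alone, so several request keys may qualify.
    """
    result = {}
    for a in ET.fromstring(obligation_xml).iter("AttributeAssignment"):
        attr_id, category = a.get("AttributeId"), a.get("Category")
        result[attr_id] = sorted(
            key for key in request_index
            if key[1] == attr_id and category in (None, key[0])
        )
    return result
```

With AttributeId alone the assignment matches both the subject and the resource attribute; adding the hypothetical Category narrows it to one.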