OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Possible issue or editorial cleanup item - missing equalitypredicates, etc.

Hi Erik,

That's fine. It would be useful to dig up the rationale, and possibly put it in the doc somewhere, such as section A.2 where these items are discussed in some detail.

Also, my last question was simply if there is any relation between the dns-name of the Subject attribute and the dnsName of the datatype. Same for ip-address. i.e.would it be reasonable to expect that these datatypes would apply to AttributeValues associated with those subject attribute ids? I suppose the answer is obvious - that there could be but doesn't have to be. But I was also wondering what motivated the addition of these datatypes. Possibly it was related to the remark I just noticed on line 5098-99 which preceded the subject attributes:
The following identifiers indicate the location where authentication credentials were activated.  They are intended to support the corresponding entities from the SAML authentication statement [SAML].
i.e. there was some SAML activity with these, which appears to have raised their visibility to the point where they were late additions to the xacml datatypes.


Erik Rissanen wrote:
49D1BF06.9070303@axiomatics.com" type="cite">Hi Rich,

I think we discussed this some time ago. It's intentional since there are pattern matching functions instead. And, yes, I also pointed out that this means that the set functions are not defined for those data types because of this, but I think this was not seen as a problem. I don't recall the details of the discussion though, so I might be mistaken.

I don't understand your last question.

Best regards,

Rich.Levinson wrote:
There are no equality predicates in section A.3.1 for the following datatypes:

    * urn:oasis:names:tc:xacml:2.0:data-type:ipAddress
    * urn:oasis:names:tc:xacml:2.0:data-type:dnsName
    * urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression

I don't know if this was intentional, but suspect it was just an oversight as these 3 data types were added after XACML 1.1.

Also, it appears some or all of them may be missing from some functions:

    * intersection
    * at-least-one-member-of
    * union
    * subset
    * set-equal

Also, I am curious what, if any, association might or might not be intended between the first two above and the Subject identifiers:

    * urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
    * urn:oasis:names:tc:xacml:2.0:data-type:dnsName


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]