OASIS Mailing List Archives

 



xacml message



Subject: RE: AW: [xacml] Walkthrough of multiple profile (related to public review issue #11)


 

> -----Original Message-----
> From: Erik Rissanen [mailto:erik@axiomatics.com] 
> Sent: Wednesday, October 14, 2009 10:19
> To: Jan Herrmann
> Cc: xacml@lists.oasis-open.org
> Subject: Re: AW: [xacml] Walkthrough of multiple profile 
> (related to public review issue #11)
> 
> Yes, it appears to me too that the discussion is going in circles.
> 
> So can you make a concrete proposal with specific text for 
> how you would like to change the profile, so we can move forward?
>

I do not think we are ready to consider textual amendments to the
profile without further discussion of the issues.

We might be close to putting specific proposals up for vote, so we
should try to collect those proposals.  Unfortunately, they are not
orthogonal, but we can at least group the related ones together and
consider each group.

I think Jan is proposing:

#1: Specify the form of the generated xpath resource-id when creating
single decision requests from a multiple decision request, so that it
can be tested with regexp match.

I have several objections to this proposal, but I think another defect
should be addressed first:

#2: Do not allow context handler to change attribute values supplied in
the original request context.

The notional model of creating single decision requests from a multiple
decision request introduces this requirement in the case of xpath
resource-ids.  It should be remedied, either by changing the original
request attribute id to "resource-selector", or the generated attribute
ids to something like "authorized-node-id", or "decision-resource-id".

Rich has proposed:

#3: Provide an alternate resource identification method, using
namespaced URIs to describe portions of an XML document that is not
available in the decision context.

And my favorite:

#4: Provide an optional attribute on AttributeSelector to set the
context for xpath evaluation at the node on which the decision is
requested.

And there are more.

We should try to move from discussing issues to submitting proposals
that can be voted on.  But the discussion has been very good, and we're
not through yet (or maybe I'm just slower than the rest).

Regards
--Paul

