xacml message



Subject: new issue: PolicyIdentifierList scope and order


Hi all,

When I first saw PolicyIdentifierList in a v3 working draft, I assumed
it included PolicySets as well as Policies.  But now that I read cd-1
section 5.49 closely, I see it only mentions policies.

My use case requires an ordered list consisting of 0 or more PolicySet
ids and 1 Policy id that were successfully evaluated to return the
decision.  But I don't see that PolicyIdentifierList will provide this,
as currently specified.

I propose that PolicyIdentifierList be specified as an ordered list of
PolicySet and Policy ids that were successfully evaluated to reach the
decision.  Each item in the list would have the Policy[Set] id and
version, as currently specified.

Further specification might be necessary for PolicySets, to avoid
ambiguity in the case where two or more children were evaluated
successfully.  In this case, the final id should be the id of the
policyset whose policy-combining-algorithm resulted in the decision that
was returned.  I have not analyzed this much, and we do not use exotic
combining algorithms, so more analysis is required.

It might be possible to use <PolicySetIdReference> and
<PolicyIdReference> in this list, instead of creating new element types.
In this context the EarliestVersion and LatestVersion attributes have no
meaning.

If the IdReferenceType element types are used, the definition of
PolicyIdentifierList would be:

<xs:element name="PolicyIdentifierList" type="xacml:PolicyIdentifierListType"/>
<xs:complexType name="PolicyIdentifierListType">
  <xs:choice minOccurs="1" maxOccurs="unbounded">
    <xs:element ref="xacml:PolicySetIdReference"/>
    <xs:element ref="xacml:PolicyIdReference"/>
  </xs:choice>
</xs:complexType>

Section 5.50 and the <PolicyIdentifier> element could be deleted.

Regards,
--Paul
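
The following is an added worked example, not part of Paul's message or of the OASIS specification: a small consumer that reads a <PolicyIdentifierList> shaped the way the proposal describes (an ordered choice of <PolicySetIdReference> and <PolicyIdReference> children) and checks the constraints his use case needs, namely zero or more PolicySet ids followed by exactly one Policy id, each carrying an id and a Version, and no EarliestVersion/LatestVersion attributes, since those have no meaning here. The namespace URI, the sample Response documents and all identifiers in them are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the XACML 3.0 core namespace URI. The cd-1 draft discussed in
# the message may carry a different working-draft URI; only the local names
# matter to the logic below.
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"xacml": XACML_NS}

# Attributes of IdReferenceType that are meaningless on an identifier naming
# the specific policy (set) that was actually evaluated.
RANGE_ATTRS = ("EarliestVersion", "LatestVersion")

# Constructed sample (not from the message or the spec): a Permit reached by
# walking two nested PolicySets and then a single Policy.
SAMPLE_RESPONSE = f"""<Response xmlns="{XACML_NS}">
  <Result>
    <Decision>Permit</Decision>
    <PolicyIdentifierList>
      <PolicySetIdReference Version="1.0">urn:example:policyset:root</PolicySetIdReference>
      <PolicySetIdReference Version="2.3">urn:example:policyset:finance</PolicySetIdReference>
      <PolicyIdReference Version="1.1">urn:example:policy:expense-approval</PolicyIdReference>
    </PolicyIdentifierList>
  </Result>
</Response>
"""

# Constructed negative sample: a version-range attribute leaks into the list.
BAD_RANGE_RESPONSE = f"""<Response xmlns="{XACML_NS}">
  <Result>
    <Decision>Permit</Decision>
    <PolicyIdentifierList>
      <PolicyIdReference Version="1.1" LatestVersion="2.0">urn:example:policy:expense-approval</PolicyIdReference>
    </PolicyIdentifierList>
  </Result>
</Response>
"""

# Constructed negative sample: a PolicySet id after the Policy id, which is
# not an evaluation path under the ordered-list reading of the proposal.
BAD_ORDER_RESPONSE = f"""<Response xmlns="{XACML_NS}">
  <Result>
    <Decision>Deny</Decision>
    <PolicyIdentifierList>
      <PolicyIdReference Version="1.1">urn:example:policy:expense-approval</PolicyIdReference>
      <PolicySetIdReference Version="1.0">urn:example:policyset:root</PolicySetIdReference>
    </PolicyIdentifierList>
  </Result>
</Response>
"""


class PolicyChainError(ValueError):
    """Raised when PolicyIdentifierList does not describe a single evaluation path."""


def _local_name(tag):
    # ElementTree stores namespaced tags as "{uri}local".
    return tag.rsplit("}", 1)[-1]


def extract_policy_chain(response_xml):
    """Return [(kind, id, version), ...] in document order, i.e. the order in
    which the PDP walked the PolicySets down to the one Policy that produced
    the decision.

    Enforces the shape from the message: zero or more PolicySet ids followed
    by exactly one Policy id, each with an id and a Version, and none of the
    EarliestVersion/LatestVersion range attributes.
    """
    root = ET.fromstring(response_xml)
    plist = root.find("xacml:Result/xacml:PolicyIdentifierList", NS)
    if plist is None:
        raise PolicyChainError("Result carries no PolicyIdentifierList")

    chain = []
    for el in plist:
        name = _local_name(el.tag)
        if name == "PolicySetIdReference":
            kind = "PolicySet"
        elif name == "PolicyIdReference":
            kind = "Policy"
        else:
            raise PolicyChainError(f"unexpected child element {name}")
        for attr in RANGE_ATTRS:
            if attr in el.attrib:
                raise PolicyChainError(f"{attr} has no meaning inside PolicyIdentifierList")
        ident = (el.text or "").strip()
        version = el.get("Version")
        if not ident or version is None:
            raise PolicyChainError(f"{name} must carry both an id and a Version")
        chain.append((kind, ident, version))

    if not chain or chain[-1][0] != "Policy":
        raise PolicyChainError("list must end with the Policy that produced the decision")
    if any(kind == "Policy" for kind, _, _ in chain[:-1]):
        raise PolicyChainError("only one Policy id is allowed, and it must be last")
    return chain


if __name__ == "__main__":
    for kind, ident, version in extract_policy_chain(SAMPLE_RESPONSE):
        print(f"{kind:9} {ident} (Version {version})")
```

The check that the list ends with exactly one Policy id encodes only the simple case from the message; it says nothing about which PolicySet child to report when several siblings evaluated successfully under a combining algorithm, which the message leaves open for further analysis.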

