RE: [xacml] New working drafts posted

["Tyson, Paul H" <PTyson@bellhelicopter.textron.com>]

There are still problems with xpath, AttributeSelector, and Content.  In
section 5.30 of the core spec wd14:

1. Lines 2454/2457 appear to repeat the meaning of lines 2431/2439.
Lines 2454/2457 should be deleted.

2. Lines 2458/2461 unnecessarily restrict the @Path xpath expressions to
those that select nodes from an XML document.  It would exclude node
comparisons, counting, positional queries, and other useful expressions
for testing XML structure.  Erik thought this would be difficult to
implement because of ambiguous return types from these expressions, but
in fact they will be better-defined than XML nodes, which will appear as
string values when put into the XACML context.  The @DataType attribute
of AttributeSelector will control the return type to the XACML context,
and if this type cannot be constructed from the return value of the
xpath expression the application must signal an error.  But this will
not be the common case, and when it does arise the policy author can
adjust the xpath expression to cast the value to a suitable argument
type for the constructor function.  As I suggested earlier, this
paragraph should be replaced with:

=== proposed wd14 lines 2458/2461 ===
If the XPath expression selects a sequence of XML nodes (text,
attribute, element, processing instruction, or comment nodes), then the
string representation of the value of each node MUST be converted to an
attribute value of the specified data-type, and the result of the
AttributeSelector is the bag of the attribute values generated from all
the selected nodes.
=====================================

3. Lines 2466/2469 regarding the definition of the XML infoset that is
subject to xpath processing:  The xacml:Content element does not belong
in this infoset.  The XML that is subject to xpath evaluation should be
the sequence of nodes that are the children of the xacml:Content
element.  This can include zero or more elements, comments, processing
instructions, and text nodes.  I propose replacing the first sentence of
this paragraph with:

=== proposed wd14 lines 2466/2467 ===
The Xpath expression MUST be evaluated in a context which is equivalent
to a node sequence formed of all the child nodes of the <Content>
element, and all the attributes and descendants of those nodes.
Namespace declarations ... [unchanged]
======================================

Note that this makes user-defined attributes of xacml:Content invisible
to xpath expressions, so we should consider removing "anyAttribute" from
the schema definition of xacml:Content.

Regards,
--Paul

> -----Original Message-----
> From: Erik Rissanen [mailto:erik@axiomatics.com] 
> Sent: Thursday, December 17, 2009 05:47
> To: xacml
> Subject: [xacml] New working drafts posted
> 
> All,
> 
> I just posted core wd 14 and associated profiles. This fixes 
> all the issues which were posted to the list yesterday. With 
> these changes, the only things needed updating are those 
> things which Mary will allow, if we would vote on these files.
> 
> The changes are
> 
> => Fix formatting of all references to OASIS specs
> 
> => Fix the typos in hierarchical which Rich posted about
> 
> => Update acknowledgments. See my email here:
> http://lists.oasis-open.org/archives/xacml/200912/msg00109.html
> 
> => Make combined decision in multiple decision request 
> indeterminate if there are obligations or advice
> 
> => Fix some other minor formatting issues
> 
> => Fix cross references in schema files
> 
> => Fix references to XACML 1.0 and 1.1 in SAML profile schema files
> 
> => Update copyright date to 2009 in SAML profile schema files
> 
> BTW, I just realized that there is no copyright statement in 
> the core schema. I think there was some discussion a few 
> years ago about the 2.0 schema files and a copyright 
> statement which was missing, so I added in one for 3.0 core. 
> I am attaching the updated file with this email.
> 
> Best regards,
> Erik
>