Re: [xacml] another wd-20 minor "issue"

[Erik Rissanen <erik@axiomatics.com>]

Rich, All,

I propose the following instead:

This identifier indicates a system entity through which the access request was passed.

urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject

This identifier indicates a system entity associated with a local or remote codebase that generated the request.  Corresponding subject attributes might include the URL from which it was loaded and/or the identity of the code-signer.

urn:oasis:names:tc:xacml:1.0:subject-category:codebase

Best regards,
Erik

On 06/09/2011 03:05 PM, rich levinson wrote:

4DF0C522.30309@oracle.com" type="cite"> We probably should mention the Multi-Decision profile in the context of the following two
subject attributes:

This identifier indicates a system entity through which the access request was passed.  There may be more than one.  No means is provided to specify the order in which they passed the message.

urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject

This identifier indicates a system entity associated with a local or remote codebase that generated the request.  Corresponding subject attributes might include the URL from which it was loaded and/or the identity of the code-signer.  There may be more than one.  No means is provided to specify the order in which they processed the request.

urn:oasis:names:tc:xacml:1.0:subject-category:codebase

Both of these say "There may be more than one.". However, that would only be true if
mulitple-decision capabilities exist, I believe. That may not have been what was originally
intended, but I expect that is probably necessary for consistency.

    Rich