That sounds good to me. I believe that is consistent
w the process we used for XACML 2.0, so now that
3.0 is in OS state, we should start the errata process:
agenda item for next mtg.
On 3/4/2013 6:38 AM, Erik Rissanen
I would say that if you are not supporting multiple decisions,
then it's an error. It might be the case that it's not
explicitly mentioned in the spec. We should add this to an
errata item or an implementer guide.
On 2013-03-04 01:00, rich levinson wrote:
The "issue" here is that it does not appear to me that it
anywhere that a single PDP authorization decision is based on
a set of <Attributes> element each with a different
that there can be at most one <Attributes> element of a
Category involved in a single decision.
I have been working under the assumption that this is true for
quite a while now, but recently I have tried to find the
documentation to unambiguously validate that claim, and I have
been unable to do so, leaving me with the conclusion that either
the claim is wrong and that more than one <Attributes>
of the same Category can be involved in a single decision (which
I believe to be false), or that the documentation should be
somewhere to emphasis this fundamental point.
The description in the 3.0 spec says:
"<Attributes> [One to Many]
While the text above might lead one to believe that one might
Specifies information about attributes of the request context
listing a sequence of <Attribute> elements associated
One or more <Attributes> elements are allowed.
Different <Attributes> elements with different
categories are used
to represent information about the subject, resource, action,
environment or other categories of the access request."
want to consider only including one <Attributes> element
per Category, it says nothing definitive one way or the other.
I am well aware that the multi-decision profile uses multiple
<Attributes> elements of the same Category as the basis
generating a cross-product to generate "Individual Decision
Requests", where in section 2.3.3 it states:
"For each combination of repeated <Attributes>
Again, this text is useful wrt providing the ContextHandler w
one Individual Decision Request SHALL be created.
This Individual Request SHALL be identical to the original
request context with one exception:
only one <Attributes> element
of each repeated category
SHALL be present."
info it needs to generate multiple decision requests, however,
it does not imply that this is a requirement from the PDP side.
For example, what would happen if someone submitted a
Request with two <Attributes> elements, each for a
Target resource, but both with the same Category, namely:
Would this be a request for which the user was asking for access
to both resources at the same time? Or would this be an error
if the multi-profile was not supported?
I don't believe questions like this can be answered w the info
the specs as they currently exist. (unless, of course, I have
something, which is entirely possible :) )