
xacml message


Subject: RE: [xacml-comment] Possible typos in XACML 3.0 Core specification (SubjectCategory, PolicyIdentifierList)

I will offer my opinions, but I defer in advance to Erik.


#1. I think you are right. We missed removing SubjectCategory from this section.


#2. You have a point. The phrase “the <Condition>” is not correct, since a policy may have more than one rule and hence more than one <Condition> element. I think the original intent would be better met by saying that for a PolicySet the Target must match and for a Policy the Target must match and at least one of the Conditions in the Rules must evaluate to true.


Your suggestion would include policies in which the Target matched, but there were no applicable Rules, which doesn’t quite correspond to my notion of an Applicable Policy.


In any event it seems we will need to create and process an errata document.




From: Cyril DANGERVILLE [mailto:cyril.dangerville@thalesgroup.com]
Sent: Monday, May 09, 2016 8:13 PM
To: xacml-comment@lists.oasis-open.org
Cc: cyril.dangerville@thalesgroup.com
Subject: [xacml-comment] Possible typos in XACML 3.0 Core specification (SubjectCategory, PolicyIdentifierList)


I just want to report two possible issues in the text of the XACML 3.0 Core specification. I suspect this may have been raised before but could not find any trace of it, so I just want to make sure.

1) The mention of 'SubjectCategory' attribute in section 8.1:

This attribute does not exist anymore in the XACML 3.0 model, so I assume it should be removed from the list of extensible XML attribute types.


2) The definition of an applicable policy to be returned in <PolicyIdentifierList>, section 5.48:


It says: "all policies where both the <Target> matched and the <Condition> evaluated to true...". Since <Condition> is only in a <Rule>, shouldn't the text say only this instead: "all policies where the <Target> matched" (period)?

Thanks for any clarification if I'm wrong.




Cyril Dangerville, CISSP
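The two readings of "applicable policy" discussed in this thread, compared on a constructed policy set. This is an added example, not part of either message and not code from the XACML specification; the class names, policy IDs and request attributes are hypothetical, and rules are reduced to a single condition predicate (rule-level targets and PolicySets are left out).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Request = Dict[str, str]
Predicate = Callable[[Request], bool]

@dataclass
class Rule:
    condition: Predicate          # stands in for the rule's <Condition>

@dataclass
class Policy:
    policy_id: str
    target: Predicate             # stands in for the policy's <Target>
    rules: List[Rule] = field(default_factory=list)

def applicable_target_only(policies: List[Policy], request: Request) -> List[str]:
    """Reading suggested in the report: list every policy whose Target matched."""
    return [p.policy_id for p in policies if p.target(request)]

def applicable_target_and_rule(policies: List[Policy], request: Request) -> List[str]:
    """Reading suggested in the reply: Target matched AND at least one
    rule's Condition evaluated to true."""
    return [p.policy_id for p in policies
            if p.target(request) and any(r.condition(request) for r in p.rules)]

def differing_ids(policies: List[Policy], request: Request) -> List[str]:
    """Policies reported under the first reading but not the second:
    the Target matched, yet no rule applied."""
    narrow = set(applicable_target_and_rule(policies, request))
    return [i for i in applicable_target_only(policies, request) if i not in narrow]

# Constructed sample data (hypothetical IDs and attributes).
POLICIES = [
    Policy("doc-read", lambda r: r.get("resource") == "document",
           [Rule(lambda r: r.get("role") == "editor")]),
    Policy("doc-audit", lambda r: r.get("resource") == "document",
           [Rule(lambda r: r.get("role") == "auditor")]),
    Policy("hr-records", lambda r: r.get("resource") == "hr-record",
           [Rule(lambda r: True)]),
]
REQUEST = {"resource": "document", "role": "editor"}

if __name__ == "__main__":
    print("target only:        ", applicable_target_only(POLICIES, REQUEST))
    print("target + rule:      ", applicable_target_and_rule(POLICIES, REQUEST))
    print("differs (no rule ok):", differing_ids(POLICIES, REQUEST))
```
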

