| From | Sent On | Attachments |
|---|---|---|
| Paul Tyson | May 26, 2011 9:47 am | |
| Erik Rissanen | May 30, 2011 7:58 am | |
| Tyson, Paul H | May 31, 2011 6:07 am | |
| Erik Rissanen | May 31, 2011 7:57 am | |
| Tyson, Paul H | May 31, 2011 8:39 am | |
| remo...@emc.com | Jun 6, 2011 10:08 pm | |
| Erik Rissanen | Jun 9, 2011 2:26 am | |
| remo...@emc.com | Jun 10, 2011 12:51 am | |
| Erik Rissanen | Jun 15, 2011 4:11 am | |
| rich levinson | Jun 15, 2011 10:50 pm | |
| Erik Rissanen | Jun 16, 2011 1:56 am | |
| remo...@emc.com | Jun 16, 2011 2:10 am | |

| Subject: | RE: [xacml] wd-20 issues | |
|---|---|---|
| From: | remo...@emc.com (remo...@emc.com) | |
| Date: | Jun 10, 2011 12:51:22 am | |
| List: | org.oasis-open.lists.xacml | |

Erik,

-----Original Message-----
From: Erik Rissanen [mailto:er...@axiomatics.com]
Sent: Thursday, June 09, 2011 11:27 AM
To: xac...@lists.oasis-open.org
Subject: Re: [xacml] wd-20 issues

5.29 Element <AttributeDesignator>
"If the Issuer is not present in the attribute designator, then the matching of
the attribute to the named attribute SHALL be governed by AttributeId and
DataType attributes alone."
- And Category.
Yes!
Also in 7.3.4 Attribute Matching.
5.48 Element <Result>
"<PolicyIdentifierList> [Optional]
If the ReturnPolicyIdList attribute in the <Request> is true (see section
5.42), a PDP that implements this optional feature MUST return a list of all
policies which were found to be fully applicable."
- This prevents the PDP from skipping evaluation of policies that cannot affect
the decision. IOW, it prevents performance optimizations. This is not a big deal
to me, since the feature is optional, but maybe something to note in the
implementer's guide?
7.3.7 AttributeSelector evaluation
"If the DataType is not one of the primitive types listed above, then the
return values shall be constructed from the nodeset in a manner specified by the
of the particular DataType extension specification."
- "specified by the of the" misses a crucial noun.
7.7 Target evaluation
"An empty target matches any request. Otherwise the target value SHALL be
"Match" if all the AnyOf specified in the target match values in the request
context."
- This conflicts with 5.6 Element <Target>: "For the parent of the <Target>
element to be applicable to the decision request, there MUST be at least one
positive match between each <AnyOf> element of the <Target> element and the
corresponding section of the <Request> element."
Thanks, Ray
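
The attribute-matching point raised under 5.29 and 7.3.4, as an added example that is not part of the original message or of the specification text: a designator lookup that keys on Category, AttributeId and DataType, and compares Issuer only when the designator carries one. The `Attribute` and `Designator` types, the `resolve` function, the `use_category` switch, the `urn:example:` identifiers and the sample request are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
OWNER = "urn:example:attr:owner"  # hypothetical AttributeId

@dataclass(frozen=True)
class Designator:
    category: str
    attribute_id: str
    data_type: str
    issuer: Optional[str] = None

@dataclass(frozen=True)
class Attribute:
    category: str
    attribute_id: str
    data_type: str
    value: str
    issuer: Optional[str] = None

def resolve(d: Designator, request: List[Attribute],
            use_category: bool = True) -> List[str]:
    # use_category=False models reading the quoted 5.29 sentence literally
    # (AttributeId and DataType alone); it exists only for comparison.
    bag = []
    for a in request:
        if use_category and a.category != d.category:
            continue
        if (a.attribute_id, a.data_type) != (d.attribute_id, d.data_type):
            continue
        # Issuer narrows the match only when the designator carries one.
        if d.issuer is not None and a.issuer != d.issuer:
            continue
        bag.append(a.value)
    return bag

# Constructed request: one AttributeId used in two categories.
REQUEST = [
    Attribute(SUBJECT, OWNER, XS_STRING, "carol", "urn:example:idp-a"),
    Attribute(RESOURCE, OWNER, XS_STRING, "alice", "urn:example:idp-b"),
    Attribute(RESOURCE, OWNER, XS_STRING, "bob"),
]

if __name__ == "__main__":
    d = Designator(RESOURCE, OWNER, XS_STRING)
    print(resolve(d, REQUEST))                      # ['alice', 'bob']
    print(resolve(d, REQUEST, use_category=False))  # ['carol', 'alice', 'bob']
```

Without the Category comparison, a subject-supplied value lands in the bag of a resource designator, which is the ambiguity the "And Category" remark addresses.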





