Hi Erik,
further comments inline.
best regards
jan
> -----Original Message-----
> From: Erik Rissanen [mailto:erik@axiomatics.com]
> Sent: Monday, 28 September 2009 16:33
> To: Jan Herrmann
> Subject: Re: AW: AW: [xacml] RE: XACML's limitations in the access control
> for XML documents use case - AW: AW: [xacml] CD-1 issue #11: strictness of
> xpath definition
>
> Hi Jan,
>
> See responses inline. BTW, it is a good idea to post to the TC list so
> everybody can see the discussion.
>
> Best regards,
> Erik
>
> Jan Herrmann wrote:
> > Hi Erik, all,
> >
> > in your mail
> > (http://lists.oasis-open.org/archives/xacml/200909/msg00095.html) you are
> > identifying three different use cases. Just to make sure that I understood
> > your suggestions let me summarise how I understood your use cases and add
> > some comments:
> >
> > Use case 1:
> > You have one physical resource (a book) and an XML encoded metadata doc that
> > describes the physical resource.
> > You are further saying that XACML can handle this case well. Is this correct
> > or do the same problems exist in this use case too?
> > Let me extend your example to demonstrate that similar problems can occur:
> >
> >
> >
> >
> > Now assume that you try to define a rule that denies access to a book if one
> > of its authors is from the requestor's family (i.e. the miller family) and
> > born after 1978.
> > Doesn't this imply similar limitations as I described in
> > http://lists.oasis-open.org/archives/xacml/200909/msg00081.html?
> >
>
> I am not sure. At the very least, the attribute selector with an offset
> wouldn't help anything here, since it is a request for a single
> resource, so the PDP would not iterate the resource-id over anything.
>
> I suspect that it is fairly easy to write an xpath expression which
> selects a