OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] [model] implementing global "deny" using 0.8 and meta-policies

    Posted 01-19-2002 11:06
I support this proposal. I believe it could deal smoothly with the distributed scenario Anne described many times during the last concalls. It goes in the same direction as a previous suggestion of mine (deal with composition and distributed deployment at the ApplicablePolicy level), but does it far better. However, I would suggest some minor observations/amendments (otherwise there is no fun :-)).

1. Maybe this is trivial, but any change to the current schema should keep policies fully embeddable in the ApplicablePolicy element, besides being able to point to them using external functions. In simple environments there will be only one local policy, stated in a single document.

2. I happen not to like very much using the word "meta-policy" to describe this proposal, for several reasons, some of which would be too long to explain in this message. Basically, I regard Anne's technique mainly as a way to define how a global policy can be deployed in distributed, independently maintained retrieval units. In passing, it also solves the problem of stating which criterion should be applied to compose the outcome of such units (this is essential when deny is a possible outcome, as the criterion may have an impact on what actually needs to be retrieved), but I cannot convince myself this requirement is equally important. I believe (but would like to hear the opinion of the industrial researchers on this one) that there will be a default policy composition technique that will be used 99.9% of the time. Therefore, in the schema I would prefer to concentrate the deployment description functionality in a new element, perhaps called ApplicablePolicies, possibly defined as an extension of the base (Applicable)Policy type. This element could optionally (via an attribute) specify the composition criterion as well. Tim, what are your views?

Rgds,

Ernesto

Prof. Ernesto Damiani
Dipartimento di Tecnologie dell'Informazione
Università di Milano - Polo di Crema
Via Bramante 65
26013 Crema, Italia
tel 0373-898240
fax 0373-898253
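An added illustration of the point made in item 2 above (it is not code from the XACML TC, from the 0.8 schema, or from the original post): a toy "ApplicablePolicies" container holding one embedded policy unit and two units reached through external retrieval functions, with the composition criterion as an attribute. Running the same request under deny-overrides and permit-overrides shows why the criterion affects what actually needs to be retrieved: a decisive outcome lets the evaluator stop before fetching the remaining units. The unit names, criterion names, rules and sample request are constructed assumptions.

```python
"""Added example for the XACML 0.8 'ApplicablePolicies' discussion.

Not code from the TC or the 0.8 schema: a toy container whose composition
criterion decides which distributed policy units must actually be retrieved.
Unit names, criterion names, rules and the sample requests are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Rule = Callable[[Dict[str, str]], str]


@dataclass
class PolicyUnit:
    """One independently maintained retrieval unit.

    Either the rule is embedded inline (the single-document case from item 1)
    or it is obtained on demand through an external retrieval function."""
    name: str
    rule: Optional[Rule] = None
    fetch: Optional[Callable[[], Rule]] = None

    def evaluate(self, request: Dict[str, str]) -> str:
        if self.rule is None:          # remote unit: retrieve only when needed
            self.rule = self.fetch()
        return self.rule(request)


@dataclass
class ApplicablePolicies:
    """Deployment description container; the composition criterion is an
    optional attribute (assumed default: deny-overrides)."""
    units: List[PolicyUnit]
    criterion: str = "deny-overrides"
    retrieved: List[str] = field(default_factory=list)

    def evaluate(self, request: Dict[str, str]) -> str:
        if self.criterion not in ("deny-overrides", "permit-overrides"):
            raise ValueError(f"unknown composition criterion {self.criterion!r}")
        self.retrieved = []
        decisive = DENY if self.criterion == "deny-overrides" else PERMIT
        fallback = PERMIT if decisive == DENY else DENY
        fallback_seen = False
        for unit in self.units:
            self.retrieved.append(unit.name)
            outcome = unit.evaluate(request)
            if outcome == decisive:
                return outcome         # remaining units need not be retrieved
            if outcome == fallback:
                fallback_seen = True
        return fallback if fallback_seen else NOT_APPLICABLE


def build_container(criterion: str) -> ApplicablePolicies:
    """Constructed sample deployment: one local embedded unit and two remote
    units reached through (simulated) external retrieval functions."""
    def local_employees(req: Dict[str, str]) -> str:
        return PERMIT if req.get("role") == "employee" else NOT_APPLICABLE

    def hq_weekend_ban(req: Dict[str, str]) -> str:
        # A centrally maintained deny that should win under deny-overrides.
        return DENY if req.get("day") in ("Sat", "Sun") else NOT_APPLICABLE

    def audit_admins(req: Dict[str, str]) -> str:
        return PERMIT if req.get("role") == "admin" else NOT_APPLICABLE

    return ApplicablePolicies(
        units=[
            PolicyUnit("local-employees", rule=local_employees),
            PolicyUnit("hq-weekend-ban", fetch=lambda: hq_weekend_ban),
            PolicyUnit("audit-admins", fetch=lambda: audit_admins),
        ],
        criterion=criterion,
    )


def decide(criterion: str, request: Dict[str, str]):
    """Return (decision, names of the units that had to be retrieved)."""
    container = build_container(criterion)
    decision = container.evaluate(request)
    return decision, list(container.retrieved)


if __name__ == "__main__":
    weekend = {"subject": "alice", "role": "employee", "day": "Sat"}
    for crit in ("deny-overrides", "permit-overrides"):
        print(crit, decide(crit, weekend))
```

Under deny-overrides the evaluator must keep fetching until it sees a Deny (or runs out of units), so the local Permit alone settles nothing; under permit-overrides that same local Permit ends the evaluation and the remote units are never retrieved. That asymmetry is the retrieval impact item 2 refers to, and it is why a default criterion still has to be stated somewhere even if it is used almost all the time.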