OASIS eXtensible Access Control Markup Language (XACML) TC


[xacml] Comments on defining predicates and functions

Posted 06-26-2002 18:46

I asked our internal XML experts for their feedback on our two choices. Since next week is a holiday here, no one has much time to review in detail, but the appended quick comments came in.

Anne Anderson
Anne.Anderson@Sun.COM
Internet Security Research Group, Sun Labs
Sun Microsystems, Inc., Burlington, MA

===================================================================
Commenter #1:

I'd suggest you vote for using XML rather than plain language. The ability to validate at policy creation time is not something to sneeze at...

[Anne: but we can't validate at policy creation time, right? We need to have a Request to validate.]

===================================================================
Commenter #2:

We are leaning toward allowing a policy writer to specify what syntax is being used for element selection: XPATH, SQL, regular expression, etc. Even where XPATH is specified, however, a subset may be sufficient. Michiharu Kudo (IBM) volunteered to propose such a subset.

They also need to pick XPath 1.0 or XPath 2.0 (explicitly); I expect 1.0 is the intent. If they decide to subset, I strongly encourage them to use the XML Schema subset, unless it's insufficient (in which case, what sort of subset could they be looking for?) And if they only want element selection, XPointer is a possibility (framework+element).

He also wants to support XSLT function calls in policy conditions. I assume this means extension functions in XPath, not functions defined in XSLT 2.0. In this case, the only problem is that they will have to invent some mechanism for declaring the extension namespace and supporting function-available(). And they'll need an "if" construct, probably. This is a pretty big endeavor.
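An added example, not part of the message above or of any XACML implementation, illustrating the two points the commenters raise: a policy's element selectors can be syntax-checked when the policy is written (no Request needed), while a condition can only be evaluated once a Request exists. It uses Python's ElementTree, whose path language is itself only a subset of XPath 1.0; the namespace, selector names, condition functions and sample Request are all assumed.

```python
import xml.etree.ElementTree as ET

# Hypothetical prefix map and selectors; element names only mimic an XACML Request.
NS = {"req": "urn:example:request"}
SELECTORS = {
    "subject-role": "./req:Subject/req:Attribute[@AttributeId='role']/req:AttributeValue",
    "subject-dept": "./req:Subject/req:Attribute[@AttributeId='dept']/req:AttributeValue",
    "resource-dept": "./req:Resource/req:Attribute[@AttributeId='owner-dept']/req:AttributeValue",
}

# Constructed sample Request (not taken from the XACML specification).
SAMPLE_REQUEST = """<Request xmlns="urn:example:request">
  <Subject>
    <Attribute AttributeId="role"><AttributeValue>auditor</AttributeValue></Attribute>
    <Attribute AttributeId="dept"><AttributeValue>ops</AttributeValue></Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="owner-dept"><AttributeValue>ops</AttributeValue></Attribute>
  </Resource>
</Request>"""


def check_selectors(selectors):
    """Authoring-time check: compile each selector against an empty probe element.
    No Request is involved; malformed predicates and unknown prefixes are reported."""
    probe = ET.Element("probe")
    errors = {}
    for name, path in selectors.items():
        try:
            probe.findall(path, NS)  # ElementTree compiles the path before matching
        except SyntaxError as exc:
            errors[name] = str(exc)
    return errors


def select(request_xml, path):
    """Evaluation-time selection: run one selector over a Request, returning text values."""
    root = ET.fromstring(request_xml)
    return [node.text for node in root.findall(path, NS)]


def evaluate(request_xml, condition):
    """Condition = list of (function, left, right); a name in SELECTORS is resolved
    against the Request, anything else is a literal. All predicates must hold."""
    def value(ref):
        return set(select(request_xml, SELECTORS[ref])) if ref in SELECTORS else {ref}
    outcome = True
    for fn, left, right in condition:
        if fn == "equal":        # the two selections yield the same value set
            outcome &= value(left) == value(right)
        elif fn == "any-of":     # at least one value in common
            outcome &= bool(value(left) & value(right))
        else:
            raise ValueError(f"unknown function {fn!r}")
    return outcome
```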