OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] Issues about XACML Request Context schema


    Posted 07-09-2002 15:11
    On 9 July, Michiharu Kudoh writes: [xacml] Issues about XACML Request Context schema

    > 1) In SAML Request, Format attribute in the NameIdentifier element is
    > optional while the same Format attribute of SubjectId element in XACML
    > Context is mandatory. I think the Format attribute of SubjectId element
    > might be optional.

    I propose instead that a value of "urn:oasis:names:tc:xacml:identifiers:Unspecified" be used as the value of "Format" when it is not otherwise available. An "anyURI" or "string" name is underspecified, in my opinion, where it is intended to take on arbitrary values specified elsewhere.

    > 2) In my sample XSLT transformation, I just copied the whole SAML Evidence
    > element into SubjectAttribute element as an Evidence attribute of the
    > subject in XACML Context. If we take this approach, a Namespace attribute
    > in the AttributeMetaData element in XACML context has no corresponding
    > information in SAML request. However this Namespace attribute is mandatory
    > in XACML. I think the Namespace attribute of AttributeMetaData element
    > might be optional.

    Again, I think a "string" AttributeName is underspecified. Let's use "urn:oasis:names:tc:xacml:identifiers:Unspecified" as the value for "AttributeNamespace" when no other value is available.

    > 3) In XACML Context, there is an AuthenticationInfo element in the Subject
    > element that is zero or one occurrence. I think that it is not clear which
    > authentication information in the SAML request corresponds to
    > AuthenticationInfo in the XACML Context. In addition, SAML request may have
    > multiple authentication information about the subject. In that case, single
    > AuthenticationInfo element does not work. Then I think that the occurrence
    > of AuthenticationInfo should be zero to unlimited, or the element itself
    > should be deleted from the XACML context (I mean any authentication
    > information goes into the subject attribute section)

    I agree.

    > 4) In XACML Context, Action element has no attribute while Action element
    > in SAML request has Namespace attribute. It seems to me that the action in
    > SAML request is more appropriate format.

    I think we treat the Action element namespace as being implied by the Resource. I think it would be OK to add an optional ActionNamespace xml attribute to our Action, however.

    Anne
    --
    Anne H. Anderson               Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
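The four proposals in the message above, worked through as an added example (this is not code from the thread, the TC, or the XSLT Michiharu mentions). It maps a constructed, namespace-free SAML-style Subject onto a simplified XACML context Subject: Format and AttributeNamespace stay mandatory but default to the Unspecified URN, every SAML authentication statement lands in the subject attribute section instead of a single AuthenticationInfo element, and Action takes an optional ActionNamespace. The element layout (SubjectId, SubjectAttribute, AttributeMetaData, AttributeValue) is taken from the names used in the discussion; the exact draft schema is assumed, and the SAML sample is constructed.

```python
import xml.etree.ElementTree as ET

# URN proposed in the message as the stand-in when no real value is available.
UNSPECIFIED = "urn:oasis:names:tc:xacml:identifiers:Unspecified"

# Constructed sample input, deliberately simplified: no XML namespaces, and
# only the SAML pieces the message talks about. The NameIdentifier has no
# Format, the first evidence Attribute has no AttributeNamespace, and there
# are two authentication statements for the same subject.
SAMPLE_SAML_SUBJECT = """<Subject>
  <NameIdentifier>alice@example.com</NameIdentifier>
  <AuthenticationStatement AuthenticationMethod="urn:example:password"/>
  <AuthenticationStatement AuthenticationMethod="urn:example:x509"/>
  <Evidence>
    <Attribute AttributeName="role">admin</Attribute>
    <Attribute AttributeName="clearance" AttributeNamespace="urn:example:attrs">secret</Attribute>
  </Evidence>
</Subject>"""


def add_subject_attribute(parent, name, namespace, value):
    """Append one SubjectAttribute with its AttributeMetaData, filling in the
    Unspecified URN when the source carried no namespace (point 2)."""
    attr = ET.SubElement(parent, "SubjectAttribute")
    meta = ET.SubElement(attr, "AttributeMetaData")
    meta.set("AttributeName", name)
    meta.set("AttributeNamespace", namespace or UNSPECIFIED)
    ET.SubElement(attr, "AttributeValue").text = value
    return attr


def to_xacml_subject(saml_xml):
    """Map a (simplified) SAML Subject to a (simplified) XACML context Subject
    using the defaults proposed in the message. Element and attribute names
    follow the draft schema discussed there; the exact layout is assumed."""
    src = ET.fromstring(saml_xml)
    out = ET.Element("Subject")

    # Point 1: Format is kept mandatory and defaults to the Unspecified URN
    # rather than being made optional.
    name_id = src.find("NameIdentifier")
    subject_id = ET.SubElement(out, "SubjectId")
    subject_id.text = name_id.text
    subject_id.set("Format", name_id.get("Format") or UNSPECIFIED)

    # Point 3: instead of a single AuthenticationInfo element, each SAML
    # authentication statement becomes an ordinary subject attribute, so any
    # number of them can be carried.
    for stmt in src.findall("AuthenticationStatement"):
        add_subject_attribute(out, "AuthenticationMethod", UNSPECIFIED,
                              stmt.get("AuthenticationMethod"))

    # Point 2: evidence attributes are copied across; a missing namespace
    # becomes the Unspecified URN so the mandatory attribute is always present.
    for attr in src.findall("Evidence/Attribute"):
        add_subject_attribute(out, attr.get("AttributeName"),
                              attr.get("AttributeNamespace"), attr.text)
    return out


def make_action(value, namespace=None):
    """Point 4: Action with an optional ActionNamespace xml attribute; when it
    is omitted the namespace is taken to be implied by the Resource."""
    action = ET.Element("Action")
    action.text = value
    if namespace is not None:
        action.set("ActionNamespace", namespace)
    return action


if __name__ == "__main__":
    subj = to_xacml_subject(SAMPLE_SAML_SUBJECT)
    print(ET.tostring(subj, encoding="unicode"))
    print(ET.tostring(make_action("read"), encoding="unicode"))
    print(ET.tostring(make_action("read", "urn:example:actions"), encoding="unicode"))
```

The point of defaulting to a fixed URN rather than dropping the attribute is that a PDP consuming the context can always distinguish "the requester said nothing about the format or namespace" from a real value, and schema validation still enforces that the attribute is present.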