OASIS eXtensible Access Control Markup Language (XACML) TC


XACML 3.0 core wd 20 uploaded


    Posted 05-24-2011 10:33
    Hi all,

    I have updated the core working draft. I fixed the typos that were discussed on the list. I also tried to reorganize the extended Indeterminate stuff to make it better as has been discussed on the list. While doing that, I made quite a lot of changes, some of which I would like to highlight in particular:

    - In section 7, Rule/Policy/PolicySet evaluation, there were two normative descriptions in each case. First, there was a table, and then there were also English language descriptions. As the tables are growing with more cases now, the English language text becomes more and more complex, making it likely to contain mistakes and hard to understand. And we should not have two normative descriptions anyway. So I removed the English language texts rather than changing them even more. Let me know if you don't agree with this change.

    - Also in section 7, Policy/Set evaluation, it said that if the target matches and "All rule values are NotApplicable", then the result is NotApplicable. This is in conflict with the deny-unless-permit and permit-unless-deny algorithms, which would not have any effect in this case. It seems more consistent to let the combining algorithm always decide this, so I changed the table.

    - I added an explanation about what the input to each combining algorithm represents. I also said that they may work in any order, since this is what has been intended in the past, but the pseudo code has a for loop which works in order.

    - I noticed that section A.3 is in conflict with the definitions of boolean AND and OR. It said that "If an argument of one of these functions were to evaluate to Indeterminate, then the function SHALL be set to "Indeterminate"". I changed it to "Unless otherwise specified, if an argument of one of these functions were to evaluate to Indeterminate, then the function SHALL be set to Indeterminate".

    - I made it explicit that an implementation may work differently internally than the definitions presented.

    Best regards,
    Erik
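The two points about the "all rules NotApplicable" row and about order independence, as an added illustration in Python (not part of Erik's post or of the working draft): `deny_unless_permit`, `permit_unless_deny` and the extended-Indeterminate `deny_overrides` follow the XACML 3.0 rule-combining definitions, while `old_policy_eval` is a hypothetical stand-in for the removed table row that short-circuits to NotApplicable before the combining algorithm runs.

```python
"""Illustrative XACML 3.0 rule-combining algorithms (added example)."""
DENY, PERMIT, NA = "Deny", "Permit", "NotApplicable"
IND_D, IND_P, IND_DP = "Indeterminate{D}", "Indeterminate{P}", "Indeterminate{DP}"


def deny_unless_permit(results):
    # Permit if any rule permits; otherwise Deny, even when every rule is
    # NotApplicable or Indeterminate. This algorithm never yields NotApplicable.
    return PERMIT if PERMIT in results else DENY


def permit_unless_deny(results):
    # Mirror image: Deny if any rule denies; otherwise Permit.
    return DENY if DENY in results else PERMIT


def deny_overrides(results):
    # Extended-Indeterminate deny-overrides. Only which values occur in the
    # input matters, so the rules may be combined in any order.
    rs = set(results)
    if DENY in rs:
        return DENY
    if IND_DP in rs or (IND_D in rs and (IND_P in rs or PERMIT in rs)):
        return IND_DP
    if IND_D in rs:
        return IND_D
    if PERMIT in rs:
        return PERMIT
    if IND_P in rs:
        return IND_P
    return NA


def evaluate_policy(target_matches, rule_results, combiner):
    # Section 7 behaviour after the change: once the target matches, the
    # combining algorithm always decides, whatever the rule results are.
    if not target_matches:
        return NA
    return combiner(rule_results)


def old_policy_eval(target_matches, rule_results, combiner):
    # Hypothetical stand-in for the removed row: "All rule values are
    # NotApplicable" forced NotApplicable before the combiner could run.
    if not target_matches:
        return NA
    if all(r == NA for r in rule_results):
        return NA
    return combiner(rule_results)
```

With two NotApplicable rules, the removed row returns NotApplicable whereas deny-unless-permit returns Deny, which is the conflict the post describes.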