OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] Issues about XACML Request Context schema

    Posted 07-10-2002 09:20


    Subject: Re: [xacml] Issues about XACML Request Context schema


    
    I have no objection to using
    "urn:oasis:names:tc:xacml:identifiers:Unspecified" when no information is
    available, but what if the policy writer does not want to specify a namespace
    for the attribute (e.g. for conciseness rather than interoperability)? I
    wonder whether we should FORCE people to specify a namespace for each
    attribute (namespace attribute is mandatory) or RECOMMEND that people
    specify a namespace but leave it up to the policy writer's decision (namespace
    is optional). I would prefer the latter.
    
    I think "urn:oasis:names:tc:xacml:1.0:identifiers:Unspecified" is better.
    
    >I think we treat the Action element namespace as being implied by
    >the Resource.  I think it would be OK to add an optional
    >ActionNamespace xml attribute to our Action, however.
    
    In SAML, the action namespace for UNIX file permissions is
    "urn:oasis:names:tc:SAML:1.0:action:unix" and an actual action parameter is,
    e.g., 0754. Since the current XACML allows only a URI for the action
    parameter, it does not fit the case of 0754. That's why I suggested using
    SAML-like syntax, i.e. a STRING type for the action parameter together with
    the namespace URI.
    
    Best
    Michiharu
    
    IBM Tokyo Research Laboratory, Internet Technology
    Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428


    Anne Anderson <Anne.Anderson@Sun.com>
    To: XACML TC <xacml@lists.oasis-open.org>
    cc:
    Subject: Re: [xacml] Issues about XACML Request Context schema
    2002/07/10 00:10
    Please respond to Anne.Anderson
    
    
    
    On 9 July, Michiharu Kudoh writes: [xacml] Issues about XACML Request Context schema
     > 1) In SAML Request, Format attribute in the NameIdentifier element is
     > optional while the same Format attribute of SubjectId element in XACML
     > Context is mandatory. I think the Format attribute of SubjectId element
     > might be optional.
    
    I propose instead that a value of
    "urn:oasis:names:tc:xacml:identifiers:Unspecified" be used as the
    value of "Format" when it is not otherwise available.
    
    An "anyURI" or "string" name is underspecified, in my opinion,
    where it is intended to take on arbitrary values specified
    elsewhere.
    
     > 2) In my sample XSLT transformation, I just copied the whole SAML Evidence
     > element into SubjectAttribute element as an Evidence attribute of the
     > subject in XACML Context. If we take this approach, a Namespace attribute
     > in the AttributeMetaData element in XACML context has no corresponding
     > information in SAML request. However this Namespace attribute is mandatory
     > in XACML. I think the Namespace attribute of AttributeMetaData element
     > might be optional.
    
    Again, I think a "string" AttributeName is underspecified.  Let's use
    "urn:oasis:names:tc:xacml:identifiers:Unspecified" as the value
    for "AttributeNamespace" when no other value is available.
    
     > 3) In XACML Context, there is an AuthenticationInfo element in the Subject
     > element that is zero or one occurrence. I think that it is not clear which
     > authentication information in the SAML request corresponds to
     > AuthenticationInfo in the XACML Context. In addition, SAML request may have
     > multiple authentication information about the subject. In that case, single
     > AuthenticationInfo element does not work. Then I think that the occurrence
     > of AuthenticationInfo should be zero to unlimited, or the element itself
     > should be deleted from the XACML context (I mean any authentication
     > information goes into the subject attribute section)
    
    I agree.
    
     > 4) In XACML Context, Action element has no attribute while Action element
     > in SAML request has Namespace attribute. It seems to me that the action in
     > SAML request is a more appropriate format.
    
    I think we treat the Action element namespace as being implied by
    the Resource.  I think it would be OK to add an optional
    ActionNamespace xml attribute to our Action, however.
    
    Anne
    --
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    
    
    ----------------------------------------------------------------
    To subscribe or unsubscribe from this elist use the subscription
    manager: <http://lists.oasis-open.org/ob/adm.pl>
    
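    Worked example (added here; not part of either message and not a XACML TC draft): a small Python script that performs the SAML-to-request-context mapping the two messages are debating, so the three points can be seen together. It (1) keeps Format mandatory and writes "urn:oasis:names:tc:xacml:1.0:identifiers:Unspecified" when the SAML NameIdentifier has none, (2) copies a SAML Evidence element into a SubjectAttribute whose AttributeNamespace is that same URN, and (4) carries the SAML Action Namespace as an ActionNamespace attribute with a STRING value, so that a UNIX mode such as 0754 passes while the URI-only rule rejects it. The element layout (Request/Subject/SubjectId, AttributeMetaData, Action/ActionNamespace), the sample query and the example.com URIs are assumptions constructed for the illustration; the URI check is deliberately crude.

```python
# Added illustration of the SAML -> XACML request-context mapping argued over in
# the thread.  Not code from the XACML TC, either author, or any draft schema:
# element/attribute names follow the messages, the layout is an assumption.
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML_UNIX_ACTION = "urn:oasis:names:tc:SAML:1.0:action:unix"
UNSPECIFIED = "urn:oasis:names:tc:xacml:1.0:identifiers:Unspecified"

# Constructed sample (not a real SAML protocol message): Format omitted on the
# NameIdentifier, one namespaced attribute, Evidence with no namespace at all,
# and the action carried SAML-style as a namespace URI plus a string value.
SAMPLE_SAML = """<Query xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
  <Subject>
    <NameIdentifier>alice</NameIdentifier>
    <Attribute AttributeName="role" AttributeNamespace="http://www.example.com/attrs">
      <AttributeValue>admin</AttributeValue>
    </Attribute>
  </Subject>
  <Action Namespace="urn:oasis:names:tc:SAML:1.0:action:unix">0754</Action>
  <Evidence><AssertionIDReference>_a1</AssertionIDReference></Evidence>
</Query>"""


def _q(local):
    """Clark-notation tag name in the SAML assertion namespace."""
    return "{%s}%s" % (SAML_NS, local)


def is_uri(value):
    """Crude syntactic URI check (scheme ':' non-blank rest), enough to show
    that a UNIX mode such as '0754' is not a URI.  Not an RFC 2396 validator."""
    return re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$", value) is not None


def validate_action(namespace, value):
    """The two rules the messages contrast: URI-only (current XACML draft) when
    no namespace is given, or a namespace-scoped STRING as in SAML.  Only the
    SAML UNIX action namespace is modelled here (octal mode, 3 or 4 digits)."""
    if namespace == SAML_UNIX_ACTION:
        return re.fullmatch(r"[0-7]{3,4}", value) is not None
    return is_uri(value)


def saml_to_context(saml_xml):
    """Build a request context (assumed layout) from the constructed SAML query."""
    query = ET.fromstring(saml_xml)
    subj = query.find(_q("Subject"))
    name = subj.find(_q("NameIdentifier"))

    ctx = ET.Element("Request")
    xsubj = ET.SubElement(ctx, "Subject")

    # Item 1: Format stays mandatory; fall back to the Unspecified URN.
    sid = ET.SubElement(xsubj, "SubjectId", Format=name.get("Format", UNSPECIFIED))
    sid.text = name.text

    # SAML attributes already carry a namespace, so it is copied through.
    for attr in subj.findall(_q("Attribute")):
        sa = ET.SubElement(xsubj, "SubjectAttribute")
        ET.SubElement(sa, "AttributeMetaData",
                      AttributeName=attr.get("AttributeName"),
                      AttributeNamespace=attr.get("AttributeNamespace", UNSPECIFIED))
        for val in attr.findall(_q("AttributeValue")):
            ET.SubElement(sa, "AttributeValue").text = val.text

    # Item 2: Evidence has no namespace in SAML, so the copied attribute gets
    # the Unspecified URN rather than making AttributeNamespace optional.
    evidence = query.find(_q("Evidence"))
    if evidence is not None:
        sa = ET.SubElement(xsubj, "SubjectAttribute")
        ET.SubElement(sa, "AttributeMetaData", AttributeName="Evidence",
                      AttributeNamespace=UNSPECIFIED)
        sa.append(evidence)

    # Item 4: keep the SAML Namespace as ActionNamespace and the value as a string.
    act = query.find(_q("Action"))
    ns = act.get("Namespace", "")
    value = (act.text or "").strip()
    if not validate_action(ns, value):
        raise ValueError("action %r is not valid under namespace %r" % (value, ns))
    xact = ET.SubElement(ctx, "Action")
    if ns:
        xact.set("ActionNamespace", ns)
    xact.text = value
    return ctx


def to_string(ctx):
    """Serialize the built context for inspection."""
    return ET.tostring(ctx, encoding="unicode")


if __name__ == "__main__":
    print(to_string(saml_to_context(SAMPLE_SAML)))
    # The same value under the URI-only rule is rejected, which is the mismatch
    # Michiharu points out for 0754.
    print("0754 as URI-only action:", validate_action("", "0754"))
```

    Run it directly to see the serialized context and the rejection of 0754 under the URI-only rule. validate_action is the one place where the two rules meet, which is where a real implementation would plug in the XACML data-type check instead of the crude regular expressions used here.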
    
    
    
    
    

