All members should make sure to review Gilbert's document prior to the call
on Thursday. Here are my comments:
First and foremost, thanks for producing this Gilbert!
In answer to the question "Should the Policy Decision Point be in scope for
XACML?". Yes. Although I had not initially envisioned the PDP as part of our
scope, I think we need to make it in scope as a matter of practicality.
Forming yet another TC seems like a bad idea and until the PDP is in scope
for someone, the policy language won't be used. This is similar to the
access protocol question that came up earlier.
The definition of Authorization Decision Assertions: "Assertions that
correspond to the result of an authorization decision. Such assertions must
contain the binary result of the decision (permitted/not permitted) and may
contain additional "advisory" information that serves to act as an
explanation for the decision" appears inadequate. Based on examples from
SAML and at least what I envision being produced by a PDP, the authorization
decision will include the operation that is permitted, e.g. read, write,
provision, execute, use, etc.
We need a definition for Authorization Attributes before we can address the
concern "I am disturbed about the fact that Authorization Attributes appear
in Figure 1 but don't appear in Figure 2. Are there attributes whose schema
are likely to be closely coupled with the Authorization Policies defined within
the security domain? Does the definition of these attributes then fall
within the scope of XACML?"