I agree, especially when you say that we do not need to reinvent the wheel.. Having worked a lot on XML query languages in the last couple of years (I even was at the first W3C workshop on this subject ;-), interested people may take a look at
http://xerox.elet.polimi.it ) my personal opinion is that XQuery gives you a lot of expressive power.. and, at least for now, lots of trouble we do not need. There is a standard, robust, well-understood mechanism to refer to portions of XML data, and it is XPath (BTW, as you know most of the academic proposals towards access control languages for XML, including our own, exploit this mechanism for identifying objects). XSLT is based on XPath, and it seems very reasonable XSLT/XPath to be used to extract and process parts of an XACML policies' repository. Needless to say I do NOT think we should get involved with any lower level issue such as serialization etc.: our XACML info may travel inside a HTTP packet, be stored on disk as a XML text file or serialized using any other mechanism. Comments welcome... ernesto