These are comments from another reviewer in my work group. -Anne

------- start of forwarded message -------
From: yassir elley <yassir.elley@Sun.COM>

I read through Draft v18d of the XACML spec and had a few editorial comments. Perhaps these can be appropriately forwarded by Anne somewhere. I have divided my editorial comments into general comments and additional comments. The general comments are mostly about Example Two. The additional comments are just typos.

Regards,
Yassir.

General Comments
================

1) Example two specifies four separate rules, as well as a request context "to which the example rules are intended to be applicable." Unfortunately, none of the example rules are applicable to the request context that is specified. This should probably be fixed.

2) As part of the Target, each of the rules includes a <ResourceMatch> of <ResourceAttributeDesignator AttributeId="urn:...:target-namespace" ...>. Since "target-namespace" is not included as a Resource Attribute in the request context, none of the rules will ever match. Perhaps "target-namespace" should be included as a Resource Attribute in the request context.

3) Rules 1, 2, and 3 make use of an AttributeSelector as part of a Condition. The AttributeSelector has an XML attribute named RequestContextPath (RCP). The syntax of the RCP is inconsistent among the rules and should be made consistent. For example:

   Rule 1: RCP="//ctx:ResourceContent/md:record/"
   Rule 2: RCP="/ctx:Request//ctx:ResourceContent/md:record/"
   Rule 3: RCP="/ctx:Request/ctx:Resource/ctx:ResourceContent/md:record/"

4) In Section 5.6 (line 1951), it is somewhat strange that the explanatory text for <Subject> reads "A disjunctive sequence of <Subject> elements." This seems more appropriate for the <Subjects> element. This same pattern occurs with the explanatory text for <Resource> (line 2015) and <Action> (line 2078).

Additional Comments (appended by relevant line number)
======================================================

1041: insert "//" (i.e. "http://www.medico.com")
1049: insert "//" (i.e. "http://www.medico.com")
1069: replace "[14]-[72]" with "[15]-[22]"
1085: Rule 1 states "A person may read any record for which he or she is the designated patient." In Example 4.2.4.1, however, the policy-number in the medical record is compared with the policy-number attribute of the subject. This is slightly confusing.
1107: replace "scheams" with "schemas"
1131: replace "xpath-match" with "xpath-node-match"
1184: replace "authorization decision request such, that the value" with "authorization decision request, such that the value"
1201: insert "the" before "explicit value"
1296: replace "xpath-match" with "xpath-node-match"
1346: "md:parentGuardianId" doesn't exist in example medical record. It should be added.
1541: "md:physicianId" doesn't exist in example medical record. There is however a "registrationId". These should be made consistent.
1600: replace "exampes:attributes:group" with "example:attribute:role"
1604: replace "read" with "write"
1675: replace "xpath-match" with "xpath-node-match"
1726: replace ""read"" with ""read" or "write""
1933: remove duplicate "for the"
2225: insert ",action," after "resource"
2280: <SubjectAttributeDesignator> is missing
2333: replace "Shall" with "SHALL"
2384: replace "contains following attributes" with "contains the following attribute"
2434: insert "in" after "resulting"
2599: replace "Distingwished" with "Distinguished"
2704: replace "dn" with "DN"
3286: resource:resource-id is marked as Optional. Earlier, the spec specifies that "the <Resource> element MUST contain one and only one <Attribute> with AttributeId "urn:...:resource-id". This should probably be marked Mandatory, not Optional.
3920: replace "second" with "third"
4696: replace "CombinginAlogrithm" with "CombiningAlgorithm"

------- end of forwarded message -------

-- 
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
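General comments 2 and 3 of the forwarded review (a Target that matches on a Resource attribute the request context does not carry, and the three RequestContextPath spellings) as an added Python example; this is not code from the draft or from the reviewer. The namespace URIs, the target-namespace AttributeId and the record contents are constructed placeholders, since the page does not give the real values, and the XPath evaluation is the ElementTree subset rather than a full XACML PDP.

```python
import xml.etree.ElementTree as ET

NS = {"ctx": "urn:placeholder:context", "md": "urn:placeholder:medico"}  # placeholder URIs
TARGET_NS_ATTR = "urn:placeholder:target-namespace"  # AttributeId is elided on the page
# Constructed request context in the XACML shape Request/Resource/{ResourceContent,Attribute}.
REQUEST_XML = """<ctx:Request xmlns:ctx="urn:placeholder:context" xmlns:md="urn:placeholder:medico">
  <ctx:Resource>
    <ctx:ResourceContent><md:record><md:registrationId>constructed</md:registrationId></md:record></ctx:ResourceContent>
    <ctx:Attribute AttributeId="urn:placeholder:resource-id"><ctx:AttributeValue>record-1</ctx:AttributeValue></ctx:Attribute>
    {extra}
  </ctx:Resource>
</ctx:Request>"""
RCPS = ["//ctx:ResourceContent/md:record/",                          # Rule 1
        "/ctx:Request//ctx:ResourceContent/md:record/",              # Rule 2
        "/ctx:Request/ctx:Resource/ctx:ResourceContent/md:record/"]  # Rule 3

def parse_request(extra_attribute_xml=""):
    """Build the context, optionally with one more <Attribute> under <Resource>."""
    return ET.fromstring(REQUEST_XML.format(extra=extra_attribute_xml))

def resource_attribute_values(request, attribute_id):
    """What a <ResourceAttributeDesignator AttributeId=...> yields from this context."""
    return [v.text for a in request.findall("ctx:Resource/ctx:Attribute", NS)
            if a.get("AttributeId") == attribute_id
            for v in a.findall("ctx:AttributeValue", NS)]

def resource_match(request, attribute_id, expected):
    """Simplified <ResourceMatch> (string-equal against any designated value); an
    attribute absent from the context yields no values, so the Target never matches."""
    return expected in resource_attribute_values(request, attribute_id)

def resolve_rcp(request, rcp):
    """Evaluate a RequestContextPath with ElementTree's XPath subset: drop the trailing
    '/', take the document element as ctx:Request, and make the path relative."""
    path = rcp.rstrip("/")
    if path.startswith("/ctx:Request"):
        path = path[len("/ctx:Request"):]
    return request.findall("." + path, NS)

def demo():
    without = parse_request()
    with_ns = parse_request('<ctx:Attribute AttributeId="%s"><ctx:AttributeValue>'
                            'urn:placeholder:medico</ctx:AttributeValue></ctx:Attribute>' % TARGET_NS_ATTR)
    nodes = [resolve_rcp(without, rcp) for rcp in RCPS]
    return {
        "matches_without_attribute": resource_match(without, TARGET_NS_ATTR, "urn:placeholder:medico"),
        "matches_with_attribute": resource_match(with_ns, TARGET_NS_ATTR, "urn:placeholder:medico"),
        # all three spellings select exactly one node, and it is the same md:record element
        "rcps_select_same_node": all(len(n) == 1 for n in nodes) and len({id(n[0]) for n in nodes}) == 1,
    }
```

Running `demo()` shows the rule Target failing until the target-namespace attribute is added to the context, while the three RCP spellings select the same record node, so the inconsistency is one of form rather than of the node selected.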