OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  MAD conceptual model

    Posted 10-16-2009 14:59
    Attachment: mad-desc.txt (9 KB)


  • 2.  RE: [xacml] MAD conceptual model

    Posted 10-16-2009 15:58
    Attachment: mad-desc.txt (9 KB)


  • 3.  Re: [xacml] MAD conceptual model

    Posted 10-23-2009 08:56
    Paul, All,
    
    I find this proposal hard to follow because it mixes all the different 
    schemes into a single long description. I agree that the spec currently 
    lacks a good summary of in which order the various transforms should be 
    done, but I think it is better to describe each transformation of a 
    multiple request in a separate section, in a more modular fashion. Also, 
    I have a preference for doing the Cartesian product of repeated 
    categories before the scope transformation. I just find that easier to 
    work with mentally, but that might be a personal preference. :-)
    
    I would propose something like this (with some material stolen from Paul):
    
    This profile specifies four different schemes by which multiple requests 
    for authorization decisions can be encoded into a single XACML 


  • 4.  Re: [xacml] MAD conceptual model

    Posted 10-22-2009 12:49
    Paul,
    
    I have not had the time to review all the proposed changes yet, but 
    regarding question 2 below: the namespace context of an xpath expression 
    data type is already defined by the current core draft. From section 
    A.2, page 101, line 3888 (PDF CD-1):
    
    "When the value is encoded in an 


  • 5.  RE: [xacml] MAD conceptual model

    Posted 10-22-2009 13:16


  • 6.  Re: [xacml] MAD conceptual model

    Posted 10-22-2009 13:27
    Tyson, Paul H wrote:
    > However, there appears to be some motivation for defining it better in
    > the Policy evaluation model, to allow more predictable xpath
    > resource-ids to be generated for multiple decision requests, to
    > facilitate regexp matching.  That is, the policy writer would be able to
    > specify what namespace prefixes will be used, so that rules testing the
    > string value of the xpath expression can be written without regard to
    > the namespace binding used in the request.  I'm not terribly sympathetic
    > with this, because I haven't seen a good XACML use case for it.  But on
    > principle, any module that deals with xml namespaces ought to be free to
    > define its own set of bindings to insulate itself from external changes.
    >   
    
    Paul,
    
    There are possibilities in XPath to write expressions which do not use 
    namespace prefixes at all.
    
    For instance:
    
    *[local-name()='Foo'][namespace-uri()='http://example.com/bar'][3]
    
    (Pardon me if I got it slightly wrong. My XPath skills are a bit rusty 
    at the moment.)
    
    Best regards,
    Erik
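
    The point made in the exchange above (a resource-id that is an XPath expression
    text changes from request to request when it depends on the requester's prefix
    binding, but not when it uses local-name()/namespace-uri()) can be shown with a
    small script. The following is an added example, not code from the XACML TC
    thread or the XACML specification. The two request documents, the id attributes
    and the policy regex are constructed for illustration. Python's standard
    ElementTree has no XPath 1.0 engine (the local-name()/namespace-uri()
    predicates are not supported), so the prefix-free selection is evaluated in
    the equivalent Clark notation '{uri}local', which also keys on the namespace
    URI rather than the prefix.

```python
"""Prefix-bound vs prefix-free XPath resource-ids (added example, not from the thread)."""
import re
import xml.etree.ElementTree as ET

BAR_NS = "http://example.com/bar"

# Constructed sample requests: identical content, the same namespace URI
# bound to a different prefix in each document.
REQUEST_A = """<root xmlns:bar="http://example.com/bar">
  <bar:Foo id="1"/><bar:Foo id="2"/><bar:Foo id="3"/>
</root>"""
REQUEST_B = """<root xmlns:b="http://example.com/bar">
  <b:Foo id="1"/><b:Foo id="2"/><b:Foo id="3"/>
</root>"""

# Hypothetical policy rule: a regexp over the string value of the resource-id,
# written once by the policy author against the prefix-free form.
POLICY_REGEX = (
    r"^\*\[local-name\(\)='Foo'\]"
    r"\[namespace-uri\(\)='http://example\.com/bar'\]\[\d+\]$"
)


def prefixed_xpath(doc: str) -> str:
    """Build 'prefix:Foo[3]' with whatever prefix the request bound to BAR_NS.

    This is the form Paul worries about: its text depends on the requester's
    namespace binding, so a regexp in the policy cannot be written against it.
    """
    for m in re.finditer(r'xmlns:(\w+)="([^"]+)"', doc):
        if m.group(2) == BAR_NS:
            return f"{m.group(1)}:Foo[3]"
    raise ValueError("namespace not declared in request")


def prefix_free_xpath() -> str:
    """Erik's form: no prefix, so the text is the same for every request."""
    return f"*[local-name()='Foo'][namespace-uri()='{BAR_NS}'][3]"


def select_third_foo(doc: str) -> str:
    """Evaluate the prefix-free selection and return the id of the hit.

    Clark notation '{uri}Foo[3]' is ElementTree's namespace-URI-based match,
    equivalent here to the local-name()/namespace-uri() predicates plus [3].
    """
    root = ET.fromstring(doc)
    hits = root.findall(f"{{{BAR_NS}}}Foo[3]")
    if len(hits) != 1:
        raise LookupError(f"expected one match, got {len(hits)}")
    return hits[0].get("id")


def rule_matches(resource_id: str) -> bool:
    """Would the constructed policy regexp accept this resource-id string?"""
    return re.fullmatch(POLICY_REGEX, resource_id) is not None


if __name__ == "__main__":
    for name, doc in (("A", REQUEST_A), ("B", REQUEST_B)):
        bound = prefixed_xpath(doc)
        free = prefix_free_xpath()
        print(f"request {name}: prefixed={bound!r} matches rule={rule_matches(bound)}")
        print(f"request {name}: prefix-free matches rule={rule_matches(free)} "
              f"selects id={select_third_foo(doc)}")
```

    Running it shows the prefixed resource-id text differs between the two
    requests ('bar:Foo[3]' vs 'b:Foo[3]') and fails the rule's regexp in both
    cases, while the prefix-free text is identical, passes the regexp, and still
    selects the same node (id 3) in both documents.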