Please comment on the following before Monday's editing session so that a final version may be presented at that time.

-Anne

Proposed text for new section in Appendix A, to follow A.2 Primitive types.

A.3 Structured types

An XACML <AttributeValue> MAY contain an instance of a structured XML data type, for example <ds:KeyInfo>. XACML 1.0 supports three ways of comparing such <AttributeValue>s.

1) In some cases, such an <AttributeValue> may be compared using one of the XACML string functions, such as regexp-string-match, described below. This requires the structured data, including its tags and attributes, to be treated as an <xs:string>. In general, this method will not be adequate unless the structured data type is quite simple.

2) An <AttributeSelector> element may be used to select the value of a leaf sub-element of the structured data type. That value may then be compared using one of the supported XACML functions appropriate for its primitive data type.

3) An <AttributeSelector> element may be used to select the value of any node in the structured type. This node may then be compared using one of the XPath-based functions described below.

Methods 2) and 3) require support for optional XACML features (XPath expressions and XPath functions) by the PDP.

A fourth alternative is for a community of XACML users to define separate attribute identifiers for each leaf sub-element of a given structured data type. Using these identifiers, the Context Handlers used by that community of users can flatten instances of the structured data type into a sequence of <Attribute>s. Each such <Attribute> will have an <AttributeValue> that is an instance of one of the XACML-supported primitive Datatypes, and thus can be compared using the XACML-supported functions.

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
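
The fourth alternative in the proposed text, a Context Handler flattening a structured value into primitive-typed <Attribute>s, shown as an added example that is not part of the original message. The identifier prefix `urn:example:xacml:attribute:keyinfo`, the path-based naming scheme and the sample <ds:KeyInfo> are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
CTX = "urn:oasis:names:tc:xacml:1.0:context"
XS = "http://www.w3.org/2001/XMLSchema#"
# Hypothetical community-defined identifier prefix (assumption, not from XACML).
ID_PREFIX = "urn:example:xacml:attribute:keyinfo"
# Leaves that are not plain strings; every other leaf is typed xs:string.
DATATYPES = {"X509SerialNumber": XS + "integer"}

# Constructed sample input.
SAMPLE_KEYINFO = f"""<ds:KeyInfo xmlns:ds="{DS}">
  <ds:KeyName>alice-signing-key</ds:KeyName>
  <ds:X509Data>
    <ds:X509SubjectName>CN=Alice,O=Example</ds:X509SubjectName>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=Example CA</ds:X509IssuerName>
      <ds:X509SerialNumber>4097</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
  </ds:X509Data>
</ds:KeyInfo>"""

def flatten(xml_text):
    """Return [(attribute_id, datatype, value)] per leaf, in document order."""
    out = []
    def walk(node, path):
        children = list(node)
        if not children:  # leaf: one attribute; repeated leaves share an id (a bag)
            name = path[-1] if path else ""
            out.append((":".join([ID_PREFIX] + path),
                        DATATYPES.get(name, XS + "string"), (node.text or "").strip()))
        for child in children:
            walk(child, path + [child.tag.rsplit("}", 1)[-1]])
    walk(ET.fromstring(xml_text), [])
    return out

def to_attributes(triples):
    """Serialize each triple as a request-context <Attribute> element."""
    elems = []
    for attr_id, datatype, value in triples:
        a = ET.Element(f"{{{CTX}}}Attribute", AttributeId=attr_id, DataType=datatype)
        ET.SubElement(a, f"{{{CTX}}}AttributeValue").text = value
        elems.append(ET.tostring(a, encoding="unicode"))
    return elems

if __name__ == "__main__":
    for xml in to_attributes(flatten(SAMPLE_KEYINFO)):
        print(xml)
```

Flattening by leaf discards XML attributes and element order within the structure, so a policy can no longer tell which X509IssuerName belongs to which X509SerialNumber when several are present. A Context Handler that parses <ds:KeyInfo> from untrusted requesters should use a hardened parser such as defusedxml rather than plain ElementTree.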