OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] [schema] results of 26 July 2002 subcommittee meeting

    Posted 07-30-2002 01:15



    
    The following are my thoughts on the open issues.
    
    34. [Michiharu] XPath Subset
    
    Simon and I agreed that we don't place any restrictions on XPath usage
    in XACML 1.0. Instead, we will give some typical XPath uses in the spec
    as informational. We may define a subset for 1.1 or later.
    
    37. [Michiharu] Use of XPath with namespaces.
    
    We will explain this in usage examples.
    
    45. [All] Can AttributeDesignator be simpler than XPATH?
    
    For the AttributeDesignator without XPath, I feel I can live with any
    proposals posted on the list.
    
    49. [Michiharu] Which regular expression definition to use?
    
    Since Java 2 SDK 1.4 supports regular expressions, I think it is sufficient,
    while it is not XML Schema-compliant. If people prefer a regex that is
    XML Schema-compliant, Xerces (Apache XML Parser, free) supports this.
    
    Michiharu Kudo
    
    IBM Tokyo Research Laboratory, Internet Technology
    Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
    
    
    
    
                                                                                                                                      
    From:     Anne Anderson <Anne.Anderson@Sun.com>
    To:       XACML TC <xacml@lists.oasis-open.org>
    Subject:  [xacml] [schema] results of 26 July 2002 subcommittee meeting
    Date:     2002/07/27 01:03
    Reply-To: Anne.Anderson
    
    
    
    Title:   XACML schema issues
    Author:  Anne Anderson
    Version: 1.20, 02/07/26 (yy/mm/dd)
    Source:
    /net/labeast.east/files2/east/info/projects/isrg/xacml/docs/SCCS/s.SchemaIssues.txt
    
    
    Results of Schema Subcommittee Meeting 26 July 2002.
    Present: Anne, Michiharu, Daniel, Simon, Carlisle, Tim.
    
    Homework for Face-to-Face: study the issues that are still OPEN.
        Read and understand the specific proposals and related
        documents.
    
    ISSUES:
    
    34. [Michiharu] XPath Subset
        http://lists.oasis-open.org/archives/xacml/200207/msg00066.html
    
        Complexity, especially when namespace must be specified.  For
        simple XPATH, context schema must be flattened.  How to limit
        XPATH if using a general-purpose library.  Check in policy
        authoring tool.  Context can use any XPATH expression, but
        policy is limited.  Could XPATH evaluation be done on the
        requester side, with just the extracted elements be handed to
        the PDP?  Should context be designed without any attributes,
        in order to make XPATH simpler (just element /)?
    
        Simon: XPATH functions can take on functionality intended for
        XACML condition functions.
    
        OPEN: Simon and Michiharu will resolve this since they are
        the prime users of XPATH in XACML.
    
    36. [Anne] attribute references and indeterminate results
        Long, verbose, religious, tedious thread starts with:
          http://lists.oasis-open.org/archives/xacml/200207/msg00071.html
    
        Some sub-issues and options
    
        Order of evaluation
        a. In what order MUST arguments be evaluated
           1. Depends on the function: e.g. "or" vs. "orderedOr"
           2. Always implementation-dependent unless function
              specifies an order
           3. Always implementation-dependent
        b. MUST all arguments be evaluated?
           1. Yes
           2. No, if a result can be returned without evaluating all
           3. No, but regardless of order of evaluation, an error or
              missing information causes an exception
        c. MAY all arguments be evaluated (for purpose of reporting
           errors or unavailable information), even if not required
           to reach a function result?
           1. Yes
           2. No
    
        Operational errors
        a. Reporting of errors obtained while evaluating a request by PDP
           1. Reporting is optional
           2. Reporting is mandatory
           3. Reporting is not allowed
        b. Does an operational error
           1. Generate an exception that by-passes further evaluation
           2. Cause an error that is processed by the function
        c. What is the Response returned when an operational error occurs?
           1. Response value of INDETERMINATE
           2. Depends on the Function: value, INDETERMINATE
           3. Depends on Combining Algorithm: PERMIT, DENY, or INDETERMINATE
           4. New Response value of ERROR
        d. If operational errors are reported, how is the type of
           error reported?
           1. Reported via Simon's Status element in response
    
        Missing information
        a. Can a function ignore missing information if the function's
           semantics allow it to be evaluated without that
           information?
           1. Yes: e.g. OR(missing, true, false) can return true
           2. No: missing information generates an exception that
              by-passes further evaluation
        b. Can a function return INDETERMINATE?
           1. Yes: e.g. OR(missing, false, false) can return
              INDETERMINATE, since it MIGHT be true if "missing" were
              available.
           2. No: missing information generates an exception that is
              handled by the most immediate enclosing Combining
              Algorithm
           3. No: missing information must be translated into one of
              the values of the datatype that the function returns.
              Function semantics must specify what this is.
        c. How does a Combining Algorithm handle a Rule, etc. that
              returns INDETERMINATE?
           1. Pass up INDETERMINATE to next higher layer, eventually
              to the Response
           2. Specify via algorithm description how INDETERMINATE is
              handled.  E.g. Deny-Overrides maps INDETERMINATE to
              DENY.
        d. Must all information be supplied by the PEP?
           1. Yes.  Anything not in Request document supplied by PEP
              is INDETERMINATE.  XACML Request treated as physical
              document.
           2. No.  PDP MAY retrieve information not supplied by PEP.
              XACML Request treated as "notional" document.
    
        OPEN: Be prepared to choose options at Face-to-Face.
    
    37. [Michiharu] Use of XPath with namespaces.
        http://lists.oasis-open.org/archives/xacml/200207/msg00056.html
    
        Namespace URI functions and Global Name functions.  Another
        option: namespace prefix in the XPATH expression, but this
        needs some assumptions on the target document.
    
        OPEN: Perhaps turn this over to Simon and Michiharu along
        with #34?
    
    38. [Daniel] Split non-null-set-intersection function
        http://lists.oasis-open.org/archives/xacml/200207/msg00076.html [1)]
        [Tim] http://lists.oasis-open.org/archives/xacml/200207/msg00077.html
    
        Split non-null-set-intersection into intersection(list, list)
        - returning xs:list and non_null(list), returning boolean.
    
        CLOSED: split function as suggested.
    
    39. [Daniel] Add floor(decimal)
        http://lists.oasis-open.org/archives/xacml/200207/msg00076.html [2)]
        [Tim] http://lists.oasis-open.org/archives/xacml/200207/msg00077.html
    
        In addition to round(decimal), floor(decimal) is probably
        necessary
    
        [Tim] "function:integer" was intended to serve as floor(decimal).
    
        CLOSED: add floor(decimal).
    
    40. [Anne] Change XACML "Request" to "Query"?
        http://lists.oasis-open.org/archives/xacml/200207/msg00078.html [1.]
        [Tim] http://lists.oasis-open.org/archives/xacml/200207/msg00079.html
        [Daniel] http://lists.oasis-open.org/archives/xacml/200207/msg00080.html
    
        Eve Maler suggests we change the name of "Request" to "Query"
        to conform to SAML usage.
    
        CLOSED: leave as is.  Less change to existing documents and
        we are all used to this term.  No need to conform to SAML
        usage here.
    
    41. [Anne] Is a "notional" XML document for Request a good idea?
        http://lists.oasis-open.org/archives/xacml/200207/msg00078.html [2.]
        [Daniel] http://lists.oasis-open.org/archives/xacml/200207/msg00080.html
    
        CLOSED: notional XML document is not a problem.  In XML,
        everything is a virtual document anyway.  Note: how to
        specify "dynamic" attributes that are not supplied in the
        request from the PEP is a separate issue and is still not
        completely resolved.
    
    42. [Anne] ConditionType and ConditionIdType
        http://lists.oasis-open.org/archives/xacml/200207/msg00081.html
    
        What should we use for ConditionIdType when the ConditionType
        argument is a boolean Attribute or AttributeDesignator?
    
        CLOSED: Use function:true, which returns the value of its
        boolean argument.  Note: any function intended to always
        return TRUE for target matching must have a different Id, but
        that is separate from this issue.
    
    43. [Simon] What are the semantics of multiple subjects in a
        Request?
        [Anne] http://lists.oasis-open.org/archives/xacml/200207/msg00093.html
    
        CLOSED.  Anne's posting is adequate.
    
    44. [Simon] Schema for advice
        http://lists.oasis-open.org/archives/xacml/200207/msg00126.html
    
        OPEN.  Discuss at Face-to-Face.
    
    45. [All] Can AttributeDesignator be simpler than XPATH?
        [Anne] http://lists.oasis-open.org/archives/xacml/200207/msg00095.html
        [Simon] http://lists.oasis-open.org/archives/xacml/200207/msg00130.html
        [Michiharu] http://lists.oasis-open.org/archives/xacml/200207/msg00131.html
        [Simon example] http://lists.oasis-open.org/archives/xacml/200207/msg00152.html
    
        Simon: hard to match on Subject names since X500Name-equals
        functionality is not provided by XPATH.  Could extend XPATH
        with additional functions, but that is complex.
    
        Michiharu: Keep XPATH, even if optional.  Defining XPATH
        subset may not be useful if XPATH is optional.
    
        Simon: XPATH is not just selection, but also functions.  So
        subset may be useful.
    
        OPEN: All three proposals basically same approach.  Authors
        need to combine and present to group at Face-to-Face.
    
    46. [Anne] Replace saml:AssertionType with xacml:AssertionType
        http://lists.oasis-open.org/archives/xacml/200207/msg00097.html
    
        Error in mailing: "sequence" should be "choice".
    
        OPEN: Discuss at Face-to-Face.
    
    47. [Anne] Which date and time functions are mandatory for 1.0?
        http://lists.oasis-open.org/archives/xacml/200207/msg00116.html
        http://lists.oasis-open.org/archives/xacml/200207/msg00153.html
        [Michiharu] http://lists.oasis-open.org/archives/xacml/200207/msg00128.html
    
        Options:
        1. Any function that takes or returns a duration data type
           (yearMonthDuration, dayTimeDuration) is not mandatory.
        2. Any function that requires converting a date into a new
           date (such as by addition or subtraction of a duration) is
           not mandatory.  Any function that requires computing a
           duration by subtracting two dates is not mandatory.
        3. Not even any date comparisons.  No date-related functions
           at all.
    
        Simon's use case: policy wants attribute to be no older than
        5 hours.  Would have to do this in a private extension or in
        some optional compliance level.  We agreed this functionality
        is very important in policies, but too difficult to make it
        mandatory for 1.0.
    
        CLOSED: Option 1: Any function that takes or returns a
        duration data type (yearMonthDuration, dayTimeDuration) is
        not mandatory for XACML 1.0.
    
    48. [Anne] Reducing number of functions for 1.0
        http://lists.oasis-open.org/archives/xacml/200207/msg00118.html
    
        CLOSED.  Accept this proposal.
    
    49. [Michiharu] Which regular expression definition to use?
        http://lists.oasis-open.org/archives/xacml/200207/msg00129.html
        [Anne] http://lists.oasis-open.org/archives/xacml/200204/msg00132.html
    
        Options:
        1. Use definitions specified in XML Schema part 2: Datatypes,
           Appendix F Regular Expressions. (Bill says same as perl)
        2. Basic regular expressions (BRE) as defined in POSIX
           specification 2:
           http://www.opengroup.org/onlinepubs/007908799/xbd/re.html#tag_007_003
        3. Extended regular expressions (ERE) as defined in POSIX
           specification 2 (these add an "or" metacharacter so you
           can match on one of multiple separate regular expressions):
           http://www.opengroup.org/onlinepubs/007908799/xbd/re.html#tag_007_003
        4. Use whatever J2SE supports.
    
        OPEN: Anne (and any others) will investigate which
        definitions are implemented in freely available sources
        (e.g. J2SE).
    
    50. [Anne] Need xacml:dayTimeDuration and xacml:yearMonthDuration?
        http://lists.oasis-open.org/archives/xacml/200207/msg00133.html
    
        XML Schema Datatypes document mentions restricting Duration
        to dayTime or yearMonth, but does not actually specify such
        restrictions.  So do we need to define them within XACML?
    
        CLOSED: XPATH 2.0 defines these types (as derivations from
        xs Duration).  We will define xacml type like XPATH 2.0 does,
        but switch to an XML Schema definition if it becomes available.
    
    51. [Michiharu] XML Access Control Use Case
        http://lists.oasis-open.org/archives/xacml/200207/msg00132.html
    
        Is this a schema issue per se?  One extension required to
        basic schema: function:node-equal (same structure) and
        function:node-match (deep equal).  Follow XPATH 2.0 naming
        for functions.
    
        CLOSED: Accept Michiharu's proposal.
    
    52. [John Howard] Support OR in Target
        http://lists.oasis-open.org/archives/xacml-comment/200207/msg00000.html
    
        Supporting OR in Target, either explicitly or implicitly,
        would make merging Targets easier.
    
        Michiharu: important to support "Target Subject is manager OR
        Subject is secretary".  Currently need to handle this in
        Condition.
    
        OPEN: Defer until Face-to-Face.
    
    53. [Simon] Replace schema listing of functions with xs:QName
        http://lists.oasis-open.org/archives/xacml/200207/msg00148.html
    
        Means unable to check that function name has been spelled
        correctly, etc., but means functions are extensible.
    
        CLOSED: yes.
    
    54. [Simon] Use <AllSubjects>, <AllResources>, <AllActions> elements?
        http://lists.oasis-open.org/archives/xacml/200207/msg00149.html
    
        CLOSED: accept schema 16a definitions of these elements,
        except use <AnySubjects>, <AnyResources>, <AnyActions>.
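    The INDETERMINATE-handling options listed under issue 36 above, as an added
    illustration that is not part of this thread, the XACML specification, or any
    TC member's code.  It models "Missing information" options a.1/b.1 (a lenient
    OR) and a.2 (a strict OR), and contrasts combining option c.1 (pass
    INDETERMINATE up) with option c.2 as sketched in the minutes (Deny-Overrides
    maps INDETERMINATE to DENY).  All function names, the check ordering inside
    the combiners, and the request contexts are this example's own assumptions.

```python
"""Three-valued condition evaluation and rule combining with INDETERMINATE.

Added illustration of the options in issue 36 of the quoted minutes; this is not
XACML 1.0 specification text or any TC member's code.  Function and option
names are this example's own; the request contexts below are constructed.
"""
from enum import Enum

INDET = None  # expression-level "unknown": missing information or an error


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


def attr(ctx, name):
    """Stand-in for an AttributeDesignator.  Option d.1 of the minutes: only
    what the PEP put in the Request exists, so an absent attribute is INDET."""
    return ctx.get(name, INDET)


def eq(a, b):
    """Equality over possibly-missing operands; unknown in -> unknown out."""
    if a is INDET or b is INDET:
        return INDET
    return a == b


def or_lenient(*args):
    """Options a.1 / b.1: OR(missing, true, false) -> true, because a true
    argument decides the result whatever the missing one was;
    OR(missing, false, false) -> INDET, because it MIGHT have been true."""
    if any(a is True for a in args):
        return True
    if any(a is INDET for a in args):
        return INDET
    return False


def or_strict(*args):
    """Option a.2: missing information is an exception that by-passes the
    function entirely, even when another argument is already true."""
    if any(a is INDET for a in args):
        return INDET
    return any(a is True for a in args)


def evaluate_rule(effect, condition_value):
    """Map a condition result onto a rule decision."""
    if condition_value is True:
        return effect
    if condition_value is False:
        return Decision.NOT_APPLICABLE
    return Decision.INDETERMINATE


def deny_overrides_c1(decisions):
    """Option c.1: INDETERMINATE is passed up unchanged.  The ordering of the
    checks below is this example's assumption, not the minutes'."""
    if Decision.DENY in decisions:
        return Decision.DENY
    if Decision.INDETERMINATE in decisions:
        return Decision.INDETERMINATE
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    return Decision.NOT_APPLICABLE


def deny_overrides_c2(decisions):
    """Option c.2 as given in the minutes: Deny-Overrides maps INDETERMINATE
    to DENY, so a missing attribute fails closed."""
    if Decision.DENY in decisions or Decision.INDETERMINATE in decisions:
        return Decision.DENY
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    return Decision.NOT_APPLICABLE


# Constructed policy: managers or secretaries may act; restricted resources never.
RULES = [
    (Decision.PERMIT, lambda ctx: or_lenient(eq(attr(ctx, "role"), "manager"),
                                             eq(attr(ctx, "role"), "secretary"))),
    (Decision.DENY, lambda ctx: eq(attr(ctx, "resource-class"), "restricted")),
]


def decide(ctx, combiner, rules=RULES):
    """Evaluate every rule against the request context, then combine."""
    return combiner([evaluate_rule(effect, cond(ctx)) for effect, cond in rules])


if __name__ == "__main__":
    contexts = {
        "full": {"role": "manager", "resource-class": "public"},
        "no_role": {"resource-class": "public"},
        "no_class": {"role": "manager"},
    }
    for name, ctx in contexts.items():
        print(name, decide(ctx, deny_overrides_c1).value,
              decide(ctx, deny_overrides_c2).value)
```

    The "no_class" context is the instructive one: the Permit rule fires, but
    the Deny rule cannot be evaluated, so option c.1 reports INDETERMINATE
    while option c.2 denies outright.  Which of those a PEP should see is
    exactly the choice the minutes leave open for the Face-to-Face.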
    
    