MHonArc v2.5.2 -->
xacml message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [Elist Home]
Subject: Re: [xacml] [schema] results of 26 July 2002 subcommittee meeting
The following is my thought on open issues.
34: [Michiharu] XPath Subset
Simon and I agreed that we don't place any restrictions on XPath usage
in XACML 1.0. Instead, we will give some typical XPath uses in the spec
as informational. We may define a subset for 1.1 or later.
37. [Michiharu] Use of XPath with namespaces.
We will explain this in usage examples.
45. [All] Can AttributeDesignator be simpler than XPATH?
For the AttributeDesignator without XPath, I feel I can live with any
proposals posted on the list.
49. [Michiharu] Which regular expression definition to use?
Since Java 2 SDK 1.4 supports regular expression, I think it is sufficient
while it is not XML Schema compliant. If people prefer regex that is
XML Schema-compliant, Xerces (Apache XML Parser, free) supports this.
Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
Anne Anderson
<Anne.Anderson@Su To: XACML TC <xacml@lists.oasis-open.org>
n.com> cc:
Subject: [xacml] [schema] results of 26 July 2002 subcommittee meeting
2002/07/27 01:03
Please respond to
Anne.Anderson
Title: XACML schema issues
Author: Anne Anderson
Version: 1.20, 02/07/26 (yy/mm/dd)
Source:
/net/labeast.east/files2/east/info/projects/isrg/xacml/docs/SCCS/s.SchemaIssues.txt
Results of Schema Subcommittee Meeting 26 July 2002.
Present: Anne, Michiharu, Daniel, Simon, Carlisle, Tim.
Homework for Face-to-Face: study the issues that are still OPEN.
Read and understand the specific proposals and related
documents.
ISSUES:
34. [Michiharu] XPath Subset
http://lists.oasis-open.org/archives/xacml/200207/msg00066.html
Complexity, especially when namespace must be specified. For
simple XPATH, context schema must be flattened. How to limit
XPATH if using a general-purpose library. Check in policy
authoring tool. Context can use any XPATH expression, but
policy is limited. Could XPATH evaluation be done on the
requester side, with just the extracted elements be handed to
the PDP? Should context be designed without any attributes,
in order to make XPATH simpler (just element /)?
Simon: XPATH functions can take on functionality intended for
XACML condition functions.
OPEN: Simon and Michiharu will resolve this since they are
the prime users of XPATH in XACML.
36. [Anne] attribute references and indeterminate results
Long, verbose, religious, tedious thread starts with:
http://lists.oasis-open.org/archives/xacml/200207/msg00071.html
Some sub-issues and options
Order of evaluation
a. In what order MUST arguments be evaluated
1. Depends on the function: e.g. "or" vs. "orderedOr"
2. Always implementation-dependent unless function
specifies an order
3. Always implementation-dependent
b. MUST all arguments be evaluated?
1. Yes
2. No, if a result can be returned without evaluating all
3. No, but regardless of order of evaluation, an error or
missing information causes an exception
c. MAY all arguments be evaluated (for purpose of reporting
errors or unavailable information), even if not required
to reach a function result?
1. Yes
2. No
Operational errors
a. Reporting of errors obtained while evaluating a request by PDP
1. Reporting is optional
2. Reporting is mandatory
3. Reporting is not allowed
b. Does an operational error
1. Generate an exception that by-passes further evaluation
2. Cause an error that is processed by the function
c. What is the Response returned when an operational error occurs?
1. Response value of INDETERMINATE
2. Depends on the Function: value, INDETERMINATE
2. Depends on Combining Algorithm: PERMIT, DENY, or INDETERMINATE
3. New Response value of ERROR
d. If operational errors are reported, how is the type of
error reported?
1. Reported via Simon's Status element in response
Missing information
a. Can a function ignore missing information if the function's
semantics allow it to be evaluated without that
information?
1. Yes: e.g. OR(missing, true, false) can return true
2. No: missing information generates an exception that
by-passes further evaluation
b. Can a function return INDETERMINATE?
1. Yes: e.g. OR(missing, false, false) can return
INDETERMINATE, since it MIGHT be true if "missing" were
available.
2. No: missing information generates an exception that is
handled by the most immediate enclosing Combining
Algorithm
3. No: missing information must be translated into one of
the values of the datatype that the function returns.
Function semantics must specify what this is.
c. How does a Combining Algorithm handle a Rule, etc. that
returns INDETERMINATE?
1. Pass up INDETERMINATE to next higher layer, eventually
to the Response
2. Specify via algorithm description how INDETERMINATE is
handled. E.g. Deny-Overrides maps INDETERMINATE to
DENY.
d. Must all information be supplied by the PEP?
1. Yes. Anything not in Request document supplied by PEP
is INDETERMINATE. XACML Request treated as physical
document.
2. No. PDP MAY retrieve information not supplied by PEP.
XACML Request treated as "notional" document.
OPEN: Be prepared to choose options at Face-to-Face.
37. [Michiharu] Use of XPath with namespaces.
http://lists.oasis-open.org/archives/xacml/200207/msg00056.html
Namespace URI functions and Global Name functions. Another
option: namespace prefix in the XPATH expression, but this
needs some assumptions on the target document.
OPEN: Perhaps turn this over to Simon and Michiharu along
with #34?
38. [Daniel] Split non-null-set-intersection function
http://lists.oasis-open.org/archives/xacml/200207/msg00076.html [1)]
[Tim] http://lists.oasis-open.org/archives/xacml/200207/msg00077.html
Split non-null-set-intersection into intersection(list, list)
- returning xs:list and non_null(list), returning boolean.
CLOSED: split function as suggested.
39. [Daniel] Add floor(decimal)
http://lists.oasis-open.org/archives/xacml/200207/msg00076.html [2)]
[Tim] http://lists.oasis-open.org/archives/xacml/200207/msg00077.html
In addition to round(decimal), floor(decimal) is probably
necessary
[Tim] "function:integer" was intended to serve as floor(decimal).
CLOSED: add floor(decimal).
40. [Anne] Change XACML "Request" to "Query"?
http://lists.oasis-open.org/archives/xacml/200207/msg00078.html [1.]
[Tim] http://lists.oasis-open.org/archives/xacml/200207/msg00079.html
[Daniel]
http://lists.oasis-open.org/archives/xacml/200207/msg00080.html
Eve Maler suggests we change the name of "Request" to "Query"
to conform to SAML usage.
CLOSED: leave as is. Less change to existing documents and
we are all used to this term. No need to conform to SAML
usage here.
41. [Anne] Is a "notional" XML document for Request a good idea?
http://lists.oasis-open.org/archives/xacml/200207/msg00078.html [2.]
[Daniel]
http://lists.oasis-open.org/archives/xacml/200207/msg00080.html
CLOSED: notional XML document is not a problem. In XML,
everything is a virtual document anyway. Note: how to
specify "dynamic" attributes that are not supplied in the
request from the PEP is a separate issue and is still not
completely resolved.
42. [Anne] ConditionType and ConditionIdType
http://lists.oasis-open.org/archives/xacml/200207/msg00081.html
What should we use for ConditionIdType when the ConditionType
argument is a boolean Attribute or AttributeDesignator?
CLOSED: Use function:true, which returns the value of its
boolean argument. Note: any function intended to always
return TRUE for target matching must have a different Id, but
that is separate from this issue.
43. [Simon] What are the semantics of multiple subjects in a
Request?
[Anne]http://lists.oasis-open.org/archives/xacml/200207/msg00093.html
CLOSED. Anne's posting is adequate.
44. [Simon] Schema for advice
http://lists.oasis-open.org/archives/xacml/200207/msg00126.html
OPEN. Discuss at Face-to-Face.
45. [All] Can AttributeDesignator be simpler than XPATH?
[Anne] http://lists.oasis-open.org/archives/xacml/200207/msg00095.html
[Simon] http://lists.oasis-open.org/archives/xacml/200207/msg00130.html
[Michiharu]
http://lists.oasis-open.org/archives/xacml/200207/msg00131.html
[Simon example]
http://lists.oasis-open.org/archives/xacml/200207/msg00152.html
Simon: hard to match on Subject names since X500Name-equals
functionality is not provided by XPATH. Could extend XPATH
with additional functions, but that is complex.
Michiharu: Keep XPATH, even if optional. Defining XPATH
subset may not be useful if XPATH is optional.
Simon: XPATH is not just selection, but also functions. So
subset may be useful.
OPEN: All three proposals basically same approach. Authors
need to combine and present to group at Face-to-Face.
46. [Anne] Replace saml:AssertionType with xacml:AssertionType
http://lists.oasis-open.org/archives/xacml/200207/msg00097.html
Error in mailing: "sequence" should be "choice".
OPEN: Discuss at Face-to-Face.
47. [Anne]Which date and time functions are mandatory for 1.0?
http://lists.oasis-open.org/archives/xacml/200207/msg00116.html
http://lists.oasis-open.org/archives/xacml/200207/msg00153.html
[Michiharu]
http://lists.oasis-open.org/archives/xacml/200207/msg00128.html
Options:
1. Any function that takes or returns a duration data type
(yearMonthDuration, dayTimeDuration) is not mandatory.
2. Any function that requires converting a date into a new
date (such as by addition or subtraction of a duration) is
not mandatory. Any function that requires computing a
duration by subtracting two dates is not mandatory
3. Not even any date comparisons. No date-related functions
at all.
Simon's use case: policy wants attribute to be no older than
5 hours. Would have to do this in a private extension or in
some optional compliance level. We agreed this functionality
is very important in policies, but too difficult to make it
mandatory for 1.0.
CLOSED: Option 1: Any function that takes or returns a
duration data type (yearMonthDuration, dayTimeDuration) is
not mandatory for XACML 1.0.
48. [Anne] Reducing number of functions for 1.0
http://lists.oasis-open.org/archives/xacml/200207/msg00118.html
CLOSED. Accept this proposal.
49. [Michiharu] Which regular expression definition to use?
http://lists.oasis-open.org/archives/xacml/200207/msg00129.html
[Anne]http://lists.oasis-open.org/archives/xacml/200204/msg00132.html
Options:
1. Use definitions specified in XML Schema part 2: Datatypes,
Appendix F Regular Expressions. (Bill says same as perl)
2. Basic regular expressions (BRE) as defined in POSIX
specification 2:
http://www.opengroup.org/onlinepubs/007908799/xbd/re.html#tag_007_003
3. Extended regular expressions (ERE) as defined in POSIX
specification 2 (these add an "or" metacharacter so you
can match on one of multiple separate regular expressions)
http://www.opengroup.org/onlinepubs/007908799/xbd/re.html#tag_007_003
4. Use whatever J2SE supports.
OPEN: Anne (and any others) will investigate which
definitions are implemented in freely available sources
(e.g. J2SE).
50. [Anne] Need xacml:dayTimeDuration and xacml:yearMonthDuration?
http://lists.oasis-open.org/archives/xacml/200207/msg00133.html
XML Schema Datatypes document mentions restricting Duration
to dayTime or yearMonth, but does not actually specify such
restrictions. So do we need to define them within XACML?
CLOSED: XPATH 2.0 defines these types (as derivations from from
xs Duration). We will define xacml type like XPATH 2.0 does,
but switch to an XML Schema definition if it becomes available.
51. [Michiharu] XML Access Control Use Case
http://lists.oasis-open.org/archives/xacml/200207/msg00132.html
Is this a schema issue per se? One extension required to
basic schema: function:node-equal (same structure) and
function:node-match (deep equal). Follow XPATH 2.0 naming
for functions.
CLOSED: Accept Michiharu's proposal.
52. [John Howard] Support OR in Target
http://lists.oasis-open.org/archives/xacml-comment/200207/msg00000.html
Supporting OR in Target, either explicitly or implicitly,
would make merging Targets easier.
Michiharu: important to support "Target Subject is manager OR
Subject is secretary". Currently need to handle this in
Condition.
OPEN: Defer until Face-to-Face.
53. [Simon] Replace schema listing of functions with xs:QName
http://lists.oasis-open.org/archives/xacml/200207/msg00148.html
Means unable to check that function name has been spelled
correctly, etc., but means functions are extensible.
CLOSED: yes.
54. [Simon] Use <AllSubjects>, <AllResources>, <AllActions> elements?
http://lists.oasis-open.org/archives/xacml/200207/msg00149.html
CLOSED: accept schema 16a definitions of these elements,
except use <AnySubjects>, <AnyResources>, <AnyActions>.
----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [Elist Home]
Powered by eList eXpress LLC