For people operating in an X.509 Attribute Certificate environment, or
supporting some kind of assertion format other than saml, it would be
nice if XACML did not force people to support SAML.

Currently, we have the following saml artifacts:

- PolicySetAssertion and PolicyAssertion in PolicySetType are of type
  saml:AssertionType
- PolicySetStatementType extends saml:StatementAbstractType
- PolicyStatementType extends saml:StatementAbstractType

Why not define XACML:AssertionType as follows:

    <complexType name="AssertionType">
      <sequence>
        <element ref="xacml:PolicySetStatement"/>
        <element ref="xacml:PolicyStatement"/>
      </sequence>
      <attribute name="MajorVersion" type="integer" use="optional"/>
      <attribute name="MinorVersion" type="integer" use="optional"/>
      <attribute name="AssertionID" type="xs:anyURI" use="optional"/>
      <attribute name="Issuer" type="string" use="optional"/>
      <attribute name="IssueInstant" type="dateTime" use="optional"/>
    </complexType>

And remove the "xs:extension base="saml:StatementAbstractType" from
PolicySetStatementType and PolicyStatementType.

Now, it is still very easy to map saml Assertions to XACML, it is
easier to ensure that when we use an xacml:AssertionType that it is
either a PolicySetStatement or a PolicyStatement, and it is no longer
necessary to support SAML.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
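
Added example, not part of the original message: the mapping from a saml:Assertion to the proposed type, written in Python, copying the five attributes and rejecting any statement that is not a PolicySetStatement or PolicyStatement. The namespace URIs, the xacml:Assertion element name and the sample assertion are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions for this example; the message does not give them.
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
XACML = "urn:oasis:names:tc:xacml:1.0:policy"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
ATTRS = ("MajorVersion", "MinorVersion", "AssertionID", "Issuer", "IssueInstant")
ALLOWED = {f"{{{XACML}}}PolicySetStatement", f"{{{XACML}}}PolicyStatement"}
# The proposed type has no slot for these, so the caller must verify the
# signature and evaluate the conditions before the mapping drops them.
DROPPED = {f"{{{SAML}}}Conditions", f"{{{SAML}}}Advice", f"{{{DSIG}}}Signature"}

# Constructed sample input (not taken from the message).
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:xacml="{XACML}"
  MajorVersion="1" MinorVersion="0" AssertionID="urn:example:a1"
  Issuer="pap.example.org" IssueInstant="2002-06-01T12:00:00Z">
  <xacml:PolicyStatement/>
</saml:Assertion>"""


def saml_to_xacml(saml_xml: str) -> ET.Element:
    """Map a saml:Assertion onto the proposed xacml AssertionType."""
    # For untrusted input, parse with a hardened parser such as defusedxml.
    src = ET.fromstring(saml_xml)
    if src.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a saml:Assertion")
    out = ET.Element(f"{{{XACML}}}Assertion")  # hypothetical element name
    for name in ATTRS:  # all five attributes are optional in the proposal
        if name in src.attrib:
            out.set(name, src.attrib[name])
    for child in src:
        if child.tag in ALLOWED:
            out.append(child)
        elif child.tag not in DROPPED:  # e.g. saml:AuthenticationStatement
            raise ValueError(f"unsupported statement: {child.tag}")
    if len(out) == 0:
        raise ValueError("assertion carries no policy statement")
    return out
```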