CHANGE REQUEST:

1. B.5 Subject attributes: Change initial paragraph from:

   "These identifiers indicate attributes of a subject. At most one of each of these attributes is associated with each subject. Each attribute associated with authentication relates to the same authentication event."

   To:

   "These identifiers indicate attributes of a subject. When used, they SHALL appear within a <Subject> element of the Request Context. They SHALL be accessed via a SubjectAttributeDesignator, a QualifiedSubjectAttributeDesignator, or an AttributeSelector pointing into a <Subject> element of the Request Context. At most one of each of these attributes is associated with each subject. Each attribute associated with authentication included within a single <Subject> element relates to the same authentication event."

2. B.6 Resource attributes: Add introductory sentence saying:

   "These identifiers indicate attributes of the resource being accessed. When used, they SHALL appear within the <Resource> element of the Request Context. They SHALL be accessed via a ResourceAttributeDesignator or an AttributeSelector pointing into the <Resource> element of the Request Context."

3. B.7 Action attributes: Add introductory sentence saying:

   "These identifiers indicate attributes of the resource being accessed. When used, they SHALL appear within the <Action> element of the Request Context. They SHALL be accessed via an ActionAttributeDesignator or an AttributeSelector pointing into the <Action> element of the Request Context."

4. B.8 Environment attributes: Add introductory sentence saying:

   "These identifiers indicate attributes of the environment within which the request is to be evaluated. When used, they SHALL appear within the <Resource> element of the Request Context. They SHALL be accessed via an EnvironmentAttributeDesignator or an AttributeSelector pointing into the <Environment> element of the Request Context."

RATIONALE: The way in which these attributes are to be used is not explicitly stated anywhere. While the names imply a usage, it would be more clear to implementors if the usage were more explicit.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
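
Added example, not part of the original message or of the XACML specification: a small check that a context handler could run on a Request Context to confirm that each standard Appendix B identifier sits in the element its category names, and that no identifier is repeated within one <Subject>. It assumes the XACML 1.0 identifier prefix and context namespace, and that environment identifiers belong in <Environment> (the accessor sentence of item 4); the function name and the sample request are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"  # XACML 1.0 request context namespace
PREFIX = "urn:oasis:names:tc:xacml:1.0:"      # prefix of the Appendix B identifiers
# Identifier category -> element it must appear in. Mapping "environment" to
# <Environment> is an assumption taken from the accessor sentence of item 4.
HOME = {"subject": "Subject", "resource": "Resource",
        "action": "Action", "environment": "Environment"}

def check_request(xml_text):
    """Return a list of attribute placement violations in a Request Context."""
    problems = []
    root = ET.fromstring(xml_text)
    for section in root:                       # <Subject>, <Resource>, ...
        name = section.tag.split("}")[-1]
        seen = set()                           # reset for every <Subject>
        for attr in section.iter("{%s}Attribute" % CTX):
            attr_id = attr.get("AttributeId", "")
            if not attr_id.startswith(PREFIX):
                continue                       # not a standard identifier
            category = attr_id[len(PREFIX):].split(":")[0]
            expected = HOME.get(category)
            if expected and expected != name:
                problems.append("%s found in <%s>, expected <%s>"
                                % (attr_id, name, expected))
            # B.5: at most one of each attribute per subject
            if name == "Subject" and attr_id in seen:
                problems.append("%s repeated within one <Subject>" % attr_id)
            seen.add(attr_id)
    return problems

# Constructed sample (DataType and AttributeValue children omitted for brevity):
# subject-id appears twice and resource-id is misplaced under <Subject>.
SAMPLE = """<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"/>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"/>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
  </Action>
</Request>"""

if __name__ == "__main__":
    for line in check_request(SAMPLE):
        print(line)
```

For requests that arrive from untrusted callers, parse with a hardened XML parser (for example defusedxml) before running a check like this.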