1. [Anne] Definition of xacml:DecisionType
   http://lists.oasis-open.org/archives/xacml/200207/msg00010.html
   Decision: "Effect" and "FulfilOn" will be restricted to "Permit" and "Deny"

3. [Anne] Optional <Target> in Rule (since often same as Policy)
   http://lists.oasis-open.org/archives/xacml/200207/msg00011.html
   [optional in v15]
   Options:
   a. Optional <Target> in Rule (already optional in 15g): semantics ::= "match"
   b. Define <Target> to be a choice of
      1. urn:oasis:...:anyTarget, or
      2. <Subject>...</Subject>,<Resource>...</Resource>,...
      and use 1. for this case.
   c. Use <Subject>urn:oasis:...:any</Subject>, <Resource>urn:oasis:...:any</Resource> for this case.
   Decision: Decide on Monday

5. [Michiharu] SubjectId Format attribute optional?
   http://lists.oasis-open.org/archives/xacml/200207/msg00009.html [1)]
   [required in v15]
   NameQualifier is an administrative domain.
   Format is the syntax of the name (e.g. the defining standard): "X500Name", "RFC822Name".
   Format: optional, or mandatory (with "unknown" allowed as a value)?
   Note: policies may not check the Format, so why are we requiring it? Mandatory in Policy?
   Decision: optional, but default value is "String"

6. [Michiharu] Namespace attribute in AttributeMetaData optional?
   http://lists.oasis-open.org/archives/xacml/200207/msg00009.html [2)]
   [required in v15]
   Namespace attribute in AttributeMetaData where the attribute comes from SAML Evidence.
   Decision: Both required. For SAML Evidence: AttributeName is "Evidence" and AttributeNamespace is "SAML".

7. [Michiharu] AuthenticationInfo element 0-unbounded?
   http://lists.oasis-open.org/archives/xacml/200207/msg00009.html [3)]
   [0 or 1 in v15]
   Treat any SAML AuthenticationInfo as one or more Subject Attributes (full SAML Assertion as value)?
   Decision: AuthenticationInfo element 0-unbounded

8. [Michiharu] Action element needs a URI Namespace and String Action value?
   http://lists.oasis-open.org/archives/xacml/200207/msg00009.html [4)]
   Decision: yes.

12. [Anne] Just Attribute (AttributeMetaData and AttributeValue) and AttributeSelector (XPATH)
    http://lists.oasis-open.org/archives/xacml/200207/msg00012.html
    Decision: v15 schema fixes this satisfactorily: Attribute is different in Context (Metadata and value) and Policy (value), and AttributeDesignator (selector) is used only in Policy.

13. [Michiharu] Operators
    http://lists.oasis-open.org/archives/xacml/200207/msg00017.html [Tim's list]
    http://lists.oasis-open.org/archives/xacml/200207/msg00023.html
    http://lists.oasis-open.org/archives/xacml/200207/msg00031.html [v15 spec list]
    http://lists.oasis-open.org/archives/xacml/200207/msg00041.html
    Decision: Use Tim's list, to be augmented with Set functions.
    Two (or more) Compliance Profiles:
    a. Duration functions not required
    b. Duration functions required

14. [Michiharu] Type promotion
    http://lists.oasis-open.org/archives/xacml/200207/msg00017.html
    Decision: we are happy with Michiharu's promotions and think this solves the "numeric" conversion problem.

15. [Daniel] mapping "numeric"
    http://lists.oasis-open.org/archives/xacml/200207/msg00033.html
    Decision: probably just an issue for floating point values, which are not commonly used in policies, so not a big issue. Daniel and others with concerns are welcome to propose a method for mapping these if they still see issues.

16. [Anne] Target matching:
    a. Just use XPATH?
    b. Use XPATH for AttributeDesignator plus a specified value to be matched, plus an implied xacml:equals operator?
    c. As in b, but specify the operator?
    http://lists.oasis-open.org/archives/xacml/200207/msg00018.html [Michiharu response]
    http://lists.oasis-open.org/archives/xacml/200207/msg00032.html
    a. XPATH can return 0 nodes, 1 node, or multiple nodes (specify ALL or ANY match; XPath 2.0 does not support this). Example: point to "role" AttributeName. Want to match "at least one".
    b. A node can be structured in depth (XPath 2.0 supports "sequence-deep-equal"); similar to our [@Format="x" and Value="y"]
    Decision: XPATH, value, plus use the correct "equals" for the types specified [as in v15]. Must use the "standard" "equals" function for the data type, but we will not spell out what that function is except for xml base types. For example, for comparing an X500 Distinguished Name, the implementation would be expected to support the standard X500 DN MatchingRule.
    Decision: Where multiple Subjects or Resources elements occur in a Target, then ALL the specified matches must be satisfied.
    Decision: Where the AttributeDesignator in a single Subjects or Resources element returns multiple nodes, then the match is satisfied if at least one of the returned nodes matches the supplied comparison value.
    Decide Monday on whether sequence-deep-equal is supported.

17. [Anne] Target matching
    a. ANY
    b. ALL
    c. Specify
    http://lists.oasis-open.org/archives/xacml/200207/msg00018.html [Michiharu response]
    http://lists.oasis-open.org/archives/xacml/200207/msg00032.html
    Decision: ALL match for multiple Subjects or Resources elements; AT-LEAST-ONE match for multiple nodes within a single Subjects or Resources element.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
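An evaluator for the target-matching semantics decided in items 16 and 17 (ALL across the Subjects/Resources elements of a Target, at-least-one across the nodes a single designator returns, and a type-specific "equals" per data type), written as an added example that is not part of the original message or of any TC document. The context layout, the Match structure and the simplified X.500 DN comparison are assumptions made for the illustration.

```python
# Evaluator for the target-matching decisions in items 16 and 17 (constructed
# example, not TC code). Context: categories -> attribute name -> list of node
# values, because an AttributeDesignator may return 0, 1 or many nodes.
from dataclasses import dataclass

def string_equal(a, b):
    return a == b

def integer_equal(a, b):
    return int(a) == int(b)

def x500_name_equal(a, b):
    # Stand-in for the X.500 DN matching rule (an assumption, deliberately
    # simplified): compare RDNs case-insensitively, ignoring surrounding spaces.
    def norm(dn):
        return [tuple(p.strip().lower() for p in rdn.split("=", 1))
                for rdn in dn.split(",")]
    return norm(a) == norm(b)

# "Standard" equals function per data type; spelled out for base types only.
EQUALS = {"String": string_equal, "Integer": integer_equal,
          "X500Name": x500_name_equal}

@dataclass
class Match:
    category: str           # "Subject" or "Resource" element of the Target
    attribute: str          # AttributeName the designator selects
    value: str              # comparison value written in the policy
    format: str = "String"  # data type; default "String" (item 5)

def designator_nodes(context, match):
    return context.get(match.category, {}).get(match.attribute, [])

def match_satisfied(context, match):
    # At-least-one: some node returned by the designator equals the value.
    eq = EQUALS[match.format]
    return any(eq(node, match.value) for node in designator_nodes(context, match))

def target_matches(context, target):
    # ALL: every Subjects/Resources match element in the Target is satisfied.
    return all(match_satisfied(context, m) for m in target)

# Constructed sample request context: the "role" designator returns two nodes.
CONTEXT = {"Subject": {"role": ["clerk", "auditor"],
                       "subject-id": ["CN=Bob Smith, O=Example Corp, C=US"]},
           "Resource": {"resource-id": ["ledger-2002"]}}
TARGET = [Match("Subject", "role", "auditor"),
          Match("Subject", "subject-id", "cn=bob smith,o=example corp,c=us", "X500Name"),
          Match("Resource", "resource-id", "ledger-2002")]
```

A designator that returns zero nodes (for example an attribute absent from the context) never satisfies its match element, so the whole Target fails under the ALL rule.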