OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Proposal for changed context node for xpaths in 3.0

    Posted 01-30-2008 15:43
    All,
    
    At the previous TC call I promised to write up a concrete proposal for 
    changing the context node of xpaths in XACML 3.0. This (long) email 
    provides such a proposal and explains the benefits.
    
    I do not propose any changes for the XACML 2.0 errata, since this change 
    would break many 2.0 policies. 3.0 would not lose any functionality 
    which is available in 2.0, but policies have to be expressed slightly 
    differently.
    
    The motivation for the change is to allow for some kinds of 
    optimizations which are possible when xpaths and attribute designators 
    are separate and when xpaths are categorized (by attribute category) so 
    the PDP can say something about where in the request context the xpath 
    could apply. See the end of this email for a discussion of these 
    optimizations.
    
    I would also like to include some normative text which restricts the 
    form of the xpath. I want to prevent xpaths from "climbing" outside the 
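    As an added illustration, not part of Erik's mail or of any XACML TC artifact, the Python below does what the proposal describes in spirit: a policy XPath is tagged with an attribute category, evaluated relative to that category's content node only, and refused outright if its form could climb out of that node (absolute paths, `..`, parent/ancestor/preceding/following axes). The request layout, the category URIs and the element names are constructed for the example, not taken from the XACML schema.

```python
"""Added example: evaluate a category-scoped XPath against a request context
and reject expressions that could escape the category's content node.
The request layout and the category URIs below are constructed, not XACML's."""
import re
import xml.etree.ElementTree as ET

# Constructed request context: two attribute categories, each carrying its own
# content node. The Category values are hypothetical placeholders.
REQUEST_XML = """
<Request>
  <Attributes Category="urn:example:category:subject">
    <Content><user><role>nurse</role><ward>3</ward></user></Content>
  </Attributes>
  <Attributes Category="urn:example:category:resource">
    <Content><record><ward>3</ward><sensitivity>high</sensitivity></record></Content>
  </Attributes>
</Request>
"""

# Any of these lets an expression leave the subtree rooted at the context node.
# The check is lexical and deliberately strict: a '..' inside a string literal
# is also rejected, which is the safe side for a policy language.
ESCAPING = re.compile(
    r"\.\."
    r"|\b(?:parent|ancestor|ancestor-or-self"
    r"|preceding|preceding-sibling|following|following-sibling)::"
)


def is_confined_xpath(expr: str) -> bool:
    """True if expr is relative and uses no axis that climbs out of the context node."""
    expr = expr.strip()
    if not expr or expr.startswith("/"):   # absolute path: rooted at the document, not the node
        return False
    return ESCAPING.search(expr) is None


def context_node(request: ET.Element, category: str) -> ET.Element:
    """Return the Content element of the Attributes element with the given category."""
    for attrs in request.findall("Attributes"):
        if attrs.get("Category") == category:
            content = attrs.find("Content")
            if content is not None:
                return content
    raise LookupError(f"no Content node for category {category!r}")


def select(request_xml: str, category: str, expr: str) -> list:
    """Evaluate expr with the category's Content element as context node.

    Returns the text of each selected element. Raises ValueError before any
    evaluation if the expression's form could reach outside that node.
    """
    if not is_confined_xpath(expr):
        raise ValueError(f"xpath not confined to its category content: {expr!r}")
    root = ET.fromstring(request_xml)
    node = context_node(root, category)
    # ElementTree's findall evaluates a limited, relative XPath subset from `node`.
    return [(elem.text or "") for elem in node.findall(expr)]


if __name__ == "__main__":
    subj = "urn:example:category:subject"
    print(select(REQUEST_XML, subj, "user/role"))          # ['nurse']
    for bad in ("../../Attributes//sensitivity", "/Request//ward", "user[ancestor::Request]"):
        try:
            select(REQUEST_XML, subj, bad)
        except ValueError as err:
            print("rejected:", err)
```

    Because the category is known before evaluation, a PDP can resolve the context node once per category and skip the XPath entirely when the request carries no content for that category, which is the kind of optimization the mail alludes to.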
    


  • 2.  Re: [xacml] Proposal for changed context node for xpaths in 3.0

    Posted 02-16-2008 07:04
    Just bumping this up to the agenda for the next TC call.
    
    Regards,
    Erik
    
    
    Erik Rissanen wrote:
    > All,
    >
    > At the previous TC call I promised to write up a concrete proposal for 
    > changing the context node of xpaths in XACML 3.0. This (long) email 
    > provides such a proposal and explains the benefits.
    >
    > I do not propose any changes for the XACML 2.0 errata, since this 
    > change would break many 2.0 policies. 3.0 would not lose any 
    > functionality which is available in 2.0, but policies have to be 
    > expressed slightly differently.
    >
    > The motivation for the change is to allow for some kinds of 
    > optimizations which are possible when xpaths and attribute designators 
    > are separate and when xpaths are categorized (by attribute category) 
    > so the PDP can say something about where in the request context the 
    > xpath could apply. See the end of this email for a discussion of these 
    > optimizations.
    >
    > I would also like to include some normative text which restricts the 
    > form of the xpath. I want to prevent xpaths from "climbing" outside 
    > the