OASIS eXtensible Access Control Markup Language (XACML) TC

  2.0 compatibility

    Posted 08-24-2007 11:53
    All,
    
    Previously we have said that an XACML 3.0 PDP MUST be able to work with 
    2.0 policies as well. I propose that we instead make this optional.
    
    I don't see the need to force 2.0 on all implementations. Implementers 
    should be free to implement 3.0 only if they wish.
    
    I am also worried about the technical issues with xpath based policies 
    when mixing a 2.0 policy and a 3.0 request context. It is difficult 
    (impossible perhaps?) in general to do it in an automated fashion since any 
    xpaths in the 2.0 policy need to be rewritten to the new request context 
    schema. In general it is very difficult to locate and understand all 
    these xpaths since they might for instance be dynamically generated or 
    use complex forms.
    
    Alternatively one might think that translating the 3.0 request context 
    into a 2.0 request context whenever the xpath is derived from a 2.0 
    policy could be a solution, but since the 3.0 request context is a 
    superset of the 2.0 one, this is not easy either. It might work in a sense 
    though, since if the 3.0 request context does not translate back to a 
    2.0 request context, the 2.0 policy might be nonsensical anyway, but it 
    seems very complex, and not something we should mandate in all cases.
    
    We should still describe the 2.0 -> 3.0 translation in the spec, for 
    those who wish to do it and who have simple policies which are easy to 
    translate.
    
    Regards,
    Erik
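The rewriting problem Erik describes, shown on a concrete pair of request contexts. This is an added example and not part of the TC post or of any XACML implementation: it builds a constructed 2.0 request, carries the same subject attribute into a 3.0 request (using the published 2.0 "os" and 3.0 "wd-17" schema namespaces), and shows that an XPath written for the 2.0 layout returns nothing against the 3.0 layout until it is rewritten for the new container structure. The `translate_20_to_30` helper is an assumed, simplified mapping that covers only the four standard 2.0 containers and plain attribute values; the `x:` prefix is just ElementTree's way of binding the namespace and is not the prefix a real policy would use.

```python
"""Added example: why a XACML 2.0 request-context XPath breaks against a 3.0
request context, and what a rewritten 3.0 XPath looks like."""
import xml.etree.ElementTree as ET

NS2 = "urn:oasis:names:tc:xacml:2.0:context:schema:os"      # 2.0 context schema
NS3 = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"      # 3.0 core schema
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# 2.0 container element -> 3.0 Attributes/@Category (standard categories only)
CATEGORY_FOR = {
    "Subject": SUBJECT_CAT,
    "Resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "Action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "Environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}

# Constructed 2.0 request context: one subject attribute, empty other containers.
REQUEST_20 = f"""<Request xmlns="{NS2}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STRING}">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
  </Subject>
  <Resource/>
  <Action/>
  <Environment/>
</Request>"""

# XPath in the style of a 2.0 AttributeSelector RequestContextPath (prefix "x"
# is bound to the request namespace below). Note DataType sits on Attribute.
XPATH_20 = f"./x:Subject/x:Attribute[@AttributeId='{SUBJECT_ID}']/x:AttributeValue"

# The same selection rewritten for the 3.0 layout: category container instead
# of Subject, and DataType has moved onto AttributeValue.
XPATH_30 = (f"./x:Attributes[@Category='{SUBJECT_CAT}']"
            f"/x:Attribute[@AttributeId='{SUBJECT_ID}']/x:AttributeValue")


def select(request_xml, xpath, ns):
    """Evaluate an ElementTree-style XPath against a request; return value texts."""
    root = ET.fromstring(request_xml)
    return [e.text for e in root.findall(xpath, {"x": ns})]


def translate_20_to_30(request_xml):
    """Assumed simplified 2.0 -> 3.0 request translation: each 2.0 container
    becomes an <Attributes Category=...>, DataType moves from <Attribute> to
    <AttributeValue>. ResourceContent and non-standard containers are dropped."""
    ET.register_namespace("", NS3)
    old = ET.fromstring(request_xml)
    new = ET.Element(f"{{{NS3}}}Request",
                     {"ReturnPolicyIdList": "false", "CombinedDecision": "false"})
    for container in old:
        local = container.tag.split("}")[1]
        if local not in CATEGORY_FOR:
            continue
        # 2.0 <Subject> may carry an explicit SubjectCategory; default is access-subject.
        category = container.get("SubjectCategory", CATEGORY_FOR[local])
        attrs = ET.SubElement(new, f"{{{NS3}}}Attributes", {"Category": category})
        for attr in container.findall(f"{{{NS2}}}Attribute"):
            a = ET.SubElement(attrs, f"{{{NS3}}}Attribute",
                              {"AttributeId": attr.get("AttributeId"),
                               "IncludeInResult": "false"})
            if attr.get("Issuer"):
                a.set("Issuer", attr.get("Issuer"))
            for val in attr.findall(f"{{{NS2}}}AttributeValue"):
                v = ET.SubElement(a, f"{{{NS3}}}AttributeValue",
                                  {"DataType": attr.get("DataType")})
                v.text = val.text
    return ET.tostring(new, encoding="unicode")


if __name__ == "__main__":
    req30 = translate_20_to_30(REQUEST_20)
    print("2.0 xpath on 2.0 request:", select(REQUEST_20, XPATH_20, NS2))  # ['alice']
    print("2.0 xpath on 3.0 request:", select(req30, XPATH_20, NS3))       # []
    print("3.0 xpath on 3.0 request:", select(req30, XPATH_30, NS3))       # ['alice']
```

The unrewritten 2.0 path silently selects nothing rather than failing, which is the practical hazard: a policy that used to match an attribute simply stops matching. The rewrite above only covers a literal, statically known path; paths assembled dynamically or using axes other than child steps need case-by-case work, and in 3.0 an AttributeSelector's Path is in any case evaluated against a category's `<Content>` element rather than the request root, so even a mechanically rewritten path may not be what the 3.0 policy author wants.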