All,
Previously we have said that an XACML 3.0 PDP MUST be able to work with
2.0 policies as well. I propose that we instead make this optional.
I don't see the need to force 2.0 on all implementations. Implementers
should be free to implement 3.0 only if they wish.
I am also worried about the technical issues with xpath based policies
when mixing a 2.0 policy and a 3.0 request context. It is difficult
(impossible perhaps?) in general to do it in an automated fashion since any
xpaths in the 2.0 policy need to be rewritten to the new request context
schema. In general it is very difficult to locate and understand all
these xpaths since they might for instance be dynamically generated or
use complex forms.
Alternatively one might think that translating the 3.0 request context
into a 2.0 request context whenever the xpath is derived from a 2.0
policy could be a solution, but since the 3.0 request context is a
superset of the 2.0 one, this is not easy either. It might work in a sense
though, since if the 3.0 request context does not translate back to a
2.0 request context, the 2.0 policy might be nonsensical anyway, but it
seems very complex, and not something we should mandate in all cases.
We should still describe the 2.0 -> 3.0 translation in the spec, for
those who wish to do it and who have simple policies which are easy to
translate.
Regards,
Erik
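As an added illustration of the rewriting problem described in the message above (example code, not from the thread or the TC): a 3.0 AttributeSelector names a Category and a Path relative to that category's Content element, whereas a 2.0 RequestContextPath was an absolute path over the whole request context. The rewriter assumes the usual xacml-context prefix binding and the 2.0 layout in which only Resource carried ResourceContent; it maps the one simple shape and refuses anything it cannot map safely.

```python
import re

# In 2.0 only Resource/ResourceContent carried user XML; in 3.0 every Attributes
# element may carry a Content element, and an AttributeSelector names a Category
# plus a Path evaluated relative to that category's Content.
RESOURCE_CATEGORY = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"

# The one shape a mechanical rewrite can handle: an absolute 2.0 path that walks
# Request/Resource/ResourceContent and then into the user content. The
# xacml-context prefix is an assumption; a real policy may bind another prefix.
_SIMPLE_20_PATH = re.compile(
    r"^/xacml-context:Request/xacml-context:Resource/"
    r"xacml-context:ResourceContent/(?P<rest>.+)$"
)

# Constructs whose target cannot be recovered statically: descendant steps,
# parent steps, any explicit axis, and node-set functions that reach outside
# the content subtree. Refusing these is deliberate; guessing would silently
# change what the policy matches.
_COMPLEX_MARKERS = ("//", "..", "::", "id(", "document(")


class UntranslatablePath(ValueError):
    """A 2.0 RequestContextPath that cannot be rewritten without human review."""


def rewrite_20_selector(request_context_path: str) -> tuple:
    """Map a 2.0 AttributeSelector RequestContextPath to a 3.0 (Category, Path)."""
    m = _SIMPLE_20_PATH.match(request_context_path)
    if m is None:
        raise UntranslatablePath(f"not a simple ResourceContent path: {request_context_path}")
    rest = m.group("rest")
    if any(marker in rest for marker in _COMPLEX_MARKERS):
        raise UntranslatablePath(f"complex XPath form, needs manual rewrite: {rest}")
    return RESOURCE_CATEGORY, rest


def translate_paths(paths):
    """Split a policy's selector paths into those rewritten and those refused."""
    rewritten, refused = {}, []
    for path in paths:
        try:
            rewritten[path] = rewrite_20_selector(path)
        except UntranslatablePath:
            refused.append(path)
    return rewritten, refused
```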