All,
The dnsName and ipAddress datatypes are missing from the list of data
types identifiers in the conformance section. Their corresponding bag
functions as missing as well (type-one-and-only, etc).
Unless there are objections, I will update the errata and the next 3.0
working draft by adding the following identifiers:
urn:oasis:names:tc:xacml:2.0:data-type:ipAddress
urn:oasis:names:tc:xacml:2.0:data-type:dnsName
urn:oasis:names:tc:xacml:2.0:function:ipAddress-one-and-only
urn:oasis:names:tc:xacml:2.0:function:dnsName-one-and-only
urn:oasis:names:tc:xacml:2.0:function:ipAddress-bag-size
urn:oasis:names:tc:xacml:2.0:function:dnsName-bag-size
urn:oasis:names:tc:xacml:2.0:function:ipAddress-is-in
urn:oasis:names:tc:xacml:2.0:function:dnsName-is-in
urn:oasis:names:tc:xacml:2.0:function:ipAddress-bag
urn:oasis:names:tc:xacml:2.0:function:dnsName-bag
Note that I am using "2.0" in the identifiers since they are for 2.0
data types, although the general section on bag functions just mentions
"1.0". I think that section should also be updated.
For instance, it says:
· urn:oasis:names:tc:xacml:1.0:function:type-one-and-only
This function SHALL take a bag of ‘type’ values as an argument and SHALL
return a value
of ‘-type’. It SHALL return the only value in the bag. If the bag does
not have one and only
one value, then the expression SHALL evaluate to "Indeterminate".
It should say urn:oasis:names:tc:xacml:X.X:function:type-one-and-only,
as it already says in other similar places.
For the other data types there are also set functions, such as union,
intersection, etc. There are no set functions on dnsName and ipAddress
in the list of function identifiers. I am not sure if that is by design
or by mistake. The definitions of the set functions depend on the
definition of the -equal function for the particular data type. But,
there are no -equal functions defined for ipAddress and dnsName. There
are -regexp-match for them though, so it might be by design. I suspect
that it's a mistake. If so, the following identifiers need to be added
as well:
urn:oasis:names:tc:xacml:2.0:function:ipAddress-equal
urn:oasis:names:tc:xacml:2.0:function:dnsName-equal
urn:oasis:names:tc:xacml:2.0:function:ipAddress-intersection
urn:oasis:names:tc:xacml:2.0:function:dnsName-intersection
urn:oasis:names:tc:xacml:2.0:function:ipAddress-at-least-one-member-of
urn:oasis:names:tc:xacml:2.0:function:dnsName-at-least-one-member-of
urn:oasis:names:tc:xacml:2.0:function:ipAddress-union
urn:oasis:names:tc:xacml:2.0:function:dnsName-union
urn:oasis:names:tc:xacml:2.0:function:ipAddress-subset
urn:oasis:names:tc:xacml:2.0:function:dnsName-subset
urn:oasis:names:tc:xacml:2.0:function:ipAddress-set-equals
urn:oasis:names:tc:xacml:2.0:function:dnsName-set-equals
Regards,
Erik