OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Comments on admin spec aka delegation profile

    Posted 09-14-2007 22:16
    Hi Erik,
    
    Based on discussion of 2.0->3.0 and use of the Categories
    in the admin spec, I have gone thru the admin spec and assembled
    the following comments. Most are typos and questions that I had
    reading the text that did not have obvious answers without looking
    at the whole thing and making deductions. However, I left those
    questions in the comments below to be considered as suggestions
    for clarifying the text for readers. Also there are a couple of
    items for the core spec. Finally, I rev'd v17 accidentally, but then
    checked and it appears v18 is simply the AnyOf, AllOf replacement
    so the line numbers did not change.
    
    imo, the spec looks pretty solid, but I'd like to make sure that I
    understand things correctly. In fact, my overall suggestion is that
    section 4 be beefed up considerably with clear concepts that
    would be helpful reading the rest of the spec. As it is now, what
    I found was that it was very obscure and difficult to understand
    until I walked thru the example, which is very good, notwithstanding
    the comments that I made to it below.
    
    Comments:
    
    	comments on Delegation profile
    
    	page 1: should it be called the 
    
    		XACML v3.0 Administration and Delegation Profile
    
    	  or something more descriptive of what it actually is than
    	  the current title, "Administrative Policy", indicates?
    
    	core spec line 2154 should this say "policy" instead of "policy set"?
    
    	core spec line 1966, 1968 should 


  • 2.  Re: [xacml] Comments on admin spec aka delegation profile

    Posted 09-16-2007 09:00
    Hi Rich,
    
    Thanks a lot for the detailed review and comments! See responses inline.
    
    Best regards, Erik
    
    Rich Levinson wrote:
    > Hi Erik,
    >
    > Based on discussion of 2.0->3.0 and use of the Categories
    > in the admin spec, I have gone thru the admin spec and assembled
    > the following comments. Most are typos and questions that I had
    > reading the text that did not have obvious answers without looking
    > at the whole thing and making deductions. However, I left those
    > questions in the comments below to be considered as suggestions
    > for clarifying the text for readers. Also there are a couple of
    > items for the core spec. Finally, I rev'd v17 accidentally, but then
    > checked and it appears v18 is simply the AnyOf, AllOf replacement
    > so the line numbers did not change.
    
    Yes, it's easy to miss the latest version. Since Anne left, nobody is 
    updating the web page. We need to find someone to do the updates.
    
    > imo, the spec looks pretty solid, but I'd like to make sure that I
    > understand things correctly. In fact, my overall suggestion is that
    > section 4 be beefed up considerably with clear concepts that
    > would be helpful reading the rest of the spec. As it is now, what
    > I found was that it was very obscure and difficult to understand
    > until I walked thru the example, which is very good, notwithstanding
    > the comments that I made to it below.
    
    Actually section 4 used to be longer, but I thought it was so obscure 
    already, so I just gave up on it and made it shorter. As the text used 
    to be, it used different terminology than the rest of the doc and tried 
    to define the basic operations of the processing model in a couple of 
    sentences. This just didn't work.
    
    I suggest that we do not attempt to make a summary of the processing 
    model. Instead we can rewrite section 4 to explain the basic principle 
    that policy must be traced back to a trusted source, but don't try to 
    explain any of the technical details here. It is understood better from 
    the actual processing model, which itself is just a few pages long 
    anyway and the example.
    
    Here is a proposal for an updated text for section four:
    
    ***
    The purpose of the delegation model is to make it possible to express 
    permissions about the right to issue policies and to verify issued 
    policies against these permissions.
    
    A policy may contain a 


  • 3.  Re: [xacml] Comments on admin spec aka delegation profile

    Posted 09-17-2007 12:39
    Hi Erik,
    
    I am just starting to go thru your comments, but fyi, the core version
    I am looking at is xacml-3.0-core-spec-wd-04-en.doc from
    the wd4 zip file. The sections are 5.13 


  • 4.  Re: [xacml] Comments on admin spec aka delegation profile

    Posted 09-17-2007 13:05
    Hi Rich,
    
    Thanks, I found them now. I also see now why I couldn't find the