OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Re: [xacml-comment] Test IIB025

  • 1.  [xacml] Re: [xacml-comment] Test IIB025

    Posted 11-26-2002 20:30
    [XACML TC people - check me on this, please]

    On 26 November, tony wilson writes: [xacml-comment] Test IIB025
    > This test appears to be designed to illustrate a subject-id mismatch
    > between the Subject in the Context Request ('Julius Hibbert'), and that
    > in the Policy's Rule Target ('Julius'). This would lead to a 'not
    > applicable' Response.
    > However, the Subject Attribute in the Context Request does not specify
    > an Issuer, whereas the
    > SubjectAttributeDesignator in the Rule Target does specify an Issuer.
    > From my reading of the Attribute matching portion of the spec (section
    > 7.9.1), this should mean that the two attributes do not match and their
    > values therefore cannot be compared. As the PDP will thus be unable to
    > resolve the correct subject-id attribute from the policy, the response
    > should therefore be 'indeterminate'. Is this a correct interpretation?

    The SubjectAttributeDesignator will "look for" a context attribute that matches on all the XML attributes in the SubjectAttributeDesignator, in this case, AttributeId, Issuer, and DataType. If there is no Attribute in the context that matches on all of these, then the SubjectAttributeDesignator returns an empty bag. Since there is no "MustBePresent" XML attribute in the SubjectAttributeDesignator of IIB025Policy.xml, the result of the <SubjectMatch> is "false", not "Indeterminate", and the policy is "NotApplicable".

    Anne Anderson
    --
    Anne H. Anderson               Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
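
The designator lookup described in the reply above, sketched as an added example that is not part of the original message, the XACML specification, or the conformance test files. The Issuer value `example-issuer` is a placeholder (the real value is not on this page), the class and function names are hypothetical, and the `MustBePresent="true"` and no-Issuer branches go beyond the IIB025 case to show the neighbouring outcomes.

```python
from dataclasses import dataclass
from typing import List, Optional

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

class Indeterminate(Exception):
    """A designator marked MustBePresent found no matching attribute."""

@dataclass
class Attribute:  # one <Attribute> of the Subject in the request context
    attribute_id: str
    data_type: str
    value: str
    issuer: Optional[str] = None

@dataclass
class Designator:  # a <SubjectAttributeDesignator> in the policy target
    attribute_id: str
    data_type: str
    issuer: Optional[str] = None
    must_be_present: bool = False

    def resolve(self, context: List[Attribute]) -> List[str]:
        """Return the bag of values matching on every XML attribute given."""
        bag = [a.value for a in context
               if a.attribute_id == self.attribute_id
               and a.data_type == self.data_type
               and (self.issuer is None or a.issuer == self.issuer)]
        if not bag and self.must_be_present:
            raise Indeterminate(self.attribute_id)
        return bag

def target_result(designator: Designator, literal: str,
                  context: List[Attribute]) -> str:
    """Evaluate one string-equal SubjectMatch and report the target outcome."""
    try:
        bag = designator.resolve(context)
    except Indeterminate:
        return "Indeterminate"
    # An empty bag offers nothing to compare, so the match is plainly false.
    return "TargetMatches" if any(v == literal for v in bag) else "NotApplicable"

# Constructed request: subject-id without an Issuer, as the test is described.
REQUEST = [Attribute(SUBJECT_ID, XS_STRING, "Julius Hibbert")]
# Placeholder Issuer (assumption); MustBePresent is absent, so it is False.
POLICY = Designator(SUBJECT_ID, XS_STRING, issuer="example-issuer")

if __name__ == "__main__":
    print(target_result(POLICY, "Julius", REQUEST))
```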