
Re: Schema for “XACML Profile” (was: CfC: Policy Profile: XACML FPWD)

From: Dominique Hazael-Massieux <dom@w3.org>
Date: Tue, 22 Jun 2010 14:43:49 +0200
To: public-device-apis <public-device-apis@w3.org>
Message-ID: <1277210629.1845.735.camel@localhost>
Le mardi 22 juin 2010 à 13:25 +0200, Dominique Hazael-Massieux a écrit :
> Oh, indeed, I had missed that:
> http://bondi.omtp.org/1.1/security/bondixml.rnc.txt
> 
> It looks more complete, but also less strict vis a vis the spec than my
> own attempt; I'll look into integrating my additions to that base schema
> and send it to the list.

There it is (it depends on the XML Signature schema, not included here).

Dom

# RELAX NG DTD-compatibility annotations. The `a:defaultValue` annotations
# below record the value a processor is expected to assume when the
# optional attribute is absent; validation itself does not insert it.
namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0"

# Root for a signed document: exactly one `Signature` element (supplied by
# the included xmldsig schema) plus at least one policy-set or policy, placed
# either before or after the signature. Schema validation only checks that
# the element is present and well-placed; which policies the signature
# covers, and whether it verifies, is entirely up to the processor.
signed-policy =
  element signed-policy {
    signed-policy.attlist,
    ((Signature, (policy-set | policy)+)
     | ((policy-set | policy)+, Signature, (policy-set | policy)*))
  }
# No attributes; `&=` leaves room for an extension schema to add some.
signed-policy.attlist &= empty

# Container for nested policy-sets and policies, with an optional target.
policy-set =
  element policy-set {
    policy-set.attlist, target?, (policy-set | policy)*
  }
# `combine` names the algorithm used to merge the children's results (the
# semantics come from the profile text, not this schema); when absent the
# annotated default is "deny-overrides". Note that the policy-set vocabulary
# ("first-matching-target") differs from the policy-level one
# ("first-applicable") in the `policy` definition.
policy-set.attlist &=
  [ a:defaultValue = "deny-overrides" ]
  attribute combine {
    "deny-overrides" | "permit-overrides" | "first-matching-target"
  }?,
  attribute id { text }?

# A policy: optional target followed by any number of rules (zero rules
# is schema-valid).
policy = element policy { policy.attlist, target?, rule* }
# `combine` merges the rules' results; absent means "deny-overrides".
# `description` is free text and `id` is an unconstrained string (no
# uniqueness is enforced by the schema).
policy.attlist &=
  [ a:defaultValue = "deny-overrides" ]
  attribute combine {
    "deny-overrides" | "permit-overrides" | "first-applicable"
  }?,
  attribute description { text }?,
  attribute id { text }?

# A rule: an optional condition and an effect. A rule without a condition
# always applies.
rule = element rule { rule.attlist, condition? }
# `effect` is optional and its annotated default is "permit", i.e. the most
# permissive value in the list: a rule that omits the attribute grants
# rather than denies. Writing the attribute explicitly avoids relying on
# that default.
rule.attlist &=
  [ a:defaultValue = "permit" ]
  attribute effect {
    "permit"
    | "prompt-blanket"
    | "prompt-session"
    | "prompt-oneshot"
    | "deny"
  }?

# A target is one or more subjects; resource and environment constraints
# are only expressible inside a rule's condition in this schema.
target = element target { target.attlist, subject+ }
target.attlist &= empty

# A subject is a non-empty list of subject-match elements.
subject = element subject { subject.attlist, subject-match+ }
subject.attlist &= empty

# A condition is a non-empty, recursively nestable group of matches.
condition =
  element condition {
    condition.attlist,
    (condition | subject-match | resource-match | environment-match)+
  }
# `combine` is "and" or "or"; absent means "and", so an unannotated
# condition requires every child to match.
condition.attlist &=
  [ a:defaultValue = "and" ] attribute combine { "and" | "or" }?

# Attributes shared by the three *-match elements. `match` is an
# unconstrained string; `func` selects how it is compared and defaults to
# "glob". The schema places no bound on the size or complexity of a
# "glob" or "regexp" value, so a processor evaluating policies from an
# untrusted source should apply its own limits.
match-attrs =
  attribute match { text }?,
  [ a:defaultValue = "glob" ]
  attribute func { "equal" | "glob" | "regexp" }?

# Subject match: plain text content only (unlike resource-match and
# environment-match, which accept attribute references via match-model),
# plus the shared match attributes and a constrained `attr` name.
subject-match = element subject-match { subject-match.attlist, text }
subject-match.attlist &= match-attrs
subject-match.attlist &= subject-attr-attr

# Mixed content for resource-match/environment-match: text interleaved with
# any number of attribute-reference elements.
match-model = (text | subject-attr | resource-attr | environment-attr)*

# Resource match: mixed content (see match-model) plus the shared match
# attributes and a constrained `attr` name.
resource-match =
  element resource-match { resource-match.attlist, match-model }
resource-match.attlist &= match-attrs
resource-match.attlist &= resource-attr-attr

# Environment match: mixed content (see match-model) plus the shared match
# attributes and a constrained `attr` name.
environment-match =
  element environment-match { environment-match.attlist, match-model }
environment-match.attlist &= match-attrs
environment-match.attlist &= environment-attr-attr

# Allowed subject attribute names. XSD patterns are anchored, so the value
# must be exactly one of the listed names, optionally followed by a
# URI-component selector. The pattern does not tie the selector to the
# URI-valued names, so e.g. "class.host" is schema-valid even though it
# is unlikely to be meaningful; the processor has to reject such cases.
subject-attr-attr = attribute attr { xsd:string { pattern = "(class|install-uri|id|version|distributor-key-cn|distributor-key-fingerprint|distributor-key-root-cn|distributor-key-root-fingerprint|author-key-cn|author-key-fingerprint|author-key-root-cn|author-key-root-fingerprint|widget-attr:name|uri|sign-schema|uri-top|key-root-cn|key-root-fingerprint)(\.scheme|\.authority|\.scheme-authority|\.host|\.path)?" } }
# Empty element that references a subject attribute by name.
subject-attr = element subject-attr { subject-attr.attlist, empty }
subject-attr.attlist &= subject-attr-attr
# Empty element that references a resource attribute by name.
resource-attr = element resource-attr { resource-attr.attlist, empty }
# Allowed resource attribute names. "param:NAME" selects a named parameter;
# NAME is limited to ASCII letters, digits and underscore and must not start
# with a digit. As with subject-attr-attr, the optional URI-component suffix
# is accepted after any of the names.
resource-attr-attr = attribute attr { xsd:string { pattern = "(api-feature|device-cap|(param:[A-Z_a-z][0-9A-Z_a-z]*)|feature-install-uri|feature-key-cn|feature-key-root-cn|feature-key-root-fingerprint)(\.scheme|\.authority|\.scheme-authority|\.host|\.path)?" } }
resource-attr.attlist &= resource-attr-attr
# Empty element that references an environment attribute by name.
environment-attr =  element environment-attr { environment-attr.attlist, empty }
# Only two environment attributes exist, and no URI-component suffix.
environment-attr-attr = attribute attr { xsd:string { pattern = "(roaming|bearer-type)" } }
environment-attr.attlist &= environment-attr-attr

# Pull in the XML Signature (xmldsig) schema in RELAX NG compact form; it
# supplies the `Signature` element used by signed-policy. We do not enforce
# the restriction that <Reference> must not contain a <Transforms> element,
# so that check must be done by the signature verifier.
include "xmldsig-core-schema.rnc"

# Three accepted document roots. Because a bare policy-set or policy is a
# valid root, a document that validates against this schema is not
# necessarily signed; a deployment that requires signatures must check for
# the signed-policy root itself.
start = signed-policy
start |= policy-set
start |= policy
Received on Tuesday, 22 June 2010 12:43:57 GMT
