- From: Frederick Hirsch via cvs-syncmail <cvsmail@w3.org>
- Date: Mon, 21 Jun 2010 12:53:12 +0000
- To: public-dap-commits@w3.org
Update of /sources/public/2009/dap/policy
In directory hutz:/tmp/cvs-serv6864
Modified Files:
Profile.html
Log Message:
fix additional validation errors
Index: Profile.html
===================================================================
RCS file: /sources/public/2009/dap/policy/Profile.html,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -d -r1.8 -r1.9
--- Profile.html 21 Jun 2010 12:33:29 -0000 1.8
+++ Profile.html 21 Jun 2010 12:53:10 -0000 1.9
@@ -196,19 +196,31 @@
<h3>Condition</h3>
<p>The <code>condition</code> of a <code>rule</code> specifies
extra criteria that need to be matched before the
- <code>rule</code> becomes applicable. </p> <p> The
+ <code>rule</code> becomes applicable. </p>
+ <p> The
<code>condition</code> consists of one or more attribute
matches, combined with AND and OR operators into an
- arbitrarily nested tree. </p> <p> The AND operator is
- evaluated as follows: <ul> <li>is determined and has
+ arbitrarily nested tree. </p>
+ <p> The AND operator is
+ evaluated as follows:</p>
+ <ul>
+ <li>is determined and has
value “no match” if any input is “no match”</li>
<li>otherwise is undetermined if any input is
- undetermined</li> <li>otherwise is determined and has
- value “match”</li> </ul> The OR operator is evaluated as
- follows: <ul> <li>is determined and has value “match” if
- any input is “match”</li> <li>otherwise is undetermined
- if any input is undetermined</li> <li>otherwise is
- determined and has value “no match”</li> </ul> </p>
+ undetermined</li>
+ <li>otherwise is determined and has
+ value “match”</li>
+ </ul>
+ <p> The OR operator is evaluated as
+ follows:</p>
+ <ul>
+ <li>is determined and has value “match” if
+ any input is “match”</li>
+ <li>otherwise is undetermined
+ if any input is undetermined</li>
+ <li>otherwise is
+ determined and has value “no match”</li>
+ </ul>
</section> <!-- decision -->
<section id="policy">
<h3>Policy</h3>
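Review bot: The closing tag after the OR list still reads "</section> <!-- decision -->" although the section it closes is headed "Condition"; update the trailing comment to match the section while this markup is being touched. The list items in both the AND and OR lists are also subject-less fragments ("is determined and has value ..."), so consider starting each with "the result" so that every item reads as a full statement.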
@@ -385,68 +397,95 @@
<h4>Deny-Overrides Combining Algorithm</h4>
<p>The Deny-Overrides Combining Algorithm is usable as a
policy-combining algorithm and as a rule-combining
- algorithm. </p> <p>The overall result of a
- <code>query</code> is evaluated as follows: <ul> <li>if any
+ algorithm. </p>
+ <p>The overall result of a
+ <code>query</code> is evaluated as follows:</p>
+ <ul>
+ <li>if any
child evaluates to "deny", then the overall result is
- "deny";</li> <li>otherwise, if any child is
+ "deny";</li>
+ <li>otherwise, if any child is
undetermined, then the overall result is
- undetermined;</li> <li>otherwise, if any child evaluates
+ undetermined;</li>
+ <li>otherwise, if any child evaluates
to "prompt-oneshot", then the overall result is
- "prompt-oneshot";</li> <li>otherwise, if any child
+ "prompt-oneshot";</li>
+ <li>otherwise, if any child
evaluates to "prompt-session", then the overall result
- is "prompt-session";</li> <li>otherwise, if any child
+ is "prompt-session";</li>
+ <li>otherwise, if any child
evaluates to "prompt-blanket", then the overall result
- is "prompt-blanket";</li> <li>otherwise, if any child
+ is "prompt-blanket";</li>
+ <li>otherwise, if any child
evaluates to "permit", then the overall result is
- "permit";</li> <li>otherwise, the overall result is
- "inapplicable".</li> </ul> </p>
+ "permit";</li>
+ <li>otherwise, the overall result is
+ "inapplicable".</li>
+ </ul>
</section> <!-- deny-overrides-combining-algorithm -->
<section id="permit-overrides-combining-algorithm">
<h4>Permit-Overrides Combining Algorithm</h4>
<p>The Permit-Overrides Combining Algorithm is usable as
a policy-combining algorithm and as a rule-combining
algorithm. The overall result of a <code>query</code> is
- evaluated as follows: <ul> <li>if any child evaluates to
+ evaluated as follows:</p>
+ <ul>
+ <li>if any child evaluates to
"permit", then the overall result is "permit";</li>
<li>otherwise, if any child is undetermined, then the
- overall result is undetermined;</li> <li>otherwise, if
+ overall result is undetermined;</li>
+ <li>otherwise, if
any child evaluates to "prompt-blanket", then the
- overall result is "prompt-blanket";</li> <li>otherwise,
+ overall result is "prompt-blanket";</li>
+ <li>otherwise,
if any child evaluates to "prompt-session", then the
- overall result is "prompt-session";</li> <li>otherwise,
+ overall result is "prompt-session";</li>
+ <li>otherwise,
if any child evaluates to "prompt-oneshot", then the
- overall result is "prompt-oneshot";</li> <li>otherwise,
+ overall result is "prompt-oneshot";</li>
+ <li>otherwise,
if any child evaluates to "deny", then the overall
- result is "deny";</li> <li>otherwise, the overall result
- is "inapplicable".</li> </ul> </p>
+ result is "deny";</li>
+ <li>otherwise, the overall result
+ is "inapplicable".</li>
+ </ul>
</section> <!-- permit-overrides-combining-algorithm -->
<section id="first-applicable-rule-combining-algorithm">
<h4>First-Applicable Rule Combining Algorithm</h4>
<p>The First-Applicable Rule Combining Algorithm is
- usable as a rule-combining algorithm. </p> <p>The
+ usable as a rule-combining algorithm. </p>
+ <p>The
overall result of a query is evaluated by processing the
- children in written order as follows: <ul> <li>if the
+ children in written order as follows: </p>
+ <ul>
+ <li>if the
current child is determined and does not evaluate to
"inapplicable", the overall result is the result of the
- current child;</li> <li>otherwise, if the current child
+ current child;</li>
+ <li>otherwise, if the current child
is undetermined, the overall result is
- undetermined;</li> <li>otherwise, if the current child
+ undetermined;</li>
+ <li>otherwise, if the current child
is determined and has value "inapplicable", continue
processing at the next child. If already processing the
final child, the overall result is "inapplicable".</li>
- </ul> </p>
+ </ul>
</section> <!-- first-applicable-rule-combining-algorithm -->
<section id="first-matching-target-policy-combining-algorithm">
<h4>First-Matching-Target Policy Combining Algorithm</h4>
<p>The First-Matching-Target Policy Combining Algorithm
- is usable as a policy-combining algorithm. </p> <p>The
+ is usable as a policy-combining algorithm. </p>
+ <p>The
overall result of a query is evaluated by processing the
- children in written order as follows: <ul> <li>if the
+ children in written order as follows: </p>
+ <ul>
+ <li>if the
current child has a target that matches the overall
result is the result of the current child;</li>
<li>otherwise, continue processing at the next child. If
already processing the final child, the overall result
- is "inapplicable".</li> </ul> </p>
+ is "inapplicable".</li>
+ </ul>
</section> <!-- first-matching-target-policy-combining-algorithm -->
</section> <!-- combining-algorithm -->
<section id="effect">
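Review bot: In the Permit-Overrides section the introduction is still one paragraph ("... a rule-combining algorithm. The overall result of a query is evaluated as follows:"), while Deny-Overrides, First-Applicable and First-Matching-Target now split the same two sentences into separate <p> elements; split it here too for consistency. In First-Matching-Target the first item, "if the current child has a target that matches the overall result is the result of the current child", needs a comma after "matches", otherwise it reads as "matches the overall result". Two of the new lines also leave a space before the close tag ("follows: </p>").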
@@ -468,23 +507,32 @@
<p>The prompt-oneshot, prompt-session and prompt-blanket
effects allow requested access after explicit
confirmation by the user. The implementation MUST prompt the user
- before allowing access. </p> <p>The implementation MUST only
+ before allowing access. </p>
+ <p>The implementation MUST only
provide the
user the option to grant permission up to the maximum
- allowed by the <code>effect</code>, ie: <ul>
+ allowed by the <code>effect</code>, ie: </p>
+ <ul>
<li>prompt-oneshot: "deny always", "deny this time",
- "allow this time";</li> <li>prompt-session:
+ "allow this time";</li>
+ <li>prompt-session:
prompt-oneshot options plus "deny for this session",
- "allow for this session";</li> <li>prompt-blanket:
- prompt-session options plus "allow always".</li> </ul>
+ "allow for this session";</li>
+ <li>prompt-blanket:
+ prompt-session options plus "allow always".</li>
+ </ul>
+ <p>
The implementation MUST provide a means to respond
with any available option that is applicable in the
- context in which the prompt is displayed. </p> <p> Any
+ context in which the prompt is displayed. </p>
+ <p> Any
default action MUST be at least as restrictive as
- "deny this time". </p> <p> If the user has the option of
+ "deny this time". </p>
+ <p> If the user has the option of
deferring a response indefinitely and the user does not
respond explicitly, the requested access MUST NOT be
- allowed. </p> <p>
+ allowed. </p>
+ <p>
For a widget, a session lasts while the application is
still running and the terminal has not been switched off
or placed in standby mode. </p> <p> For a website,
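Review bot: The last line of this hunk still runs two paragraphs together ("or placed in standby mode. </p> <p> For a website,"), unlike every other paragraph boundary the change puts on its own line; split it the same way. The new line "allowed by the <code>effect</code>, ie: </p>" keeps "ie:", which should be "i.e.:" in normative text, and has a stray space before the close tag.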
@@ -581,7 +629,7 @@
<p><code><rule></code> contains an optional
<code><condition></code>. </p>
</section>
- <section id="target">
+ <section id="target-element">
<h4>The <code><target></code> Element</h4>
<p><code><target></code> contains one or more
<code><subject></code> elements. </p>
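Review bot: Renaming id="target" to id="target-element" changes the fragment identifier of this section, so any link of the form #target that was meant to reach the element description now resolves elsewhere or nowhere. Check the in-document references and the table of contents for this section and update them in the same commit.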
@@ -604,7 +652,7 @@
<code><resource-match></code> or
<code><environment-match></code>. </p>
</section>
- <section id="subject-match, resource-match, environment-match">
+ <section id="subject-resource-environment-match">
<h4>The <code><subject-match></code>, <code><resource-match></code>, <code><environment-match></code> Elements</h4>
<p><code><subject-match></code> represents a
condition on a single subject attribute to be matched in
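Review bot: The new id="subject-resource-environment-match" gives one anchor to a section that defines three elements, so <resource-match> and <environment-match> cannot be linked to individually. If other parts of the document refer to a single one of these elements, consider separate anchors for each, or state in the log message that one shared anchor is intended.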
@@ -644,7 +692,7 @@
the literal text to match after expanding any
attributes. </p>
</section>
- <section id="subject-attr, resource-attr, environment-attr">
+ <section id="subject-resource-environment-attr">
<h4>The <code><subject-attr></code>, <code><resource-attr></code>, <code><environment-attr></code> Elements</h4>
<p>
Each of these elements represents the value of a
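Review bot: The ids introduced in this commit follow two naming patterns: "target-element" carries an "-element" suffix, while "subject-resource-environment-attr" here and "subject-resource-environment-match" do not. Pick one pattern for the element sections so that the anchors are predictable.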
@@ -729,23 +777,40 @@
</section>
<section class='website-subject-attribute-definitions'>
<h2>Web Site Subject Attribute Definitions</h2>
-<table> <caption> <dfn
- id="website-subject-attributes-table">Website Subject
- Attributes Table</dfn></caption> <thead> <tr> <th
- scope="col">Attribute</th> <th scope="col">Type</th> <th
- scope="col">Value</th> <th scope="col">Meaning</th>
- </tr> </thead> <tbody> <tr> <td>class</td>
- <td>string</td> <td>"website"</td> <td>Has the value
- "website" if and only if the subject is of this
- class.</td> </tr> <tr> <td rowspan="4">sign-schema</td>
- <td rowspan="4">string</td> </tr> <tr> <td>"" (empty
+<table> <caption>
+ <dfn id="website-subject-attributes-table">Website Subject
+ Attributes Table</dfn></caption>
+ <thead>
+ <tr>
+ <th scope="col">Attribute</th>
+ <th scope="col">Type</th>
+ <th scope="col">Value</th>
+ <th scope="col">Meaning</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>class</td>
+ <td>string</td>
+ <td>"website"</td>
+ <td>Has the value "website" if and only if the subject is of this
+ class.</td>
+ </tr>
+ <tr>
+ <td >sign-schema</td>
+ <td>string</td>
+<td>"" (empty
string)</td> <td>Not signed.</td> </tr> <tr>
+ <td >sign-schema</td>
+ <td>string</td>
<td>"tls"</td> <td>The page was fetched using HTTPS and
the browser has verified that the site certificate’s
Common Name matches the host that the page was fetched
from, and it has already applied its own policies
regarding whether the root certificate is in an
acceptable trust domain.</td> </tr> <tr>
+ <td >sign-schema</td>
+ <td>string</td>
<td>"tls-ev"</td> <td>As "tls", and, additionally, the
site certificate has an extended validation field and
the browser's internal policy allows that information to
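Review bot: The three added cells are written as "<td >sign-schema</td>" with a stray space inside the tag, and the added line '<td>"" (empty' is not indented like its neighbours; tidy both. Repeating the "sign-schema" and "string" cells in every row removes the empty <tr> that the rowspan version had, but it also loses the visual grouping of the values; a rowspan placed on the first value row would keep the grouping and still validate. The first line of the table, "<table> <caption>", is also left run together.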
@@ -784,7 +849,7 @@
the following attributes: </p>
<table>
<caption>
- <dfn id="widget-subject-attributes-table">Widget Resource
+ <dfn id="widget-resource-attributes-table">Widget Resource
Attributes Table</dfn></caption>
<thead>
<tr> <th scope="col">Attribute</th> <th scope="col">Type</th> <th
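Review bot: The id "widget-subject-attributes-table" was attached to the Widget Resource Attributes Table here, so existing references to that id may have been written with either table in mind. After the rename to "widget-resource-attributes-table", verify that each reference in the document points at the table its surrounding text describes.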
@@ -844,7 +909,7 @@
<section class='context-attribute-definitions'>
<h2>Context Attribute Definitions</h2>
<table> <caption> <dfn
- id="widget-subject-attributes-table">Context
+ id="context-attributes-table">Context
Attributes Table</dfn></caption> <thead> <tr> <th
scope="col">Attribute</th> <th scope="col">Type</th> <th
scope="col">Value</th> <th scope="col">Comment</th>
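Review bot: The context line "<section class='context-attribute-definitions'>" identifies the section with a class attribute and single quotes, while the sections in the earlier hunks use id="..." with double quotes. If this value is meant to be the section's anchor it should be an id, and since this commit is fixing identifiers it is a good place to correct it. The opening "<table> <caption> <dfn" is also still run together on one line, unlike the table reformatted earlier in this change.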
Received on Monday, 21 June 2010 12:53:14 UTC