- From: Frederick Hirsch via cvs-syncmail <cvsmail@w3.org>
- Date: Mon, 21 Jun 2010 12:53:12 +0000
- To: public-dap-commits@w3.org
Update of /sources/public/2009/dap/policy In directory hutz:/tmp/cvs-serv6864 Modified Files: Profile.html Log Message: fix additional validation errors Index: Profile.html =================================================================== RCS file: /sources/public/2009/dap/policy/Profile.html,v retrieving revision 1.8 retrieving revision 1.9 diff -u -d -r1.8 -r1.9 --- Profile.html 21 Jun 2010 12:33:29 -0000 1.8 +++ Profile.html 21 Jun 2010 12:53:10 -0000 1.9 @@ -196,19 +196,31 @@ <h3>Condition</h3> <p>The <code>condition</code> of a <code>rule</code> specifies extra criteria that need to be matched before the - <code>rule</code> becomes applicable. </p> <p> The + <code>rule</code> becomes applicable. </p> + <p> The <code>condition</code> consists of one or more attribute matches, combined with AND and OR operators into an - arbitrarily nested tree. </p> <p> The AND operator is - evaluated as follows: <ul> <li>is determined and has + arbitrarily nested tree. </p> + <p> The AND operator is + evaluated as follows:</p> + <ul> + <li>is determined and has value “no match” if any input is “no match”</li> <li>otherwise is undetermined if any input is - undetermined</li> <li>otherwise is determined and has - value “match”</li> </ul> The OR operator is evaluated as - follows: <ul> <li>is determined and has value “match” if - any input is “match”</li> <li>otherwise is undetermined - if any input is undetermined</li> <li>otherwise is - determined and has value “no match”</li> </ul> </p> + undetermined</li> + <li>otherwise is determined and has + value “match”</li> + </ul> + <p> The OR operator is evaluated as + follows:</p> + <ul> + <li>is determined and has value “match” if + any input is “match”</li> + <li>otherwise is undetermined + if any input is undetermined</li> + <li>otherwise is + determined and has value “no match”</li> + </ul> </section> <!-- decision --> <section id="policy"> <h3>Policy</h3> 
@@ -385,68 +397,95 @@ <h4>Deny-Overrides Combining Algorithm</h4> <p>The Deny-Overrides Combining Algorithm is usable as a policy-combining algorithm and as a rule-combining - algorithm. </p> <p>The overall result of a - <code>query</code> is evaluated as follows: <ul> <li>if any + algorithm. </p> + <p>The overall result of a + <code>query</code> is evaluated as follows:</p> + <ul> + <li>if any child evaluates to "deny", then the overall result is - "deny";</li> <li>otherwise, if any child is + "deny";</li> + <li>otherwise, if any child is undetermined, then the overall result is - undetermined;</li> <li>otherwise, if any child evaluates + undetermined;</li> + <li>otherwise, if any child evaluates to "prompt-oneshot", then the overall result is - "prompt-oneshot";</li> <li>otherwise, if any child + "prompt-oneshot";</li> + <li>otherwise, if any child evaluates to "prompt-session", then the overall result - is "prompt-session";</li> <li>otherwise, if any child + is "prompt-session";</li> + <li>otherwise, if any child evaluates to "prompt-blanket", then the overall result - is "prompt-blanket";</li> <li>otherwise, if any child + is "prompt-blanket";</li> + <li>otherwise, if any child evaluates to "permit", then the overall result is - "permit";</li> <li>otherwise, the overall result is - "inapplicable".</li> </ul> </p> + "permit";</li> + <li>otherwise, the overall result is + "inapplicable".</li> + </ul> </section> <!-- deny-overrides-combining-algorithm --> <section id="permit-overrides-combining-algorithm"> <h4>Permit-Overrides Combining Algorithm</h4> <p>The Permit-Overrides Combining Algorithm is usable as a policy-combining algorithm and as a rule-combining algorithm. 
The overall result of a <code>query</code> is - evaluated as follows: <ul> <li>if any child evaluates to + evaluated as follows:</p> + <ul> + <li>if any child evaluates to "permit", then the overall result is "permit";</li> <li>otherwise, if any child is undetermined, then the - overall result is undetermined;</li> <li>otherwise, if + overall result is undetermined;</li> + <li>otherwise, if any child evaluates to "prompt-blanket", then the - overall result is "prompt-blanket";</li> <li>otherwise, + overall result is "prompt-blanket";</li> + <li>otherwise, if any child evaluates to "prompt-session", then the - overall result is "prompt-session";</li> <li>otherwise, + overall result is "prompt-session";</li> + <li>otherwise, if any child evaluates to "prompt-oneshot", then the - overall result is "prompt-oneshot";</li> <li>otherwise, + overall result is "prompt-oneshot";</li> + <li>otherwise, if any child evaluates to "deny", then the overall - result is "deny";</li> <li>otherwise, the overall result - is "inapplicable".</li> </ul> </p> + result is "deny";</li> + <li>otherwise, the overall result + is "inapplicable".</li> + </ul> </section> <!-- permit-overrides-combining-algorithm --> <section id="first-applicable-rule-combining-algorithm"> <h4>First-Applicable Rule Combining Algorithm</h4> <p>The First-Applicable Rule Combining Algorithm is - usable as a rule-combining algorithm. </p> <p>The + usable as a rule-combining algorithm. 
</p> + <p>The overall result of a query is evaluated by processing the - children in written order as follows: <ul> <li>if the + children in written order as follows: </p> + <ul> + <li>if the current child is determined and does not evaluate to "inapplicable", the overall result is the result of the - current child;</li> <li>otherwise, if the current child + current child;</li> + <li>otherwise, if the current child is undetermined, the overall result is - undetermined;</li> <li>otherwise, if the current child + undetermined;</li> + <li>otherwise, if the current child is determined and has value "inapplicable", continue processing at the next child. If already processing the final child, the overall result is "inapplicable".</li> - </ul> </p> + </ul> </section> <!-- first-applicable-rule-combining-algorithm --> <section id="first-matching-target-policy-combining-algorithm"> <h4>First-Matching-Target Policy Combining Algorithm</h4> <p>The First-Matching-Target Policy Combining Algorithm - is usable as a policy-combining algorithm. </p> <p>The + is usable as a policy-combining algorithm. </p> + <p>The overall result of a query is evaluated by processing the - children in written order as follows: <ul> <li>if the + children in written order as follows: </p> + <ul> + <li>if the current child has a target that matches the overall result is the result of the current child;</li> <li>otherwise, continue processing at the next child. If already processing the final child, the overall result - is "inapplicable".</li> </ul> </p> + is "inapplicable".</li> + </ul> </section> <!-- first-matching-target-policy-combining-algorithm --> </section> <!-- combining-algorithm --> <section id="effect"> 
@@ -468,23 +507,32 @@ <p>The prompt-oneshot, prompt-session and prompt-blanket effects allow requested access after explicit confirmation by the user. The implementation MUST prompt the user - before allowing access. </p> <p>The implementation MUST only + before allowing access. </p> + <p>The implementation MUST only provide the user the option to grant permission up to the maximum - allowed by the <code>effect</code>, ie: <ul> + allowed by the <code>effect</code>, ie: </p> + <ul> <li>prompt-oneshot: "deny always", "deny this time", - "allow this time";</li> <li>prompt-session: + "allow this time";</li> + <li>prompt-session: prompt-oneshot options plus "deny for this session", - "allow for this session";</li> <li>prompt-blanket: - prompt-session options plus "allow always".</li> </ul> + "allow for this session";</li> + <li>prompt-blanket: + prompt-session options plus "allow always".</li> + </ul> + <p> The implementation MUST provide a means to respond with any available option that is applicable in the - context in which the prompt is displayed. </p> <p> Any + context in which the prompt is displayed. </p> + <p> Any default action MUST be at least as restrictive as - "deny this time". </p> <p> If the user has the option of + "deny this time". </p> + <p> If the user has the option of deferring a response indefinitely and the user does not respond explicitly, the requested access MUST NOT be - allowed. </p> <p> + allowed. </p> + <p> For a widget, a session lasts while the application is still running and the terminal has not been switched off or placed in standby mode. </p> <p> For a website, @@ -581,7 +629,7 @@ <p><code><rule></code> contains an optional <code><condition></code>. </p> </section> - <section id="target"> + <section id="target-element"> <h4>The <code><target></code> Element</h4> <p><code><target></code> contains one or more <code><subject></code> elements. </p> 
@@ -604,7 +652,7 @@ <code><resource-match></code> or <code><environment-match></code>. </p> </section> - <section id="subject-match, resource-match, environment-match"> + <section id="subject-resource-environment-match"> <h4>The <code><subject-match></code>, <code><resource-match></code>, <code><environment-match></code> Elements</h4> <p><code><subject-match></code> represents a condition on a single subject attribute to be matched in @@ -644,7 +692,7 @@ the literal text to match after expanding any attributes. </p> </section> - <section id="subject-attr, resource-attr, environment-attr"> + <section id="subject-resource-environment-attr"> <h4>The <code><subject-attr></code>, <code><resource-attr></code>, <code><environment-attr></code> Elements</h4> <p> Each of these elements represents the value of a 
@@ -729,23 +777,40 @@ </section> <section class='website-subject-attribute-definitions'> <h2>Web Site Subject Attribute Definitions</h2> -<table> <caption> <dfn - id="website-subject-attributes-table">Website Subject - Attributes Table</dfn></caption> <thead> <tr> <th - scope="col">Attribute</th> <th scope="col">Type</th> <th - scope="col">Value</th> <th scope="col">Meaning</th> - </tr> </thead> <tbody> <tr> <td>class</td> - <td>string</td> <td>"website"</td> <td>Has the value - "website" if and only if the subject is of this - class.</td> </tr> <tr> <td rowspan="4">sign-schema</td> - <td rowspan="4">string</td> </tr> <tr> <td>"" (empty +<table> <caption> + <dfn id="website-subject-attributes-table">Website Subject + Attributes Table</dfn></caption> + <thead> + <tr> + <th scope="col">Attribute</th> + <th scope="col">Type</th> + <th scope="col">Value</th> + <th scope="col">Meaning</th> + </tr> + </thead> + <tbody> + <tr> + <td>class</td> + <td>string</td> + <td>"website"</td> + <td>Has the value "website" if and only if the subject is of this + class.</td> + </tr> + <tr> + <td >sign-schema</td> + <td>string</td> +<td>"" (empty string)</td> <td>Not signed.</td> </tr> <tr> + <td >sign-schema</td> + <td>string</td> <td>"tls"</td> <td>The page was fetched using HTTPS and the browser has verified that the site certificate’s Common Name matches the host that the page was fetched from, and it has already applied its own policies regarding whether the root certificate is in an acceptable trust domain.</td> </tr> <tr> + <td >sign-schema</td> + <td>string</td> <td>"tls-ev"</td> <td>As "tls", and, additionally, the site certificate has an extended validation field and the browser's internal policy allows that information to 
@@ -784,7 +849,7 @@ the following attributes: </p> <table> <caption> - <dfn id="widget-subject-attributes-table">Widget Resource + <dfn id="widget-resource-attributes-table">Widget Resource Attributes Table</dfn></caption> <thead> <tr> <th scope="col">Attribute</th> <th scope="col">Type</th> <th @@ -844,7 +909,7 @@ <section class='context-attribute-definitions'> <h2>Context Attribute Definitions</h2> <table> <caption> <dfn - id="widget-subject-attributes-table">Context + id="context-attributes-table">Context Attributes Table</dfn></caption> <thead> <tr> <th scope="col">Attribute</th> <th scope="col">Type</th> <th scope="col">Value</th> <th scope="col">Comment</th>
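Review bot: In the @@ -385,68 +397,95 @@ hunk, the first item of the First-Matching-Target list, "if the current child has a target that matches the overall result is the result of the current child", has no comma after "matches" and can be read as the target matching the overall result. Since the surrounding lines are being re-wrapped anyway, change it to "has a target that matches, the overall result is the result of the current child". The same hunk keeps "query" inside <code> in the Deny-Overrides and Permit-Overrides paragraphs but leaves it bare in the First-Applicable and First-Matching-Target paragraphs; use one form throughout.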
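Review bot: In the @@ -468,23 +507,32 @@ hunk, "The implementation MUST only provide the user the option to grant permission up to the maximum allowed by the effect" attaches the requirement keyword to "only", so it is unclear whether offering these options is mandatory or offering anything broader is forbidden. The next paragraph ("MUST provide a means to respond with any available option") already covers the first reading, so state this one as a prohibition, for example "MUST NOT offer the user any option that grants more than the effect allows". Also write "ie:" as "i.e.:".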
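Review bot: In the @@ -581,7 +629,7 @@ hunk, and in the two section id renames in the hunks at -604 and -644, the change alters the fragment identifiers themselves, so any link to #target elsewhere in Profile.html or in other documents stops resolving once id="target" becomes "target-element". Search for href values that point at the old ids and update them in the same commit, or note in the log message that none exist.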
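Review bot: In the @@ -729,23 +777,40 @@ hunk, the three added sign-schema cells are written as "<td >sign-schema</td>" with a stray space inside the start tag, and the added line beginning <td>"" (empty has lost its indentation; tidy both. Repeating "sign-schema" and "string" in every row also drops the grouping the old rowspan expressed; rowspan="3" on the first value row would validate and keep it. While this table is being touched: the "tls" row defines verification as the certificate's Common Name matching the host, but HTTPS clients check subjectAltName dNSName entries first and fall back to Common Name only when none is present, so "the site certificate's identity matches the host" would be the more accurate wording.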
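Review bot: In the @@ -784,7 +849,7 @@ and @@ -844,7 +909,7 @@ hunks, both the Widget Resource table and the Context table previously carried id="widget-subject-attributes-table", so an existing reference to that id may have been written with either of these tables in mind. Check each reference to the old id and repoint it at "widget-resource-attributes-table" or "context-attributes-table" where that is the table actually meant.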
Received on Monday, 21 June 2010 12:53:14 UTC