- From: Dominique Hazael-Massieux via cvs-syncmail <cvsmail@w3.org>
- Date: Mon, 21 Jun 2010 13:43:13 +0000
- To: public-dap-commits@w3.org
Update of /sources/public/2009/dap/policy
In directory hutz:/tmp/cvs-serv12503
Modified Files:
Profile.html
Log Message:
removed (some of) the abusive <code> wrappers
Index: Profile.html
===================================================================
RCS file: /sources/public/2009/dap/policy/Profile.html,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -d -r1.13 -r1.14
--- Profile.html 21 Jun 2010 13:35:37 -0000 1.13
+++ Profile.html 21 Jun 2010 13:43:11 -0000 1.14
@@ -47,7 +47,7 @@
<section id="values-and-types">
<h3>Values and Types</h3>
<p>Each value in an expression is conceptually a
- <code>bag</code> of potentially multiple simple values. The
+ bag of potentially multiple simple values. The
bag can be empty, containing no simple values. In
practice almost every value encountered in the model is
either an empty bag or a bag containing a single simple
@@ -152,10 +152,10 @@
</section> <!-- subject-specification -->
<section id="target">
<h3>Target</h3>
- <p>The <code>target</code> of a <code>policy</code> or
- <code>policy set</code> identifies the set of
- <code>subjects</code> to which the <code>policy</code> or
- <code>policy set</code> applies. </p>
+ <p>The <code>target</code> of a policy or
+ policy set identifies the set of
+ subjects to which the policy or
+ policy set applies. </p>
<p>The <code>target</code>
consists of a disjunctive sequence of <code>subject</code>
specifications. A target specification is
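Review bot: The first added line still reads "The <code>target</code> of a policy or" while policy, policy set and subjects are unwrapped in the same sentence, and the unchanged paragraph right after keeps <code>target</code> and <code>subject</code>. If <code> is meant to be reserved for element names, say so in the commit message, or unwrap the conceptual uses of "target" here as well so the paragraph is consistent.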
@@ -173,13 +173,13 @@
</section> <!-- target -->
<section id="decision">
<h3>Decision</h3>
- <p>If determined, the result of a <code>rule</code> or
- <code>policy</code> or <code>policy set</code> is a
- <code>decision</code>, either “not applicable” or any one of
- the <a href="#effect"><code>effects</code></a> “permit”,
- “prompt-blanket”, “prompt-session”, “prompt-oneshot” or
- “deny”. </p> <p> The result of a <code>rule</code> or
- <code>policy</code> or <code>policy set</code> may be
+ <p>If determined, the result of a rule or
+ policy or policy set is a
+ decision, either “not applicable” or any one of
+ the <a href="#effect">effects</a> “<code>permit</code>”,
+ “<code>prompt-blanket</code>”, “<code>prompt-session</code>”, “<code>prompt-oneshot</code>” or
+ “<code>deny</code>”. </p> <p> The result of a rule or
+ policy or policy set may be
undetermined under conditions specified for each below.
</p>
</section> <!-- decision -->
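Review bot: On the added lines that list the effects, each value is now both wrapped in <code> and enclosed in curly quotes (“<code>permit</code>” ... “<code>deny</code>”), while “not applicable” in the same sentence is quoted only, and the Deny-Overrides list later in this file writes "deny" with straight quotes and no <code>. Pick one convention for decision values, for example <code> without surrounding quotes, and apply it to every place a decision value is named, since these strings are what implementations compare against.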
@@ -234,8 +234,8 @@
<code>policy</code> optionally has an id. If an
implementation provides a means to provision a security
policy fragment to replace an existing one, this id can
- be used to identify the <code>policy</code> or <code>policy
- set</code> to replace. No management of ids is mandated,
+ be used to identify the policy or policy
+ set to replace. No management of ids is mandated,
therefore it is recommended that a standardised textual
representation of a UUID should be used as the id. </p>
<p> The result of a policy is determined if and only if
@@ -243,12 +243,12 @@
</section> <!-- policy -->
<section id="policy-set">
<h3>Policy Set</h3>
- <p>The overall security framework is a <code>policy
- set</code>. </p> <p> A <code>policy set</code> is a target
+ <p>The overall security framework is a policy
+ set. </p> <p> A <code>policy-set</code> is a target
with a list of zero or more <code>policies</code> and
<code>policy sets</code> combined using a <a
- href="#combining-algorithm"><code>policy-combining
- algorithm</code></a>. Where a directive attribute query
+ href="#combining-algorithm">policy-combining
+ algorithm</a>. Where a directive attribute query
finds more than one applicable directive attribute set,
the first one is used. </p> <p> A <code>policy set</code>
optionally has an id. If an implementation provides a
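Review bot: The added line "set. </p> <p> A <code>policy-set</code> is a target" switches to the hyphenated form, but the unchanged lines directly below still use <code>policies</code>, <code>policy sets</code> and <code>policy set</code>, so this one paragraph now mixes the hyphenated name, the spaced name and plain prose for the same concept. Either unwrap the remaining prose uses in this paragraph in the same commit, or keep <code>policy-set</code> only where the element name is meant and use plain "policy set" everywhere else.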
@@ -267,16 +267,16 @@
fragment of policy to add to the existing security
policy framework or to replace a part of it, the
<code>policy document</code> is the unit of addition or
- replacement. A <code>policy document</code> can be either a
- <code>policy</code> or a <code>policy set</code>. </p>
+ replacement. A policy document can be either a
+ <code>policy</code> or a <code>policy-set</code>. </p>
</section> <!-- policy-document -->
<section id="signed-policy-document">
<h3>Signed Policy Document</h3>
<p>Where the implementation supports deployment of
- policy fragments as above, the <code>signed policy
- document</code> is the cryptographically signed unit of
- deployment. It contains one or more <code>policy
- documents</code> as well as a single signature. </p>
+ policy fragments as above, the signed policy
+ documentx is the cryptographically signed unit of
+ deployment. It contains one or more policy
+ documents as well as a single signature. </p>
</section> <!-- signed-policy-document -->
<section id="matching-function">
<h3>Matching Function</h3>
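Review bot: The added line "documentx is the cryptographically signed unit of" introduces a stray "x"; it should read "document is the cryptographically signed unit of". This is the sentence that defines the signed unit of deployment, so the term needs to be exact. In the same hunk, "<code>policy</code> or a <code>policy-set</code>" changes the spelling of the set from the removed line's "policy set"; confirm the hyphenated form is the intended element name and matches the Policy Set section.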
@@ -380,26 +380,26 @@
</section> <!-- modifier-function -->
<section id="combining-algorithm">
<h3>Combining Algorithm</h3>
- <p>The <code>policy-combining algorithm</code> for a
- <code>policy set</code> determines how child
- <code>policies</code> and <code>policy sets</code> are combined.
- </p> <p>The <code>rule-combining algorithm</code> for a
- <code>policy</code> determines how child <code>rules</code> are
+ <p>The policy-combining algorithm for a
+ policy set determines how child
+ policies and policy sets are combined.
+ </p> <p>The rule-combining algorithm for a
+ policy determines how child rules are
combined. </p> <p>The algorithms are described in the
- following subsections. The term <code>child</code> is used
- to mean the child <code>rules</code> in the <code>policy</code>
- when applying the <code>policy's rule-combining
- algorithm</code>, or the child <code>policies</code> and
- <code>policy sets</code> in the <code>policy set</code> when
- applying the <code>policy set's policy-combining
- algorithm</code>. </p>
+ following subsections. The term “child” is used
+ to mean the child rules in the policy
+ when applying the policy's rule-combining
+ algorithm, or the child policies and
+ policy sets in the policy set when
+ applying the policy set's policy-combining
+ algorithm. </p>
<section id="deny-overrides-combining-algorithm">
<h4>Deny-Overrides Combining Algorithm</h4>
<p>The Deny-Overrides Combining Algorithm is usable as a
policy-combining algorithm and as a rule-combining
algorithm. </p>
<p>The overall result of a
- <code>query</code> is evaluated as follows:</p>
+ query is evaluated as follows:</p>
<ul>
<li>if any
child evaluates to "deny", then the overall result is
@@ -427,7 +427,7 @@
<h4>Permit-Overrides Combining Algorithm</h4>
<p>The Permit-Overrides Combining Algorithm is usable as
a policy-combining algorithm and as a rule-combining
- algorithm. The overall result of a <code>query</code> is
+ algorithm. The overall result of a query is
evaluated as follows:</p>
<ul>
<li>if any child evaluates to
@@ -490,16 +490,16 @@
</section> <!-- combining-algorithm -->
<section id="effect">
<h3>Effect</h3>
- <p>The <code>effect</code> of a <code>rule</code> is one of the
+ <p>The effectx of a <code>rule</code> is one of the
following: </p>
<section id="permit">
<h4>Permit</h4>
- <p>This <code>effect</code> allows requested access without
+ <p>This effect allows requested access without
user interaction. </p>
</section> <!-- permit -->
<section id="deny">
<h4>Deny</h4>
- <p>This <code>effect</code> denies requested access without
+ <p>This effect denies requested access without
user interaction. </p>
</section> <!-- deny -->
<section id="prompt-x">
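Review bot: The first added line, "The effectx of a <code>rule</code> is one of the", has a stray "x" after "effect"; it should read "The effect of a <code>rule</code> is one of the". Note also that <code>rule</code> stays wrapped here while the Decision hunk unwraps "rule" in prose; if that is deliberate (element name versus concept), fine, otherwise unwrap it for consistency.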
@@ -511,7 +511,7 @@
<p>The implementation MUST only
provide the
user the option to grant permission up to the maximum
- allowed by the <code>effect</code>, ie: </p>
+ allowed by the effect, ie: </p>
<ul>
<li>prompt-oneshot: "deny always", "deny this time",
"allow this time";</li>
@@ -542,20 +542,20 @@
</section> <!-- effect -->
<section id="query">
<h3>Query</h3>
- <p>A <code>query</code> represents a specific instance of a
+ <p>A query represents a specific instance of a
security policy being evaluated in order to make an
access control decision relating to an attempted
- operation by a web application. </p> <p>A <code>query</code>
- is characterised by the collection of <code>subject
- attributes</code> associated with the web application
- instance, the collection of <code>resource attributes</code>
+ operation by a web application. </p> <p>A query
+ is characterised by the collection of subject
+ attributes associated with the web application
+ instance, the collection of resource attributes
associated with the attempted operation, and the
- collection of <code>environment attributes</code> associated
+ collection of environment attributes associated
with the circumstances of the attempt. The
determinedness of each of these attributes is in
- accordance with the <code>execution phase</code> of the
- attempt. </p> <p>A <code>query</code> is evaluated against a
- <code>policy-set</code>, resulting in a <code>decision</code> in
+ accordance with the execution phase of the
+ attempt. </p> <p>A query is evaluated against a
+ <code>policy-set</code>, resulting in a decision in
accordance with the evaluation rules defined in this
specification. </p>
</section> <!-- query -->
Received on Monday, 21 June 2010 13:43:15 UTC