This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
An empty policy element should be removed upon normalization Justification - Need to define additional normalization step to enable interoperability. I initially raised this issue in WS-SX (Security Policy) [1], but it should be addressed in WS-Policy. The WS-SecurityPolicy spec states (at line 372) "An assertion with an empty nested policy does not intersect with the same assertion without nested policy." Since both mean exactly the same thing, this opens a possibility for policy interop issues. <assertion /> and <assertion><policy /></assertion> should mean the same thing. An engine should treat them as equal, and the normalization process should account for this. Target - WS-Policy Framework [2] Proposal - add new section to 4.3, "Nested Policy Normalization", with following as the text in the section: "Any nested policy element of the form <assertion><wsp:Policy /></ assertion> will be normalized by removing the policy element, producing <assertion /> as the normal form. An empty policy element SHOULD NOT have attributes but if it does, they will be ignored and the element removed." Test Case - The intersection of the following two policy expressions should match as true: <wsp:Policy xmlns:test="http://www.example.com/example" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" > <test:SimpleAssertion /> </wsp:Policy> <wsp:Policy xmlns:test="http://www.example.com/example" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" > <test:SimpleAssertion><wsp:Policy /></test:SimpleAssertion> </wsp:Policy>
From: Asir Vedamuthu <asirveda@microsoft.com> > An empty policy element should be > removed upon normalization If an assertion description allows a nested policy expression and the provider decides not to qualify this assertion with nested policy assertions, the assertion MUST include an empty Policy element [1]. > <assertion /> and <assertion><policy /></assertion> > should mean This is a theoretical edge case. I am not aware of a case where an assertion description prescribes a nested policy expression and does not require a provider/requestor to use the nested policy expression. [1] http://dev.w3.org/cvsweb/~checkout~/2006/ws/policy/ws-policy-framework.html?content-type=text/html;%20charset=utf-8#Policy_Assertion_Nesting
To summarize what you said, If an assertion is allowed to have nested policy, then it MUST have a wsp:Policy child, always. I think this should be stated more clearly. Thus the edge case should never occur, since the version without the wsp:Policy child would be in error. (see http://lists.w3.org/Archives/Public/public-ws-policy/2006Jul/0088 )
This can be closed with no action, since this case should not occur with correct implementations. Note that there is another bug report regarding general normalization clarity - 3613.
See Minutes http://www.w3.org/2006/08/23-ws-policy-minutes.html