Section 4.1 Extended Authorization Query Minor point: Is there added value if we provide a field for the requestor to indicate if it can interpret obligations (and maybe even what type) ... I don't see a benefit that is large enough to justify the addedd complexity and think it should probably be left as is. 4.3 Obligations This description is more general than I had in mind. I was thinking of defining the obligations to be specific to the action, subject and object specified in the request. 5.3 Element So you propose to define a new authorization decision statement for a total of possibly three: AuthorizationDecisionStatement SimpleAuthorizaitonDecisionStatement ObligatedAuthorizationDecisionStatement and the new ObligatedAuthorizationDecisionStatement is a AuthorizationDecisionStatement with at least one ObligationStatement embedded. In general I like the added flexibility you give the ObligationStatement by building it on the semantic contents as used in Ponder. I always assumed that most of the elements that you explicitly specify are implicitly defined, e.g. obligation subject being always the PEP. While I understand your example with the requestor being obliged to delete the file I don't see this as a use-case and believe there are trust relationship problems if the entity fulfilling the obligation is not the PEP In summary: I would've loved to use the XACML format here for several reasons: - we always said that we are working towards the SAML/XACML integration, the current XACML over SAML profile would allow us to move full XACML responses which would inlcude XACML style obligations for which we already have implementations (i.e. we explicitly said that we would like to have the same semantic content as SAML2 at the end of the document, does this include the obligations specification that SAML2 uses via XACML over SAML?) - Several people in the grid community have either expressed plans or have started projects that utilize XACML, with this specification we would have to convert between the XACML and this custom format - I don't see the need (subject,object, action, exception) obligations statement. From our previous discussion I thought that you had backed away from XACML obligations due to the believed patent problem. I had researched this and was told by several parties that this patent would apply to all languages using the concept of obligations and that people didn't see a problem with using obligations, especially as IBM contributed the obligation defition to OASIS/XACML.