[xacml-comment] XACML 1.0 Committee Specification Comments

["Chopra, Dipak" <dipak.chopra@sap.com>]

Hello,

I reviewed the XACML 1.0 Committee Spec and here is the list of questions/comments.

1. Can PAP and PDP exchange Policy Set? Based on the Section 3.1 Data Flow Model, it seems like only Policy can be exchanged. If that is the case, how can PDP evaluate Policy Set as mentioned in Section 7.7 Policy Set Evaluation?
2. What is the commonality between different Policy elements in the same Policy Set? The requirement on line #354 seems to indicate that the merging of different Policy elements into Policy Set is governed by "a given action". Does it mean that the cardinality between Policy Set and Action is 1 to 1? It seems confusing as schema does not suggest that.
3. As Target can have multiple Resource and Action elements, not every Action is valid for each Resource. But the current schema allows to provide more non-existent access to resources.
4. What is the significance of an Obligation with FulfillOn="Deny"? Which use case needs this feature?
5. Line #2675, scope can be "Descendants" or "Children" as mentioned on lines #2907, 2908 in the case of multiple results.
6. Section 7.6 Policy Evaluation. The table should be Policy truth table.
7. Section 7.7 Policy Set Evaluation. The table should be Policy Set truth table. In this table, what is the meaning of "Effect" of Policy. As far as schema is concerned, Policy does not have this attribute. Only Rule has Effect element. Probably the right statement "At least one policy value has the calculated effect value".
8. Line #2907, 2908. It seems like authorization decision MAY include multiple results based on the structure of resource sub-tree. I think this mechanism provides more information than requested. PEP is requesting if this subject(s) has the specified access (actions(s)) on the specified resource and its child nodes. The response should be one result. Why would PEP want to get detailed result information for each sub-node under resource? PEP must know about the structure (if there is any) of the requested resource and accordingly request for authorization decision from PDP. Based on that response, PEP should be able to allow or disallow the request. On line #2968, it says only one Decision element, which is not right based on lines #2907, 2908.
9. There are two different types of resources. Functionality resource and data-instance resource. For example, ManagePO resource can be used to create/delete/modify an instance of PO. So ManagePO is a type of functionality type resource and instance of PO is a data-instance type resource. If we need to mandate that this action of this data-instance type resource can only be permitted by this functionality-type resource, how do we enforce that?

Thanks,
Dipak Chopra
Technology Architecture Group, 
SAP Labs, Palo Alto
650-320-3221