Subject: [xacml-comment] Questions about Section 7.10
Hi, I have questions about Section 7.10.

>> If the PDP cannot make a decision,
>> then an "Indeterminate" <Decision>
>> element contents SHALL be returned.
>> The PDP MAY return a <Decision> element
>> contents of "Indeterminate" with a status code of:
>> "urn:oasis:names:tc:xacml:1.0:missing-attribute",
>> signifying that more information is needed.

Okay.

>> In this case, the <Status> element MAY list
>> the names and data-types of any attributes of
>> the subjects and the resource that are needed
>> by the PDP to refine its decision.

Q1: Doesn't this contradict another similar sentence below (in Q3)?
Q2: Why is this sentence talking only about the subject and resource attributes? How about the action and environment attributes needed?

>> A PEP MAY
>> resubmit a refined request context in response
>> to a <Decision> element contents of "Indeterminate"
>> with a status code of
>> "urn:oasis:names:tc:xacml:1.0:missing-attribute",
>> by adding attribute values for the attribute names
>> that were listed in the previous response.

Okay.

>> When the PDP returns a <Decision> element contents
>> of "Indeterminate", with a status code of
>> "urn:oasis:names:tc:xacml:1.0:missing-attribute",
>> it MUST NOT list the names and data-types of any
>> attribute of the subject or the resource for which
>> values were supplied in the original request.

Q3: Does this contradict the above sentence? Or is this talking about the evaluation result for the refined and resubmitted request context?
Q4: Again, how about the action and environment attributes?

>> Note, this requirement forces the PDP to eventually
>> return an authorization decision of "Permit",
>> "Deny" or "Indeterminate" with some other status code,
>> in response to successively-refined requests.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com
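The resubmission exchange in the quoted Section 7.10 text, as an added example that is not part of the original message or of the XACML specification. It models a toy PDP that lists only attributes with no value in the request and a toy PEP that refines and resubmits. The policy, the function names and the short data-type labels are constructed assumptions, and only the subject and resource categories named in the quoted text are modeled.

```python
# Added illustration; the names below are hypothetical, not from the XACML spec.
MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:missing-attribute"

# Constructed policy: attributes (category, name, data-type) the toy PDP needs.
REQUIRED = [
    ("subject", "role", "string"),
    ("subject", "clearance", "integer"),
    ("resource", "classification", "integer"),
]


def evaluate(request):
    """Toy PDP: request maps (category, name) -> value."""
    # List only attributes that have NO value in the request, so nothing that
    # was already supplied is ever asked for again.
    missing = [(c, n, t) for (c, n, t) in REQUIRED if (c, n) not in request]
    if missing:
        return {"decision": "Indeterminate", "status": MISSING_ATTRIBUTE,
                "missing": missing}
    ok = (request[("subject", "role")] == "analyst"
          and request[("subject", "clearance")]
          >= request[("resource", "classification")])
    return {"decision": "Permit" if ok else "Deny", "status": None, "missing": []}


def pep_loop(request, attribute_source, max_rounds=10):
    """Toy PEP: resubmit refined requests until the PDP stops asking."""
    request = dict(request)
    history = []
    for _ in range(max_rounds):
        response = evaluate(request)
        history.append(response)
        if response["status"] != MISSING_ATTRIBUTE:
            return response, history
        added = 0
        for (c, n, _t) in response["missing"]:
            # Check the invariant from the quoted text on every round.
            assert (c, n) not in request, "PDP listed a supplied attribute"
            if (c, n) in attribute_source:
                request[(c, n)] = attribute_source[(c, n)]
                added += 1
        if added == 0:
            # The PEP cannot refine further; the Indeterminate result stands.
            return response, history
    raise RuntimeError("no final decision within max_rounds")
```

Because each missing-attribute response can name only attributes absent from the request, every resubmission that adds a value shortens the next list, which is why the loop is bounded by the number of attributes the policy needs.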