OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [xacml-dev] Some Doubts On Indeterminate Result With 3.0.


Hi Asela,

You are correct when you doubt whether the PDP would want to send these
extended Indeterminate values back to the PEP. These values are only for
internal PDP processing of some of the combining algorithms, which is mentioned
in the spec, but could possibly be more explicit to avoid developers being
uncertain about whether they are returned to the PEP, which they are not.

In the current version of the spec:
http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-en.pdf

the extended Indeterminate is discussed in section 7.10, which explicitly says:
"3503 The final decision returned by a PDP cannot be an extended Indeterminate. Any such decision at the top level policy or policy set is returned as a plain Indeterminate in the response from the PDP."
It is also discussed in section C.1:
"5392 ... For these algorithms, the PDP MUST keep track of the extended set of “Indeterminate” values during rule and policy combining.

5394 The output of a combining algorithm which does not track the extended set of “Indeterminate” values MUST be treated as “Indeterminate{DP}” for the value “Indeterminate” by a combining algorithm which tracks the extended set of “Indeterminate” values.

5397 A combining algorithm which does not track the extended set of “Indeterminate” values MUST treat the output of a combining algorithm which tracks the extended set of “Indeterminate” values as an  “Indeterminate” for any of the possible values of the extended set of “Indeterminate”."
I can see where the above text would possibly leave one wondering whether the Extended values
are returned or not.

However, as it says in section 7.10, they are not returned, so hopefully that will address your issue.

    Thanks,
    Rich



On 7/18/2012 3:19 AM, Asela Pathberiya wrote:
Hi devs,

I have little doubt on  "Indeterminate" result which send to the PEP according the  XACML 3.0 Core.   According to the XACML 3.0 combining algorithm, It has been introduced, Som indeterminate values  which would be  "Indeterminate{D}", "Indeterminate{P}" and "Indeterminate{DP}".  My doubt is that whether PDP want to send one of these three results to PEP when it is indeterminate. But according to the schema, it is not mentioned about these indeterminate results in  "DecisionType".  So what would be the correct way? Appreciate your help on this..

Thanks in Advance.
Asela.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]