Re: [xacml] 7.7 Obligations

[bill parducci <bill.parducci@overxeer.com>]

i concur.

b

Michiharu Kudoh wrote:
> I think XACML specification should basically focus on the functionality on
> the PDP but it does not necessarily mean that it MUST NOT say anything
> about entries other than PDP in the normative sections. For example,
> Section 7.1 describes desirable behavior in "PEP", for example in line
> 2636-2664. The following are excerpt:
> 
> - If the "Permit" value is returned, then the PEP MAY permit access to the
> resource.
> - If the "Deny" value is returned, then the PEP SHALL deny access to the
> resource.
> - If the "Indeterminate" value is returned, it means that the PDP could not
> make a decision. The PDP MAY return a decision value of "Indeterminate"
> with a status code of  "... missing-attribute", etc.
> - If the "NotApplicable" is returned, it means that the PDP's policy is not
> applicable to the request, implying that the PEP should send its request to
> another PDP.
> 
> The following are the text regarding obligations and I want to add in this
> section:
> 
> - If the "Permit with obligations(s)" value is returned, then the PEP MAY
> permit access to the resource and PEP is responsible for fulfilling the
> obligation(s). If there is an obligation that is not understandable by the
> PEP, then the PEP SHALL deny access to the resource.
> - If the "Deny with obligations(s)" value is returned, then the PEP SHALL
> deny access to the resource and PEP is still responsible for fulfilling the
> obligation(s). If there is an obligation that is not understandable by the
> PEP, then the PEP SHALL raise an error. How and which error should be
> raised is outside the scope of XACML.
> 
> Michiharu Kudo
> 
> IBM Tokyo Research Laboratory, Internet Technology
> Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428