OASIS Mailing List Archives

xacml message



Subject: [xacml] error conditions


I think that there is some inconsistency with error condition responses of the PDP as communicated to the PEP. 

In some cases a decision of INDETERMINATE is returned without an accompanying status code (pdf:4502, 4605, 4664, 4799), while in others a status code is required (pdf:4715, 4755). 

I think that it is important that error conditions REQUIRE a status code in all circumstances so that the PEP is aware that the decision is a result of an error and not insufficient inputs. In practical terms this would allow the PEP to decide if retrying the request has merit, as well as provide important operational information. This requires that status codes be required in all cases (at least that seems like it would be the case). 

Under that assumption, here are the changes I think are necessary to accomplish this:


Add the text from line pdf:4176, "...shall evaluate to "Indeterminate", with the appropriate error status,"  to lines pdf:4502, 4605, 4664 and 4799.

Change pdf:2696 (and schema) to read: "<xs:element ref="xacml-context:Status" minOccurs="1"/>"


Change pdf:2696 (and schema) to read: "<xs:element ref="xacml-context:Status" minOccurs="0"/>"

Change pdf:2709 to read: "<Status> [Required]"

Change pdf:2760 to read: "<xs:element ref="xacml-context:StatusCode" minOccurs="1"/>"

Change pdf:2760 to read: "xacml:Context:Status M"
Change pdf:2760 to read: "xacml:Context:StatusCode M"

I would like to propose that this be adopted by the spec. If the group doesn't agree then lines pdf:4715 and 4755 need to be updated to reflect this.
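
The PEP-side consequence of the point raised above, as an added example that is not part of the original message or of the XACML specification: a fail-closed PEP can only choose a follow-up action for an Indeterminate decision when a status code accompanies it. The status URNs and the `Value` attribute follow XACML 1.0 and are assumed here (the draft under discussion may differ); `pep_handle`, the action names and the sample responses are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET

# XACML 1.0 status-code identifiers (assumption: the draft discussed may differ).
STATUS = "urn:oasis:names:tc:xacml:1.0:status:"
# Hypothetical PEP follow-up actions per status code.
ACTIONS = {
    STATUS + "processing-error": "retry",                     # PDP-side failure
    STATUS + "missing-attribute": "resubmit-with-attributes",  # insufficient inputs
    STATUS + "syntax-error": "reject",                        # malformed request or policy
}

def local(tag):
    """Strip the XML namespace so the check does not depend on the context URI."""
    return tag.rsplit("}", 1)[-1]

def find(elem, name):
    """First element at or below elem with the given local name, or None."""
    return next((e for e in elem.iter() if local(e.tag) == name), None)

def pep_handle(response_xml):
    """Return (enforcement, follow_up) for one PDP response.
    Only an explicit Permit grants access; everything else fails closed."""
    result = find(ET.fromstring(response_xml), "Result")
    if result is None:
        return ("deny", "reject")
    node = find(result, "Decision")
    decision = (node.text or "").strip() if node is not None else ""
    if decision == "Permit":
        return ("permit", "none")
    if decision != "Indeterminate":
        return ("deny", "none")
    code = find(result, "StatusCode")
    if code is None or not code.get("Value"):
        # The case the message objects to: the PEP cannot tell error from missing input.
        return ("deny", "unknown-cause")
    return ("deny", ACTIONS.get(code.get("Value"), "unknown-cause"))

def sample(decision, status=None):
    """Build a constructed response context (sample data, not real PDP output)."""
    s = f'<Status><StatusCode Value="{status}"/></Status>' if status else ""
    return (f'<Response xmlns="urn:oasis:names:tc:xacml:1.0:context"><Result>'
            f'<Decision>{decision}</Decision>{s}</Result></Response>')

if __name__ == "__main__":
    for st in (None, STATUS + "processing-error", STATUS + "missing-attribute"):
        print(st, "->", pep_handle(sample("Indeterminate", st)))
```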




