

Subject: Re: [xacml] IIC012: syntax-error or processing-error?



On Wed, Dec 04, 2002 at 10:37:53AM -0500, Polar Humenn wrote:
> "If an error occurs while evaluating the target of a policy, or a
> reference to a policy is considered invalid or the policy evaluation
> results in "Indeterminate", then the policy set SHALL evaluate to
> "Indeterminate"."

By my reading, this only covers some of the cases. I see three reasons for
an error in the quoted text:

1. An error occurs while evaluating the target of a policy
2. A reference to a policy is considered invalid
3. Policy evaluation returns Indeterminate

Reasons 1 and 3 refer to policies that have been successfully parsed by the
PDP. If the policy is invalid, then we [1] won't try target evaluation, and we
won't get an error on policy evaluation. That leaves reason 2, which I
believe only refers to a PolicyIdReference or a PolicySetIdReference. So,
my original comments about run-time retrieval still apply. If I have a
module in my PDP which lets me, for example, talk to an LDAP service to get
policies, and a request comes in that applies to one and only one policy in
the directory, but that policy is invalid, what should I do? The quoted text
does not say anything about this case. I may choose to say I couldn't find
any valid policies, so I return NA, or I could say I found an invalid policy,
and return SyntaxError. It may be that case 2 is supposed to apply to this
problem as well, in which case I think the text should be re-worked to make
that clearer.

In any case, I certainly agree with you that there are several scenarios where
it is up to the implementor what to do. I think you explained that clearly
in your last email, so I won't repeat any of it here :)


seth


[1] Where "we" is Polar, me, and anyone else who is throwing out invalid
policies before evaluation
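
The two implementor choices described in the message above, for a policy that is retrieved at run time but fails to parse, shown as an added example that is not part of the original post or of any XACML implementation. `STORE`, `load` and `evaluate` are hypothetical names; indexing stored policies by resource id, the one-rule policy shape and the deny-overrides combination are simplifying assumptions.

```python
import xml.etree.ElementTree as ET

# Status code identifiers as defined by XACML 1.0.
OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
SYNTAX_ERROR = "urn:oasis:names:tc:xacml:1.0:status:syntax-error"

# Constructed stand-in for the LDAP directory: resource id -> stored policy text.
STORE = {
    "payroll": ['<Policy PolicyId="p1"><Rule RuleId="r1" Effect="Deny"/></Policy>'],
    # Constructed invalid policy: the Rule element is never closed.
    "wiki": ['<Policy PolicyId="p2"><Rule RuleId="r2" Effect="Permit"></Policy>'],
}


def load(text):
    """Parse one stored policy; return None if it is not a usable policy."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    if root.tag != "Policy" or root.find("Rule") is None:
        return None
    return root


def evaluate(resource, strict):
    """Return (decision, status code) for a request on `resource`.

    strict=False: invalid policies are thrown out before evaluation.
    strict=True:  any invalid candidate makes the result Indeterminate.
    """
    effects, invalid = [], 0
    for text in STORE.get(resource, []):
        policy = load(text)
        if policy is None:
            invalid += 1
            continue
        effects.append(policy.find("Rule").get("Effect"))
    if strict and invalid:
        return ("Indeterminate", SYNTAX_ERROR)
    if not effects:
        return ("NotApplicable", OK)
    # Simplified deny-overrides over the policies that did load.
    return ("Deny" if "Deny" in effects else "Permit", OK)


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "lenient", evaluate("wiki", mode))
```

In the lenient mode the result for `wiki` is the same `NotApplicable` a PEP would see if no policy existed at all, so the broken policy is only visible if the PDP logs the parse failure separately.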

