OASIS Mailing List Archives

xacml message



Subject: Re: [xacml] IIC012: syntax-error or processing-error?


On Wed, 4 Dec 2002, Seth Proctor wrote:

>
> On Wed, Dec 04, 2002 at 10:37:53AM -0500, Polar Humenn wrote:
> > "If an error occurs while evaluating the target of a policy, or a
> > reference to a policy is considered invalid or the policy evaluation
> > results in "Indeterminate", then the policy set SHALL evaluate to
> > "Indeterminate"."
>
> By my reading, this only covers some of the cases. I see three reasons for
> an error in the quoted text:
>
> 1. An error occurs while evaluating the target of a policy
> 2. A reference to a policy is considered invalid
> 3. Policy evaluation returns Indeterminate
>
> Reasons 1 and 3 refer to policies that have been successfully parsed by the
> PDP. If the policy is invalid, then we [1] won't try target evaluation, and we
> won't get an error on policy evaluation.

In some cases, target evaluation will be through indexing, in which you
must retrieve all the policies and the policies must have been parsed
beforehand, so you will know if the containing policy is really valid or
not due to its constituents.

In the case where the policy behind the reference is considered valid before
proven invalid, then you are effectively evaluating the targets of the
policy as you retrieve them, in which case the "error" will happen during
evaluation of that particular target.

The next case is if the reference is not valid.

Cheers,
-Polar



> That leaves reason 2, which I believe only refers to a PolicyIdReference
> or a PolicySetIdReference. So, my original comments about run-time
> retrieval still apply. If I have a module in my PDP which lets me, for
> example, talk to an LDAP service to get policies, and a request comes in
> that applies to one and only one policy in the directory, but that
> policy is invalid, what should I do? The quoted text does not say
> anything about this case. I may choose to say I couldn't find any valid
> policies, so I return NA, or I could say I found an invalid policy, and
> return SyntaxError. It may be that case 2 is supposed to apply to this
> problem as well, in which case I think the text should be re-worked to
> make that clearer.
>
> In any case, I certainly agree with you that there are several scenarios where
> it is up to the implementor what to do. I think you explained that clearly
> in your last email, so I won't repeat any of it here :)
>
>
> seth
>
>
> [1] Where "we" is Polar, me, and anyone else who is throwing out invalid
> policies before evaluation
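The three reasons listed in the thread, and the difference between checking references up front and resolving them as they are reached, as an added example that is not part of the original messages or of the XACML specification. All Python names are hypothetical, a stored value of `None` stands in for a policy that fails to parse, and returning the first applicable child's decision is an assumption made to keep the evaluator small.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

class InvalidPolicy(Exception):
    """The referenced policy is missing or failed to parse."""

@dataclass
class Policy:
    target: Callable[[dict], bool]    # may raise while being evaluated
    evaluate: Callable[[dict], str]   # Permit, Deny, NotApplicable or Indeterminate

@dataclass
class PolicyIdReference:
    policy_id: str

Child = Union[Policy, PolicyIdReference]
Store = Dict[str, Optional[Policy]]   # None models a stored policy that does not parse

def resolve(ref: PolicyIdReference, store: Store) -> Policy:
    policy = store.get(ref.policy_id)
    if policy is None:
        raise InvalidPolicy(ref.policy_id)
    return policy

def validate_eagerly(children: List[Child], store: Store) -> List[str]:
    """Check every reference up front; return the ids that are invalid."""
    return [c.policy_id for c in children
            if isinstance(c, PolicyIdReference) and store.get(c.policy_id) is None]

def evaluate_policy_set(children: List[Child], store: Store, request: dict) -> str:
    """Lazy evaluation: a reference is resolved only when it is reached."""
    for child in children:
        try:
            policy = resolve(child, store) if isinstance(child, PolicyIdReference) else child
            if not policy.target(request):   # reason 1: target evaluation may raise
                continue
            decision = policy.evaluate(request)
        except Exception:                    # reasons 1 and 2 (InvalidPolicy included)
            return "Indeterminate"
        if decision != "NotApplicable":      # reason 3: Indeterminate propagates as-is
            return decision
    return "NotApplicable"

# Constructed sample data (not from the thread).
PERMIT_ALL = Policy(target=lambda r: True, evaluate=lambda r: "Permit")
STORE: Store = {"good": PERMIT_ALL, "broken": None}
```

With lazy resolution, a broken reference that sits behind an applicable policy is never reached, so the same policy set that `validate_eagerly` flags can still return a decision.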


