Subject: RE: [xacml] IIC012: syntax-error or processing-error?
A question: do we state that the PDP is indeed processing XACML policy and request directly? In an implementation the PDP may never even see the policy in question: errors in the policy document are being taken care of by the PAP and transformed into some other internal format, while the request context is processed by the PEP and context handler. The PDP may read and process the policy in an entirely different format - thus it cannot pass this conformance test.

D;

-----Original Message-----
From: Polar Humenn
To: Seth Proctor
Cc: Anne Anderson; XACML TC
Sent: 12/4/02 8:17 AM
Subject: Re: [xacml] IIC012: syntax-error or processing-error?

On Wed, 4 Dec 2002, Seth Proctor wrote:

> On Wed, Dec 04, 2002 at 10:37:53AM -0500, Polar Humenn wrote:
> > "If an error occurs while evaluating the target of a policy, or a
> > reference to a policy is considered invalid or the policy evaluation
> > results in "Indeterminate", then the policy set SHALL evaluate to
> > "Indeterminate"."
>
> By my reading, this only covers some of the cases. I see three reasons for
> an error in the quoted text:
>
> 1. An error occurs while evaluating the target of a policy
> 2. A reference to a policy is considered invalid
> 3. Policy evaluation returns Indeterminate
>
> Reasons 1 and 3 refer to policies that have been successfully parsed by the
> PDP. If the policy is invalid, then we [1] won't try target evaluation, and we
> won't get an error on policy evaluation.

In some cases, target evaluation will be through indexing, in which you must
retrieve all the policies and the policies must have been parsed beforehand,
so you will know if the containing policy is really valid or not due to its
constituents.

In the case where the policy behind the reference is considered valid before
proven invalid, then you are effectively evaluating the targets of the policy
as you retrieve them, in which case the "error" will happen during evaluation
of that particular target.

The next case is if the reference is not valid.

Cheers,
-Polar

> That leaves reason 2, which I believe only refers to a PolicyIdReference
> or a PolicySetIdReference. So, my original comments about run-time
> retrieval still apply. If I have a module in my PDP which lets me, for
> example, talk to an LDAP service to get policies, and a request comes in
> that applies to one and only one policy in the directory, but that
> policy is invalid, what should I do? The quoted text does not say
> anything about this case. I may choose to say I couldn't find any valid
> policies, so I return NA, or I could say I found an invalid policy, and
> return SyntaxError. It may be that case 2 is supposed to apply to this
> problem as well, in which case I think the text should be re-worked to
> make that clearer.
>
> In any case, I certainly agree with you that there are several scenarios where
> it is up to the implementor what to do. I think you explained that clearly
> in your last email, so I won't repeat any of it here :)
>
>
> seth
>
>
> [1] Where "we" is Polar, me, and anyone else who is throwing out invalid
> policies before evaluation

----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>
----------------------------------------------------------------
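The three error reasons Seth lists, and the open question of what a PDP returns when a run-time reference resolves to a policy that fails to parse, can be made concrete in a small model. The block below is an added example for this page; it is not code from the XACML TC, from any XACML implementation, or from anyone in the thread. The class names, the `retrieve` hook, the `invalid_ref_as_not_found` switch, the first-applicable style of combining and the status code attached to each Indeterminate result are all assumptions made here for illustration; only the decision names and the status URIs are XACML 1.0's own. The "directory" it retrieves from is a constructed in-memory dictionary standing in for Seth's LDAP module.

```python
"""Toy model of the policy-set evaluation rule quoted in the thread.

Added example for this page, not code from the XACML TC or any XACML
implementation. Class names, the retrieval hook and the combining logic are
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

PERMIT, DENY = "Permit", "Deny"
INDETERMINATE, NOT_APPLICABLE = "Indeterminate", "NotApplicable"

STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
STATUS_SYNTAX_ERROR = "urn:oasis:names:tc:xacml:1.0:status:syntax-error"
STATUS_PROCESSING_ERROR = "urn:oasis:names:tc:xacml:1.0:status:processing-error"


class TargetError(Exception):
    """A <Target> could not be evaluated (reason 1 in Seth's list)."""


class InvalidPolicy(Exception):
    """The retrieval hook found a referenced policy that does not parse."""


@dataclass(frozen=True)
class Result:
    decision: str
    status: str = STATUS_OK


@dataclass
class Policy:
    policy_id: str
    target: Callable[[Dict[str, str]], bool]  # may raise TargetError
    rule_decision: str  # rule evaluation collapsed to one value; INDETERMINATE models reason 3

    def evaluate(self, request: Dict[str, str]) -> Result:
        try:
            applies = self.target(request)
        except TargetError:
            return Result(INDETERMINATE, STATUS_PROCESSING_ERROR)  # reason 1
        if not applies:
            return Result(NOT_APPLICABLE)
        if self.rule_decision == INDETERMINATE:
            return Result(INDETERMINATE, STATUS_PROCESSING_ERROR)  # reason 3
        return Result(self.rule_decision)


@dataclass(frozen=True)
class PolicyIdReference:
    policy_id: str


Child = Union[Policy, PolicyIdReference]
Retriever = Callable[[str], Policy]  # resolves a reference at run time; raises InvalidPolicy


def evaluate_policy_set(children: List[Child], request: Dict[str, str],
                        retrieve: Retriever,
                        invalid_ref_as_not_found: bool = False) -> Result:
    """First-applicable combining (an assumption of this example).

    Per the quoted rule, a target error, an invalid reference, or a child that
    evaluates to Indeterminate makes the whole set Indeterminate. The switch
    selects Seth's alternative reading: a reference whose policy fails to parse
    is treated as if no policy had been found.
    """
    for child in children:
        if isinstance(child, PolicyIdReference):
            try:
                policy = retrieve(child.policy_id)
            except InvalidPolicy:
                if invalid_ref_as_not_found:
                    continue  # "couldn't find any valid policies"
                return Result(INDETERMINATE, STATUS_SYNTAX_ERROR)  # reason 2
        else:
            policy = child
        result = policy.evaluate(request)
        if result.decision == INDETERMINATE:
            return result
        if result.decision != NOT_APPLICABLE:
            return result  # first applicable policy decides
    return Result(NOT_APPLICABLE)


# --- constructed sample data, not from the page ---------------------------

_DIRECTORY = {  # stands in for Seth's LDAP module
    "urn:example:good": "<Policy PolicyId='urn:example:good'>...</Policy>",
    "urn:example:broken": "<Polcy PolicyId='urn:example:broken'>...</Polcy>",  # misspelt root
}


def directory_retrieve(policy_id: str) -> Policy:
    """Retrieve and 'parse': a document whose root is not <Policy> is invalid."""
    xml = _DIRECTORY.get(policy_id, "")
    if not xml.lstrip().startswith("<Policy"):
        raise InvalidPolicy(policy_id)
    return Policy(policy_id, lambda req: req.get("resource") == "ledger", PERMIT)


def _failing_target(req: Dict[str, str]) -> bool:
    raise TargetError("attribute lookup failed")


def demo() -> Dict[str, Result]:
    request = {"resource": "ledger"}
    cases = {
        "ok": [PolicyIdReference("urn:example:good")],
        "target_error": [Policy("urn:example:t", _failing_target, PERMIT)],
        "rule_indeterminate": [Policy("urn:example:i", lambda r: True, INDETERMINATE)],
        "invalid_ref": [PolicyIdReference("urn:example:broken")],
    }
    out = {n: evaluate_policy_set(c, request, directory_retrieve) for n, c in cases.items()}
    out["invalid_ref_as_not_found"] = evaluate_policy_set(
        cases["invalid_ref"], request, directory_retrieve, invalid_ref_as_not_found=True)
    return out


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:26} -> {r.decision} ({r.status})")
```

The `directory_retrieve` stand-in parses on demand, which is the run-time retrieval case Seth describes; the same parse failure would surface earlier, before any target is evaluated, under the indexing scheme Polar mentions, and in the architecture D describes it would surface in the PAP before the PDP ever saw XML. Which component observes the failure is exactly what decides whether the conformance test can see a syntax-error status at all.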