Optimization and side effects

[Erik Rissanen <erik@axiomatics.com>]

All,

I have been considering optimization of XACML evaluation and one issue 
which the spec is unclear on is out of order evaluation.

I thought that the spec says somewhere that the PDP is allowed to do 
processing in any way as long as the results are identical to the spec, 
but I cannot find that anywhere now when I tried to look for it. I think 
we should insert this in the normative text of the specification.

I would also like to say something about side effects. None of the 
standard XACML functions have side effects, but it is conceivable that 
an XACML extension could have side effects. I would like to state in the 
normative text that any extensions and policies may not assume any 
particular order of execution with respect to side effects.

I propose that we add a new section 7.16 in the XACML 3.0 draft:

<<< Proposed text >>>

7.16. Optimization of evaluation

An implementation may perform evaluation in any manner or order as long 
as the resulting response context is the same as specified by this 
specification.

None of the standard XACML functions have side effects. XACML extensions 
MAY have side effects, but an implementation and policies may not make 
any assumptions about which side effects are executed and in what order 
such execution happens. It is RECOMMENDED that no XACML extension has 
side effects.

<<< End proposed text >>>

Alternatively we could forbid side effects altogether, but that is 
probably not necessary. And it might by hard to define what a side 
effect is.

Best regards,
Erik