xacml message



Subject: Issue 73, where does reduction start?


All,

Issue 73 is about the level in a nested policy set at which delegation 
reduction starts.

As it is specified currently, reduction is done as a graph search where 
the nodes of the graph are the policies in a policy set. In other words, 
we could say that "reduction starts at the siblings of the policy being 
reduced" to use the wording of issue 73.

Alternatively, it has been suggested that reduction should start at the 
top level in the PDP, leading to recursive invocations of the PDP.

The reduction algorithm was designed as it is currently for two reasons:

1) The current mode gives an algorithm which is guaranteed to terminate 
(unless the 'access-permitted' function is invoked in the policies) and 
is much easier to analyze and comprehend than the "top level PDP" 
alternative.

2) There are security issues related to policy sets with nested issuers 
in case of a "top level PDP" approach. In effect the issuer of a policy 
set with nested <PolicyIssuer> elements has authenticated the attributes 
in all contained <PolicyIssuer> elements. Invoking delegation at the top 
level means that the reduction process of a policy may enter other 
policy sets thus introducing a trust relation to the issuer of the other 
policy and his authentication of policy issuers.

I propose that issue 73 be closed with no action, since I think the 
current reduction algorithm is the correct solution.

Best regards,
Erik
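The following is an added illustration of the two reduction scopes discussed in the message; it is not code from Erik's mail, from the XACML specification, or from any XACML implementation. It is a deliberately simplified model: an administrative policy's target over delegate attributes is reduced to a set of issuer names it authorizes, a policy without a `<PolicyIssuer>` (issuer `None`) stands for a trusted policy, and policy ids, issuer names and the sample policy sets are all constructed for the example. `reduce_policy` searches only among the siblings of the policy being reduced, while `reduce_top_level` pools every policy set, which is the point at which the search can leave the original policy set.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    policy_id: str
    issuer: Optional[str]        # None models a trusted policy with no <PolicyIssuer> (assumption)
    decision: str                # decision the policy would return for the access request
    delegates: frozenset = frozenset()  # issuers this administrative policy authorizes (simplification)


@dataclass
class PolicySet:
    policy_set_id: str
    policies: List[Policy]


def _search(pool: List[Policy], policy: Policy) -> Optional[List[str]]:
    """Breadth-first search over `pool`: from `policy`, follow edges to policies that
    authorize the current node's issuer until a trusted (issuer None) policy is reached.
    The visited set guarantees termination even when issuers authorize each other in a cycle.
    Returns the chain of policy ids, or None when no chain reaches a trusted policy."""
    if policy.issuer is None:
        return [policy.policy_id]
    queue = deque([(policy, [policy.policy_id])])
    visited = {policy.policy_id}
    while queue:
        node, path = queue.popleft()
        for cand in pool:
            if cand is node or cand.policy_id in visited:
                continue
            if node.issuer not in cand.delegates:
                continue  # cand does not authorize this issuer, so no edge
            chain = path + [cand.policy_id]
            if cand.issuer is None:
                return chain  # reached a trusted policy
            visited.add(cand.policy_id)
            queue.append((cand, chain))
    return None


def reduce_policy(policy_set: PolicySet, policy: Policy) -> Optional[List[str]]:
    """Reduction as currently specified: the graph nodes are the siblings of `policy`
    inside its own policy set, so the search never consults another policy set."""
    return _search(policy_set.policies, policy)


def reduce_top_level(policy_sets: List[PolicySet], policy: Policy) -> Optional[List[str]]:
    """The 'top level PDP' alternative, modelled as one pool of every policy in the PDP:
    a chain may now pass through policies of a different policy set and issuer."""
    pool = [p for ps in policy_sets for p in ps.policies]
    return _search(pool, policy)


def trusted_decision(policy_set: PolicySet, policy: Policy) -> str:
    """Decision of `policy` if its issuer can be reduced to a trusted policy, else NotApplicable."""
    return policy.decision if reduce_policy(policy_set, policy) else "NotApplicable"


# Constructed sample data. In PS_MAIN, alice's policy is backed by bob, who is backed by a
# trusted policy; carol and dave only vouch for each other, forming a cycle with no trusted root.
PS_MAIN = PolicySet("ps:main", [
    Policy("p:alice-permit", "alice", "Permit"),
    Policy("a:bob-for-alice", "bob", "Permit", frozenset({"alice"})),
    Policy("a:root-for-bob", None, "Permit", frozenset({"bob"})),
    Policy("p:carol-permit", "carol", "Permit"),
    Policy("a:dave-for-carol", "dave", "Permit", frozenset({"carol"})),
    Policy("a:carol-for-dave", "carol", "Permit", frozenset({"dave"})),
])

# A second policy set, whose issuer has authenticated a trusted policy authorizing carol.
PS_OTHER = PolicySet("ps:other", [
    Policy("a:root-for-carol", None, "Permit", frozenset({"carol"})),
])

ALICE_POLICY = PS_MAIN.policies[0]
CAROL_POLICY = PS_MAIN.policies[3]

if __name__ == "__main__":
    print(reduce_policy(PS_MAIN, ALICE_POLICY))                 # chain to a:root-for-bob
    print(reduce_policy(PS_MAIN, CAROL_POLICY))                 # None: cycle, search terminates
    print(reduce_top_level([PS_MAIN, PS_OTHER], CAROL_POLICY))  # chain crosses into ps:other
```

Running it shows the two properties the message argues from: the sibling-scoped search terminates on the carol/dave cycle because every policy is visited at most once, and carol's policy stays unreduced because the only trusted policy authorizing her lives in `ps:other`. Pooling the policy sets makes that policy reachable, which is exactly the implicit trust in `ps:other`'s issuer that the second objection describes.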


