OASIS Mailing List Archives

xacml message



Subject: Open issue 66


All,

I propose that issue 66, "Missing attributes may be underspecified", 
be closed without action. The issue has been up there a long time with 
no proposals for a solution. In addition to that, I believe it is 
technically impossible to provide a solution. The reason someone gets a 
not-applicable from the PEP is because "there is no policy which 
applies". In general there is no way to describe in the form of "missing 
attributes" what the PEP needs to provide for the policy to apply. 
Policies can be much too complex for this. In particular, a policy could 
be NotApplicable because an attribute is present, for example. Or it 
might require that three particular integer attributes form a 
Pythagorean triple. How do you express that as "missing attributes"?!

And we demonstrated in the RSA interop that obligations can be used to 
handle simple use cases where some attributes can be expected to be 
missing. An obligation can be used to mark the part of the policy which 
required an attribute, and the obligation can then be returned by the 
PDP if the attribute is missing.

Best regards,
Erik
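
Added example, not part of the original message and not code from the XACML TC or any XACML implementation: a toy Python model of the two points above, showing policies whose NotApplicable result cannot be described as a list of missing attributes, and the obligation pattern for the simple case. The attribute names, the obligation URN, and the choice to attach the obligation to a Deny decision are assumptions made for illustration.

```python
# Toy decision model, not an XACML engine. All names here are hypothetical.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed obligation identifier (assumption, not from any specification).
NEED_CLEARANCE = "urn:example:obligation:provide:clearance"


def is_pythagorean_triple(req):
    """Condition over three integer attributes taken together."""
    try:
        a, b, c = sorted(int(req[k]) for k in ("x", "y", "z"))
    except (KeyError, ValueError):
        return False
    return a > 0 and a * a + b * b == c * c


def triple_policy(req):
    # Applies only when x, y, z form a triple. For (3, 4, 6) every attribute
    # is present, so no "missing attributes" list explains the NotApplicable.
    return (PERMIT, []) if is_pythagorean_triple(req) else (NOT_APPLICABLE, [])


def absence_policy(req):
    # Applies only when "guest" is absent: supplying an extra attribute is
    # what makes this policy NotApplicable.
    return (NOT_APPLICABLE, []) if "guest" in req else (PERMIT, [])


def clearance_policy(req):
    # Obligation pattern for the simple case: the branch that requires
    # "clearance" is marked, and the marker is returned when it is missing.
    if "clearance" not in req:
        return (DENY, [NEED_CLEARANCE])
    return (PERMIT, []) if req["clearance"] == "secret" else (DENY, [])


def evaluate(policy, req):
    """Return the decision and obligations as the caller would see them."""
    decision, obligations = policy(req)
    return {"decision": decision, "obligations": obligations}


if __name__ == "__main__":
    print(evaluate(triple_policy, {"x": 3, "y": 4, "z": 6}))
    print(evaluate(absence_policy, {"role": "dev", "guest": "true"}))
    print(evaluate(clearance_policy, {"role": "dev"}))
```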


