RE: Indeterminate Policy Targets [WAS: [xacml] Posted WD-19 of core and WD-14 of SAML profile]

["Tyson, Paul H" <PTyson@bellhelicopter.textron.com>]

See below.

> -----Original Message-----
> From: Erik Rissanen [mailto:erik@axiomatics.com]
> Sent: Wednesday, April 20, 2011 09:00
> To: Tyson, Paul H
> Cc: xacml
> Subject: Re: Indeterminate Policy Targets [WAS: [xacml] Posted WD-19
of
> core and WD-14 of SAML profile]
> 
> Hi Paul,
> 
> See inline.
> 
> On 2011-04-20 15:19, Tyson, Paul H wrote:
> > I agree that conventional usage and interpretation of the spec could
> > support this view (i.e., that a policy with a target should not
> always
> > give the same result as a policy with the target matching conditions
> > distributed to rules).
> >
> > I'm saying that this is a logical inconsistency that we might want
to
> > consider fixing, rather than adding more special evaluation
> procedures.
> 
> I don't think this is a logical inconsistency. It has to be like this
> or
> otherwise many of the current combining algorithms could not be
> implemented. For instance the deny-unless permit also converts,
> intentionally, Indeterminates to Denys.

We can't have it two ways.  Either: 1) Target is syntactic sugar to
avoid repeating conditions in rules (and to allow indexing of policies
and rules); or 2) Target is a distinguished semantic component that
plays an independent role in policy evaluation.

As long as Target evaluates to "Match" or "No Match", it doesn't matter
how you look at it--you will get the same results.  But when it
evaluates to "Indeterminate", you must choose.  Your wd-19 proposal
(section 7.13) assumes the 2nd interpretation.  I think there are
advantages to choosing the 1st interpretation, and making the necessary
changes to the specification to ensure consistent evaluation of policies
according to this interpretation.

If the TC has already considered this issue and decided that Target is a
distinguished semantic component, then I will withdraw my objection.
But I don't think there's enough evidence in the specification to make a
definite interpretation.

As for the "permit-unless-deny" and "deny-unless-permit" algorithms,
they are dangerous syntactic sugar for policy writers who care not to
structure their policies to fall through to an explicit Permit or Deny
default rule.  Nevertheless, interpreting an indeterminate target as
"all rules are indeterminate" would actually fortify the intent of these
algorithms, which are to be used in cases where "NotApplicable" or
"Indeterminate" are never wanted.  Under section 7.13 of wd-19, these
algorithms would be overridden with an "Indeterminate" flavor of
result--something the policy writer definitely did not want.

> 
> "The target evaluates to Indeterminate, so we do not know whether this
> policy applies" is not the same thing as "all rules in this policy are
> broken and return Indeterminate". In the latter case the policy
> combining algorithm could override the rules and return something else
> than Indeterminate.

The first question only arises if Target is a distinguished semantic
component, which I am arguing against.  The latter case may be
occasionally surprising, but overall it is consistent.

Regards,
--Paul