Subject: RE: [xacml] PolicySetIdReference Questions


I agree that the spec is far from clear. Here is what is intended.

Section 5.1 and 5.14 say "It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier." This should say "It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier and the same version."

The intent of sections 5.10, 5.11 and 5.12 is that versions consist of a series of decimal numbers separated by dots. Versions are compared by starting with the leftmost number and comparing each in turn until there is a different value or no value present for one of them. If the value is different, the version with the larger number is deemed "higher" or "later" or "newer". A missing value is taken to be the lowest value, thus the longer one is higher. For example, the following versions are in order from low to high, oldest to newest.

1.223.7
2.0.4.35
2.0.5
2.0.5.27
2.1

Section 5.13 defines a version wildcard syntax which I think is pretty clear.

Given that, here are my answers to your questions.


>In section 5.10 Element <PolicySetIdReference> of the xacml-3.0-core-spec-en;  starting at 
>line 1973 "In the case that more than one matching version can be obtained, then the most 
>recent one SHOULD be used."

>In the case where there are two or more PolicySets that have the same PolicySetId value and 
>the same version value:

This case is not supposed to occur. If the Id is the same the version must differ.

>1.) Can it be guaranteed that the "most recent" will always be selected?
>2.) How is the "most recent" selected (e.g. by date-time, largest Version value, etc)?
>3.) Does "SHOULD" (RFC2119) mean that the PEP cannot assume that the "most recent" will be 
>selected?
>4.) Can the PEP assume that the PDP will at least select consistently, changing its selection when a version of the Policy/PolicySet is added or removed?

>In the case where there are two or more PolicySets that have the same PolicySetId value but 
>different version values how would these questions (1 - 4 above) be answered?

>1.) Can it be guaranteed that the "most recent" will always be selected?

Yes in the cases where the spec says "most recent". By using the <PolicySetIdReference> XML Attributes: Version, EarliestVersion, and LatestVersion it is also possible to explicitly reference a Policy version which is not the latest.

>2.) How is the "most recent" selected (e.g. by date-time, largest Version value, etc)?

Only by comparison of version numbers as described above.


>3.) Does "SHOULD" (RFC2119) mean that the PEP cannot assume that the "most recent" will be 
>selected?

IMO, this SHOULD is a mistake or perhaps an ill-considered compromise. One of the oldest principles of XACML is that, given the same Policies and the same decision request, all conformant PDPs will produce the same Effect. (Not always the same Obligations and Advice.)

I would be in favor of changing this SHOULD to a MUST in the future.

>4.) Can the PEP assume that the PDP will at least select consistently, changing its selection when a version of the Policy/PolicySet is added or removed?

That is exactly the intention. We wanted people to be able to choose any of "a specific policy version", "the newest policy version available" or "the latest version 3 policy, but not version 4 or higher", among other use cases.

Hal
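The version ordering, the wildcard matching of section 5.13 and the "most recent matching version" resolution of a <PolicySetIdReference> described above, written out as an added example. This is illustration code, not part of the thread, the XACML specification or any OASIS implementation. It assumes: the policy set identifiers are constructed; "*" matches exactly one number and a trailing "+" matches one or more remaining numbers (so "1.+" does not match the bare version "1", which is one reading of the spec text); and EarliestVersion/LatestVersion are given as plain versions rather than wildcard patterns, which the schema would also allow.

```python
import re
from functools import cmp_to_key
from typing import Iterable, List, Optional, Tuple

# Lexical patterns from XACML 3.0 core: VersionType (5.11) and VersionMatchType (5.13).
VERSION_RE = re.compile(r"^(\d+\.)*\d+$")
VERSION_MATCH_RE = re.compile(r"^((\d+|\*)\.)*(\d+|\*|\+)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a VersionType string into integers, e.g. '2.0.5' -> (2, 0, 5)."""
    if not VERSION_RE.match(version):
        raise ValueError(f"not a valid XACML version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def compare_versions(a: str, b: str) -> int:
    """Compare left to right, as Hal describes: the first differing number decides;
    a missing number is lower than any present one, so the longer version is higher.
    Returns -1, 0 or 1 for a < b, a == b, a > b."""
    pa, pb = parse_version(a), parse_version(b)
    for x, y in zip(pa, pb):
        if x != y:
            return -1 if x < y else 1
    return (len(pa) > len(pb)) - (len(pa) < len(pb))


def sorted_versions(versions: Iterable[str]) -> List[str]:
    """Order versions from oldest to newest."""
    return sorted(versions, key=cmp_to_key(compare_versions))


def version_matches(pattern: str, version: str) -> bool:
    """VersionMatchType: a number matches the same number, '*' matches exactly one
    number, and a trailing '+' matches one or more remaining numbers.
    Assumption (this example's reading): '+' needs at least one number, so
    '1.+' matches '1.2' and '1.2.3' but not '1'."""
    if not VERSION_MATCH_RE.match(pattern):
        raise ValueError(f"not a valid XACML version match: {pattern!r}")
    parse_version(version)  # reject malformed versions early
    parts = pattern.split(".")
    nums = version.split(".")
    if parts[-1] == "+":
        head = parts[:-1]
        if len(nums) <= len(head):
            return False
        nums = nums[: len(head)]
    else:
        head = parts
        if len(nums) != len(head):
            return False
    return all(p == "*" or int(p) == int(n) for p, n in zip(head, nums))


def check_unique(policy_sets: Iterable[Tuple[str, str]]) -> None:
    """PAP-side check behind sections 5.1/5.14 as Hal reads them: no two policy sets
    visible to the PDP may share both PolicySetId and Version."""
    seen = set()
    for pid, version in policy_sets:
        key = (pid, parse_version(version))
        if key in seen:
            raise ValueError(f"duplicate policy set {pid} version {version}")
        seen.add(key)


def resolve_reference(policy_sets: Iterable[Tuple[str, str]], policy_set_id: str,
                      version: Optional[str] = None, earliest: Optional[str] = None,
                      latest: Optional[str] = None) -> Optional[str]:
    """Resolve a <PolicySetIdReference>: keep candidates with the referenced Id that
    match the Version pattern and lie within [EarliestVersion, LatestVersion]
    (plain versions here, an assumption of this example), then return the most
    recent one by version number, never by date-time. None if nothing matches."""
    matching = [
        v for pid, v in policy_sets
        if pid == policy_set_id
        and (version is None or version_matches(version, v))
        and (earliest is None or compare_versions(v, earliest) >= 0)
        and (latest is None or compare_versions(v, latest) <= 0)
    ]
    if not matching:
        return None
    return max(matching, key=cmp_to_key(compare_versions))


# Constructed sample data: Hal's five versions under one Id, plus a 3.x/4.x set.
HAL_VERSIONS = ["2.0.5.27", "2.1", "1.223.7", "2.0.5", "2.0.4.35"]
SAMPLE_POLICY_SETS = [("urn:example:ps:a", v) for v in HAL_VERSIONS] + [
    ("urn:example:ps:b", "3.0"),
    ("urn:example:ps:b", "3.2"),
    ("urn:example:ps:b", "4.0"),
]

if __name__ == "__main__":
    check_unique(SAMPLE_POLICY_SETS)
    print("ordered:", sorted_versions(HAL_VERSIONS))
    print("newest of a:", resolve_reference(SAMPLE_POLICY_SETS, "urn:example:ps:a"))
    print("latest 3.x of b:", resolve_reference(SAMPLE_POLICY_SETS, "urn:example:ps:b", version="3.+"))
    print("a, no newer than 2.0.5:", resolve_reference(SAMPLE_POLICY_SETS, "urn:example:ps:a", latest="2.0.5"))
```

Python's tuple ordering already treats a shorter prefix as lower, so `parse_version` alone would serve as a sort key; `compare_versions` spells the rule out to mirror the prose. The "latest version 3 policy, but not version 4 or higher" use case is the `version="3.+"` call; a pinned reference is `version="3.0"` with no wildcard.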
