Subject: Specification of extended indeterminate in combining algorithms isincomplete
The 10/8/2010 committee specification (using urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 namespace) appears to be incomplete with respect to extended indeterminate states in the combining algorithms. The new combining algorithms are defined entirely in terms of extended indeterminate, but there are cases where extended indeterminate values are not available:
- Algorithms present since the XACML 1.x, whether or not they are marked for deprecation, are only specified in terms of indeterminate
- Indeterminate results from evaluating a policy target
There are no indications about how to handle unextended indeterminate values in the new algorithms or how an extended indeterminate should be propagated through pre-3.0 algorithms.
For the first-applicable combining algorithms, it seems reasonable to propagate the variant of indeterminate as the result of the algorithm on lines 5646 and 5685 for the rule and policy combining algorithms, respectively. The others are unclear to me, though specification about how to handle unextendend indeterminate results in the new algorithms would also solve the problem in a seemingly simpler manner.
This issue makes it unclear about what should be proper conforming behavior.
Another minor omission is lack of explicit indication that obligations and advice should be handled according to section 7.16 after the pseudo-code for the first-applicable rule combining algorithm, as appears for all other rule and policy combining algorithms.
Sr. Software Engineer
SSG Software Pathfinding Initiative