Subject: RE: [xacml] Proposed semantics for operations involving INDETERMI NATE



> It is the job of the PDP to deliver Access Decisions, period, and it is
> the job of XACML to specify that access decision. It is not the job of the
> PDP to evaluate the consistency, availability, or correctness of that
> policy.

[DE] An inconsistent, unavailable or incorrect policy CANNOT be evaluated, so yes,
it is the job of the PDP to assure it is consistent, available and correct.

> Errors with the PDP should be limited to operational ones, such as
> communication/invocation problems with the PDP and/or unparsability of the
> output (from bad PDPs).

[DE] A non-available attribute, or a custom function in a condition that cannot
be evaluated, is an operational error.

It is an important distinction - whether the decision is not applicable or
could not be reached due to some operational error - any real-life system will
behave differently in these two cases.

What is important: for the same policy, with the same data available, the decision should
be deterministic, not dependent on the rule order.  And that should be part of the policy
model reflected in the standard - we are writing a portable policy language, not just an XML
schema, and I believe this has to be addressed clearly.  It would not be a good standard if
two PDPs deliver different results for the same policy based on interpretation of what is an
operational error, and what order rules have to be evaluated in.
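As an added illustration of the determinism point in the message above (example code written here, not from the thread or the XACML specification): a small Python model of the four decision values, a deny-overrides style combiner modelled loosely on the XACML 1.0 rule-combining algorithm, a first-applicable combiner beside it, and a helper that checks whether a combiner's answer changes with rule order. The `Decision` enum, the `(effect, result)` rule tuples and the function names are assumptions of this example.

```python
from enum import Enum
from itertools import permutations


class Decision(Enum):
    """Constructed model of the XACML decision values (assumption of this example)."""
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"   # no rule matched the request
    INDETERMINATE = "Indeterminate"    # evaluation hit an operational error


def deny_overrides(rules):
    """Deny-overrides style combiner, loosely modelled on XACML 1.0 (assumption).

    rules: iterable of (effect, result); effect is the rule's declared Effect
    (PERMIT or DENY), result is what the rule evaluated to. Indeterminate is
    tracked apart from NotApplicable so an operational error (missing
    attribute, unevaluable function) never collapses into 'no rule applied'.
    Because it only aggregates, rule order cannot change the outcome."""
    seen_error = seen_permit = potential_deny = False
    for effect, result in rules:
        if result is Decision.DENY:
            return Decision.DENY
        if result is Decision.PERMIT:
            seen_permit = True
        elif result is Decision.INDETERMINATE:
            seen_error = True
            if effect is Decision.DENY:
                potential_deny = True   # the failed rule might have denied
    if potential_deny:
        return Decision.DENY
    if seen_permit:
        return Decision.PERMIT
    if seen_error:
        return Decision.INDETERMINATE
    return Decision.NOT_APPLICABLE


def first_applicable(rules):
    """Returns the first result that is not NotApplicable: order-dependent by design."""
    for _effect, result in rules:
        if result is not Decision.NOT_APPLICABLE:
            return result
    return Decision.NOT_APPLICABLE


def is_order_independent(combiner, rules):
    """True if every permutation of the rules gives the same combined decision."""
    return len({combiner(list(p)) for p in permutations(rules)}) == 1
```

Running `is_order_independent` over a rule set containing a Permit and an Indeterminate shows why a standard has to name the combining algorithm: the aggregating combiner is stable under reordering, the first-applicable one is not.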


