Re: [xacml] 7.7 Obligations

[Polar Humenn <polar@syr.edu>]

On Mon, 7 Oct 2002, bill parducci wrote:

> this is in reference to the pEp (which doesn't do 'extra fancy rule and
> policy recombination algorithm' stuff).
>
> the idea is that *regardless* of what the pDp returns to the pEp in
> terms of an azn decision, the pEp DENIES access to the Resource by the
> Subject if the associated Obligation is not understandable.

It appears to me that this document merely describes a language, such that
when a formula of the language is well formed, when evaluated against a
specific valid input, yields a consistent result.

What the PEP does with that result is up to the PEP. This advice should be
non-normative. The normative part should only outline the specific manner
in which obligations are collected in a particular way, according to the
language, and delivered in the result.

Cheers,
-Polar


>
> b
>
> Daniel Engovatov wrote:
> >
> >
> >
> >>The PDP just collects obligations; it is not responsible for
> >>enforcing them.  The PEP is responsible for enforcing
> >>obligations.  If the PEP does not understand an obligation, it
> >>should deny access.
> >
> >
> > DENY?  What if it is using some extra fancy rule and policy recombination
> > algorithm that never returns denies - only PERMIT and NONAPPLICABLE.
> >
> > Maybe it should be worded such that it is up PEP MUST recognize this, but
> > what to do is up to an implemention?
> >
> > Daniel
> >
> > ----------------------------------------------------------------
> > To subscribe or unsubscribe from this elist use the subscription
> > manager: <http://lists.oasis-open.org/ob/adm.pl>
>
>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>