Re: [xacml] [CR] New Section 7.x: Request context

[Anne Anderson <Anne.Anderson@Sun.com>]

On 8 October, Polar Humenn writes: Re: [xacml] [CR] New Section 7.x: Request context
 > >  A result of "Indeterminate" MUST NOT be returned unless the
 > > immediately enclosing function that references the "missing attribute"
 > > is actually executed.  For example, if two AttributeDesignators are
 > > supplied as arguments to "function:or", and the first
 > > AttributeDesignator returns a value of "true", then the result of the
 > > "function:or" is "true" even if the second AttributeDesignator, if
 > > evaluated, would have returned a result of "Indeterminate" due to
 > > "Missing attribute".
 > 
 > I don't know what you are trying to prevent here. What you are giving is
 > semantics of Indeterminate that are needed down at the function:or or
 > function:and specification and not at the PDP response level.
 > 
 > I would just go with the first three paragraphs.

I would be happy to eliminate everything after the first three
paragraphs up to the paragraph above; I agree, we do not need to
discuss caching and the interaction with the PIP.

But I really think this last paragraph is important.  I am trying
to provide a conceptual model for the interpretation of attribute
references.  What I am trying to prevent is having

1) One PDP return Indeterminate after pre-scanning the policy and
   finding there is one attribute somewhere in the policy that it
   will not be able to provide a value for.

2) Another PDP return Deny or Permit for the same policy and the
   same set of retrievable policies because the missing attribute
   occurs as the second argument to a function:or where the first
   argument evaluates to TRUE.

I want to make it clear that 2) is the intended model, and not 1).

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692