[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [xacml] IIC012: syntax-error or processing-error?
Let me suggest this: the result should be NotApplicable. This is an invalid policy, so the PDP should be unable to parse it. Sine the PDP should reject the policy, there will be no available policy to service the request. Hence, the NotApplicable result. This gets back to a similar thread we started a couple of weeks ago about when to return messages about bad policies (ie, is the policy paresed on PDP startup, on request processing, etc.). I think in general it's hard to define what to do in some of these cases, because different implementators will handle this differently. I want my PDP to reject the invalid policy, therefore it will never be available to a request, and will result in NotApplicable. But that's my choice. It's unclear to me whether the spec allows a PDP to parse and use an invalid policy, which is essentially what's required to get Indeterminate in this case. There is, of course, another side to this. If a request comes into the PDP that causes a policy to be fetched and parsed for the first time, and if that policy is the only applicable policy, then an error in the policy could be reported back to the PEP. Why? Because you might want to make it clear that there was a policy for the request, but it was invalid. This might be useful for diagnostic reasons, but I can't think of any other use for this distinction. The spec doesn't really nail this point down, so it's hard to know for sure what the tests should assume. It's also hard to define whether or not this is the case that the tests are exercising. Thoughts? seth
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC