

Subject: Re: [xacml] IIC012: syntax-error or processing-error?



Let me suggest this: the result should be NotApplicable. This is an invalid
policy, so the PDP should be unable to parse it. Since the PDP should reject
the policy, there will be no available policy to service the request. Hence,
the NotApplicable result.

This gets back to a similar thread we started a couple of weeks ago about when
to return messages about bad policies (i.e., is the policy parsed on PDP
startup, on request processing, etc.). I think in general it's hard to
define what to do in some of these cases, because different implementers
will handle this differently. I want my PDP to reject the invalid policy,
therefore it will never be available to a request, and will result in
NotApplicable. But that's my choice. It's unclear to me whether the spec
allows a PDP to parse and use an invalid policy, which is essentially what's
required to get Indeterminate in this case.

There is, of course, another side to this. If a request comes into the PDP
that causes a policy to be fetched and parsed for the first time, and if that
policy is the only applicable policy, then an error in the policy could be
reported back to the PEP. Why? Because you might want to make it clear that
there was a policy for the request, but it was invalid. This might be useful
for diagnostic reasons, but I can't think of any other use for this
distinction. The spec doesn't really nail this point down, so it's hard to
know for sure what the tests should assume. It's also hard to define whether
or not this is the case that the tests are exercising.

Thoughts?


seth
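
The two behaviours discussed in the message above, as an added sketch that is not part of the original post or of any XACML implementation. Assumptions: the class names are hypothetical, the policies are constructed and simplified (not schema-valid XACML), every policy is treated as applicable to the request, and the lazy variant reports the `syntax-error` status code, a choice the thread itself leaves open.

```python
import xml.etree.ElementTree as ET

# XACML 1.0 status code; choosing it over processing-error is an assumption.
SYNTAX_ERROR = "urn:oasis:names:tc:xacml:1.0:status:syntax-error"

# Constructed sample policies (simplified, not schema-valid XACML).
GOOD = '<Policy PolicyId="p1"><Rule Effect="Permit"/></Policy>'
BAD = '<Policy PolicyId="p2"><Rule Effect="Permit"></Policy>'  # Rule never closed


def parse_policy(text):
    """Return the first rule's Effect; raises ET.ParseError on malformed XML."""
    return ET.fromstring(text).find("Rule").get("Effect")


class EagerPDP:
    """Parses at load time; an invalid policy is rejected and never available."""

    def __init__(self, sources):
        self.policies, self.rejected = [], []
        for src in sources:
            try:
                self.policies.append(parse_policy(src))
            except ET.ParseError as err:
                # The only trace of the bad policy is this load-time record.
                self.rejected.append(str(err))

    def evaluate(self):
        if not self.policies:
            return ("NotApplicable", None)
        return (self.policies[0], None)


class LazyPDP:
    """Parses on first request; a parse failure is reported back to the PEP."""

    def __init__(self, sources):
        self.sources = list(sources)

    def evaluate(self):
        if not self.sources:
            return ("NotApplicable", None)
        try:
            return (parse_policy(self.sources[0]), None)
        except ET.ParseError:
            return ("Indeterminate", SYNTAX_ERROR)
```

With the eager design the PEP cannot distinguish "no policy exists" from "the only policy was rejected", so the `rejected` record is where the diagnostic information has to live.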

