
Subject: Re: [xacml] IIC012: syntax-error or processing-error?



On Wed, 4 Dec 2002, Anne Anderson wrote:

> The specification does not say that the PDP generates the actual
> Response sent back to the PEP.
>
> The specification says that the Context Handler is responsible
> for translating the input format into an internal representation
> consistent with a Request, and for translating the Response
> output into the format expected by the PEP.
>
> I think in this case the ContextHandler will be responsible for
> generating the Response with Indeterminate and syntax-error as
> the Value for the Status Code.

Anne,

PDP, ContextHandler, PEP, without interfaces, what does it really matter?
You wouldn't even get this far with a bad policy.

For instance, my PDP will be automatically configured out of the box with
a default policy that is guaranteed and assured to be correct (i.e.
always "Deny", always "Permit", etc, maybe according to some configuration
file). The PDP will be configured with policies through its administration
interface (not defined by XACML), and will not accept a badly formed
policy, and the previous policy will remain in place.

So, the "ContextHandler" (whatever that is) will never answer the request
to a badly formed policy, because you cannot get the badly formed policy
into the system. It will always work against the currently configured
policy, which is guaranteed to be correctly formed.

We should NOT be stating to PDP vendors that to be compliant, they must
evaluate badly formed policies.

-Polar

> Anne
>
> On 4 December, Polar Humenn writes: Re: [xacml] IIC012: syntax-error or processing-error?
>  > From: Polar Humenn <polar@syr.edu>
>  > To: Anne Anderson <Anne.Anderson@sun.com>
>  > Subject: Re: [xacml] IIC012: syntax-error or processing-error?
>  > Date: Wed, 4 Dec 2002 09:34:50 -0500 (EST)
>  >
>  >
>  > What I am worried about is the implication is that all PDPs must return an
>  > Indeterminate with a status code of syntax-error if asked to evaluate this
>  > policy to be compliant with the standard.
>  >
>  > You can't configure my PDP with a badly formed policy, so there is no hope
>  > in god's country of it even passing this conformance test!
>  >
>  > Maybe there should be two sets of conformance tests. One set for testing
>  > acceptance of well and badly formed policies, and the other set for the
>  > evaluation of well formed Request Contexts and Policies.
>  >
>  > -Polar
>  >
>  >
>  > On Wed, 4 Dec 2002, Anne Anderson wrote:
>  >
>  > > Well, we are required to return a Status Code, and we have a
>  > > Status Code called "syntax-error", which certainly does not imply
>  > > that the policy was evaluated.  I think this exactly fits what
>  > > you want to convey.
>  > >
>  > > Anne
>  > >
>  > > On 4 December, Polar Humenn writes: Re: [xacml] IIC012: syntax-error or processing-error?
>  > >  > From: Polar Humenn <polar@syr.edu>
>  > >  > To: Anne Anderson <Anne.Anderson@sun.com>
>  > >  > Subject: Re: [xacml] IIC012: syntax-error or processing-error?
>  > >  > Date: Wed, 4 Dec 2002 09:06:35 -0500 (EST)
>  > >  >
>  > >  >
>  > >  > This is the same problem as D024. This policy is not well formed. It is
>  > >  > type incorrect. There should be no status code, because it should not even
>  > >  > be hinted at that it should be evaluated.
>  > >  >
>  > >  > Cheers,
>  > >  > -Polar
>  > >  >
>  > >  > On Wed, 4 Dec 2002, Anne Anderson wrote:
>  > >  >
>  > >  > > Conformance Test IIC012 is intended to test for the error case in
>  > >  > > which a Condition FunctionId uses a function that does not return
>  > >  > > a Boolean result.  The <Condition> is:
>  > >  > >
>  > >  > >         <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
>  > >  > >             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
>  > >  > >                 <SubjectAttributeDesignator
>  > >  > >                       AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:age"
>  > >  > >                       DataType="http://www.w3.org/2001/XMLSchema#integer"/>
>  > >  > >             </Apply>
>  > >  > >             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
>  > >  > >                 <EnvironmentAttributeDesignator
>  > >  > >                       AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:bart-simpson-age"
>  > >  > >                       DataType="http://www.w3.org/2001/XMLSchema#integer"/>
>  > >  > >             </Apply>
>  > >  > >         </Condition>
>  > >  > >
>  > >  > > Question: should the StatusCode Value from evaluating this Policy
>  > >  > > be "urn:...:status:syntax-error" (since it is a type error), or
>  > >  > > "urn:...:status:processing-error"?
>  > >  > >
>  > >  > > I'm leaning toward syntax-error.  What do others think?
>  > >  > >
>  > >  > > Anne
>  > >  > > --
>  > >  > > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
>  > >  > > Sun Microsystems Laboratories
>  > >  > > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
>  > >  > > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>  > >  > >
>  > >  > >
>  > >  > > ----------------------------------------------------------------
>  > >  > > To subscribe or unsubscribe from this elist use the subscription
>  > >  > > manager: <http://lists.oasis-open.org/ob/adm.pl>
>  > >  > >
>  > >  >
>  > >  >
>  > >
>  > >
>  >
>  >
>
>
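
The load-time rejection discussed in this thread, as an added example that is not part of the original messages or of any vendor's PDP: a static check that a Condition's FunctionId returns a Boolean, run before a policy is allowed to replace the active one. The `PolicyStore` class, the return-type table (a small subset of the XACML 1.0 functions) and the simplified policy fragments are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"
# Return types for a small subset of the XACML 1.0 function set.
RETURN_TYPE = {
    FN + "integer-subtract": XS + "integer",
    FN + "integer-one-and-only": XS + "integer",
    FN + "integer-greater-than": XS + "boolean",
    FN + "integer-equal": XS + "boolean",
}

class PolicyRejected(Exception):
    """Raised when a candidate policy fails load-time checks."""

def check_conditions(policy_xml):
    """Reject any <Condition> whose FunctionId is unknown or non-Boolean."""
    root = ET.fromstring(policy_xml)  # ParseError if not well-formed XML
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "Condition":  # ignore namespace
            continue
        fid = el.get("FunctionId")
        rtype = RETURN_TYPE.get(fid)
        if rtype is None:
            raise PolicyRejected(f"unknown Condition function: {fid}")
        if rtype != XS + "boolean":
            raise PolicyRejected(f"Condition function {fid} returns {rtype}")

class PolicyStore:
    """Hypothetical admin interface: a bad policy never becomes active."""
    def __init__(self, default_policy):
        check_conditions(default_policy)
        self.active = default_policy

    def load(self, candidate):
        try:
            check_conditions(candidate)
        except (PolicyRejected, ET.ParseError) as err:
            return False, str(err)  # previous policy stays in place
        self.active = candidate
        return True, "accepted"

# Constructed, simplified fragments (no namespace, designators omitted).
GOOD = f'<Rule Effect="Permit"><Condition FunctionId="{FN}integer-greater-than"/></Rule>'
BAD = f'<Rule Effect="Permit"><Condition FunctionId="{FN}integer-subtract"/></Rule>'

store = PolicyStore(GOOD)
accepted, reason = store.load(BAD)  # IIC012-style Condition is refused
print(accepted, reason)
```

With this design the evaluator only ever sees policies that passed the check, so the type error surfaces at administration time rather than as a status code on a decision.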


