RE: [xacml] IIC012: syntax-error or processing-error?

[Daniel Engovatov <dengovatov@crosslogix.com>]

A question: do we state that PDP is indeed processing XACML policy and
request directly?

In an implementation PDP may never even see the policy in question: errors
in the policy document are beeing taken care by PAP and transformed in some
other internal format, while the request context is processed by PEP and
context handler.  PDP may read and process the policy in an entirely
different format - thus it can not pass this conformance test.

D;



-----Original Message-----
From: Polar Humenn
To: Seth Proctor
Cc: Anne Anderson; XACML TC
Sent: 12/4/02 8:17 AM
Subject: Re: [xacml] IIC012: syntax-error or processing-error?

On Wed, 4 Dec 2002, Seth Proctor wrote:

>
> On Wed, Dec 04, 2002 at 10:37:53AM -0500, Polar Humenn wrote:
> > "If an error occurs while evaluating the target of a policy, or a
> > reference to a policy is considered invalid or the policy evaluation
> > results in "Indeterminate", then the policy set SHALL evaluate to
> > "Indeterminate"."
>
> By my reading, this only covers some of the cases. I see three reasons
for
> an error in the quoted text:
>
> 1. An error occurs while evaluating the target of a policy
> 2. A reference to a policy is considered invalid
> 3. Policy evaluation returns Indeterminate
>
> Reasons 1 and 3 refer to policies that have been successfully parsed
by the
> PDP. If the policy is invalid, then we [1] won't try target
evaluation, and we
> won't get an error on policy evaluation.

In some cases, target evaluation will be through indexing, in which you
must retrieve all the policies and the policies must have been parsed
beforehand, so you will know if the containing policy is really valid or
not due to its consitutents.

In the case where policy behind the reference is considered valid before
proven invalid, then you are effectively evaluating the targets of the
policy as you retreive them, in which case the "error"  will happen
during
evaluation of that particular target.

The next case is if the reference is not valid.

Cheers,
-Polar



> That leaves reason 2, which I believe only refers to a
PolicyIdReference
> or a PolicySetIdReference. So, my original comments about run-time
> retrieval still apply. If I have a module in my PDP which lets me, for
> example, talk to an LDAP service to get policies, and a request comes
in
> that applies to one and only one policy in the directory, but that
> policy is invalid, what should I do? The quoted text does not say
> anything about this case. I may choose to say I couldn't find any
valid
> policies, so I return NA, or I could say I found an invalid policy,
and
> return SyntaxError. It may be that case 2 is supposed to apply to this
> problem as well, in which case I think the text should be re-worked to
> make that clearer.
>
> In any case, I certainly agree with you that there are several
scenarios where
> it is up to the implementor what to do. I think you explained that
clearly
> in the your last email, so I won't repeat any of it here :)
>
>
> seth
>
>
> [1] Where "we" is Polar, me, and anyone else who is throwing out
invalid
> policies before evaluation
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>


----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>