Subject: RE: [xacml] IIC012: syntax-error or processing-error?
On Wed, 4 Dec 2002, Daniel Engovatov wrote:

> A question: do we state that PDP is indeed processing XACML policy and
> request directly?
>
> In an implementation PDP may never even see the policy in question: errors
> in the policy document are being taken care of by PAP and transformed in some
> other internal format, while the request context is processed by PEP and
> context handler. PDP may read and process the policy in an entirely
> different format - thus it can not pass this conformance test.

I agree.

-Polar

> D;
>
> -----Original Message-----
> From: Polar Humenn
> To: Seth Proctor
> Cc: Anne Anderson; XACML TC
> Sent: 12/4/02 8:17 AM
> Subject: Re: [xacml] IIC012: syntax-error or processing-error?
>
> On Wed, 4 Dec 2002, Seth Proctor wrote:
>
> > On Wed, Dec 04, 2002 at 10:37:53AM -0500, Polar Humenn wrote:
> > > "If an error occurs while evaluating the target of a policy, or a
> > > reference to a policy is considered invalid or the policy evaluation
> > > results in "Indeterminate", then the policy set SHALL evaluate to
> > > "Indeterminate"."
> >
> > By my reading, this only covers some of the cases. I see three reasons for
> > an error in the quoted text:
> >
> > 1. An error occurs while evaluating the target of a policy
> > 2. A reference to a policy is considered invalid
> > 3. Policy evaluation returns Indeterminate
> >
> > Reasons 1 and 3 refer to policies that have been successfully parsed by the
> > PDP. If the policy is invalid, then we [1] won't try target evaluation, and we
> > won't get an error on policy evaluation.
>
> In some cases, target evaluation will be through indexing, in which you
> must retrieve all the policies and the policies must have been parsed
> beforehand, so you will know if the containing policy is really valid or
> not due to its constituents.
>
> In the case where policy behind the reference is considered valid before
> proven invalid, then you are effectively evaluating the targets of the
> policy as you retrieve them, in which case the "error" will happen during
> evaluation of that particular target.
>
> The next case is if the reference is not valid.
>
> Cheers,
> -Polar
>
> > That leaves reason 2, which I believe only refers to a PolicyIdReference
> > or a PolicySetIdReference. So, my original comments about run-time
> > retrieval still apply. If I have a module in my PDP which lets me, for
> > example, talk to an LDAP service to get policies, and a request comes in
> > that applies to one and only one policy in the directory, but that
> > policy is invalid, what should I do? The quoted text does not say
> > anything about this case. I may choose to say I couldn't find any valid
> > policies, so I return NA, or I could say I found an invalid policy, and
> > return SyntaxError. It may be that case 2 is supposed to apply to this
> > problem as well, in which case I think the text should be re-worked to
> > make that clearer.
> >
> > In any case, I certainly agree with you that there are several scenarios where
> > it is up to the implementor what to do. I think you explained that clearly
> > in your last email, so I won't repeat any of it here :)
> >
> >
> > seth
> >
> >
> > [1] Where "we" is Polar, me, and anyone else who is throwing out invalid
> > policies before evaluation
> >
> > ----------------------------------------------------------------
> > To subscribe or unsubscribe from this elist use the subscription
> > manager: <http://lists.oasis-open.org/ob/adm.pl>
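The three "reasons" Seth enumerates, and the open question of what a PDP should return when a policy it retrieves at evaluation time (for example from a directory) turns out to be invalid, are easier to see in running code. The following is an added illustration, not code from the thread or from any XACML implementation: a toy policy-set evaluator that resolves PolicyIdReference-style references on demand, treats a parse failure as a syntax error before any target is evaluated, and leaves the decision for that case (Indeterminate, or NotApplicable as in "I couldn't find any valid policies") as a parameter, since the thread's conclusion is that this is the implementer's choice. The combining logic follows the quoted sentence literally rather than any real XACML combining algorithm, and the policy store, its document format and the request attributes are all constructed for the example.

```python
# Added illustration of the cases discussed in the thread; not XACML code.
from dataclasses import dataclass
from typing import Callable, List, Union

PERMIT = "Permit"
DENY = "Deny"
NOT_APPLICABLE = "NotApplicable"
INDETERMINATE = "Indeterminate"


class PolicySyntaxError(Exception):
    """A policy document that fails to parse: rejected before any target
    evaluation takes place (the "invalid policy" of the thread)."""


@dataclass
class Policy:
    policy_id: str
    target: Callable[[dict], bool]  # predicate over the request context; may raise
    effect: str                      # decision returned when the target matches


@dataclass
class PolicyRef:
    policy_id: str  # stands in for a PolicyIdReference resolved at evaluation time


@dataclass
class PolicySet:
    members: List[Union[Policy, PolicyRef]]


def parse_policy(doc: dict) -> Policy:
    """Constructed stand-in for a parser: a document missing a required
    element is a syntax error and never becomes a Policy object."""
    try:
        role = doc["target_role"]
        return Policy(doc["id"], lambda req: req["role"] == role, doc["effect"])
    except KeyError as missing:
        raise PolicySyntaxError(f"policy document lacks element {missing}") from None


def evaluate_policy(policy: Policy, request: dict) -> str:
    try:
        matched = policy.target(request)
    except Exception:
        return INDETERMINATE  # reason 1: error while evaluating the target
    return policy.effect if matched else NOT_APPLICABLE


def evaluate_policy_set(pset: PolicySet, request: dict, resolve,
                        invalid_ref_result: str = INDETERMINATE) -> str:
    """Toy combining that follows the quoted spec sentence literally: any member
    that errors or evaluates to Indeterminate makes the set Indeterminate;
    otherwise the first Permit/Deny wins, else NotApplicable.
    invalid_ref_result is the implementer's choice for reason 2 (invalid reference)."""
    results = []
    for member in pset.members:
        if isinstance(member, PolicyRef):
            try:
                member = resolve(member.policy_id)
            except PolicySyntaxError:
                results.append(invalid_ref_result)  # reason 2: referenced policy invalid
                continue
        results.append(evaluate_policy(member, request))  # reason 3 surfaces here
    if INDETERMINATE in results:
        return INDETERMINATE
    for result in results:
        if result in (PERMIT, DENY):
            return result
    return NOT_APPLICABLE


# Constructed policy store: one well-formed document, one missing its target.
POLICY_DOCS = {
    "allow-admins": {"id": "allow-admins", "target_role": "admin", "effect": PERMIT},
    "broken": {"id": "broken", "effect": DENY},  # no target_role -> syntax error
}


def resolve_from_store(policy_id: str) -> Policy:
    """Parses on retrieval, like the directory-backed lookup described in the thread."""
    return parse_policy(POLICY_DOCS[policy_id])


def decide(policy_ids, request: dict, invalid_ref_result: str = INDETERMINATE) -> str:
    pset = PolicySet([PolicyRef(pid) for pid in policy_ids])
    return evaluate_policy_set(pset, request, resolve_from_store, invalid_ref_result)


def decide_with_failing_target(request: dict) -> str:
    """Reason 1: the target itself raises (e.g. an attribute lookup fails)."""
    def exploding_target(req):
        return req["missing-attribute"] == "x"  # KeyError on any request
    pset = PolicySet([Policy("explodes", exploding_target, PERMIT)])
    return evaluate_policy_set(pset, request, resolve_from_store)


if __name__ == "__main__":
    admin = {"role": "admin"}
    print(decide(["allow-admins"], admin))                            # Permit
    print(decide(["allow-admins", "broken"], admin))                  # Indeterminate
    print(decide(["allow-admins", "broken"], admin, NOT_APPLICABLE))  # Permit
    print(decide(["broken"], admin, NOT_APPLICABLE))                  # NotApplicable
    print(decide_with_failing_target(admin))                          # Indeterminate
```

The two runs with the broken policy show the practical consequence of the choice: treating an unparsable referenced policy as Indeterminate makes the whole set Indeterminate even though a valid policy would have permitted the request, while treating it as NotApplicable silently drops the bad policy. A PDP that discards invalid policies before evaluation, as footnote [1] describes, behaves like the second run and never reaches reasons 1 or 3 for that policy, which is why a conformance test cannot assume one outcome.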