Subject: RE: [xacml] IIC012: syntax-error or processing-error?



On Wed, 4 Dec 2002, Daniel Engovatov wrote:

>
> A question: do we state that PDP is indeed processing XACML policy and
> request directly?
>
> In an implementation the PDP may never even see the policy in question: errors
> in the policy document are being taken care of by the PAP and transformed into
> some other internal format, while the request context is processed by the PEP
> and context handler.  The PDP may read and process the policy in an entirely
> different format - thus it cannot pass this conformance test.

I agree.

-Polar

>
> D;
>
>
>
> -----Original Message-----
> From: Polar Humenn
> To: Seth Proctor
> Cc: Anne Anderson; XACML TC
> Sent: 12/4/02 8:17 AM
> Subject: Re: [xacml] IIC012: syntax-error or processing-error?
>
> On Wed, 4 Dec 2002, Seth Proctor wrote:
>
> >
> > On Wed, Dec 04, 2002 at 10:37:53AM -0500, Polar Humenn wrote:
> > > "If an error occurs while evaluating the target of a policy, or a
> > > reference to a policy is considered invalid or the policy evaluation
> > > results in "Indeterminate", then the policy set SHALL evaluate to
> > > "Indeterminate"."
> >
> > By my reading, this only covers some of the cases. I see three reasons for
> > an error in the quoted text:
> >
> > 1. An error occurs while evaluating the target of a policy
> > 2. A reference to a policy is considered invalid
> > 3. Policy evaluation returns Indeterminate
> >
> > Reasons 1 and 3 refer to policies that have been successfully parsed by the
> > PDP. If the policy is invalid, then we [1] won't try target evaluation, and
> > we won't get an error on policy evaluation.
>
> In some cases, target evaluation will be through indexing, in which you
> must retrieve all the policies and the policies must have been parsed
> beforehand, so you will know if the containing policy is really valid or
> not due to its constituents.
>
> In the case where the policy behind the reference is considered valid before
> proven invalid, you are effectively evaluating the targets of the policy as
> you retrieve them, in which case the "error" will happen during evaluation
> of that particular target.
>
> The next case is if the reference is not valid.
>
> Cheers,
> -Polar
>
>
>
> > That leaves reason 2, which I believe only refers to a PolicyIdReference
> > or a PolicySetIdReference. So, my original comments about run-time
> > retrieval still apply. If I have a module in my PDP which lets me, for
> > example, talk to an LDAP service to get policies, and a request comes in
> > that applies to one and only one policy in the directory, but that
> > policy is invalid, what should I do? The quoted text does not say
> > anything about this case. I may choose to say I couldn't find any valid
> > policies, so I return NA, or I could say I found an invalid policy, and
> > return SyntaxError. It may be that case 2 is supposed to apply to this
> > problem as well, in which case I think the text should be re-worked to
> > make that clearer.
> >
> > In any case, I certainly agree with you that there are several scenarios
> > where it is up to the implementor what to do. I think you explained that
> > clearly in your last email, so I won't repeat any of it here :)
> >
> >
> > seth
> >
> >
> > [1] Where "we" is Polar, me, and anyone else who is throwing out invalid
> > policies before evaluation
> >
>
>
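The case Seth raises above (a PolicyIdReference resolved at run time, for example from a directory, that points at a policy which turns out to be syntactically invalid), worked through in a toy evaluator. This is an added example and not code from the thread, from the XACML specification or from any XACML implementation: the policy format is a deliberately minimal stand-in for XACML, the PolicyIds, sample policies and the policy store are constructed, and the combining step is a simplified deny-overrides rather than the spec's algorithm. It contrasts the two choices named in the message: make the whole PolicySet "Indeterminate" when a referenced policy is invalid or cannot be resolved, as the quoted policy-set evaluation text requires, or throw invalid policies out before evaluation and let the set come out "NotApplicable" (or be decided by the remaining policies).

```python
"""Toy XACML-style PolicySet evaluator for invalid run-time policy references.

Added illustration, not code from the XACML spec or any XACML implementation.
The policy format below is a minimal stand-in for XACML; all PolicyIds and
sample policies are constructed.
"""
import xml.etree.ElementTree as ET

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"


class PolicySyntaxError(Exception):
    """A retrieved policy document could not be parsed or is not a valid policy."""


# Constructed policy store standing in for run-time lookup (LDAP, files, ...).
# Keys are hypothetical PolicyIds used as PolicyIdReference targets.
POLICY_STORE = {
    "urn:example:policy:deny-alice":
        '<Policy PolicyId="urn:example:policy:deny-alice">'
        '<Target><Subject>alice</Subject></Target><Rule Effect="Deny"/></Policy>',
    "urn:example:policy:permit-bob":
        '<Policy PolicyId="urn:example:policy:permit-bob">'
        '<Target><Subject>bob</Subject></Target><Rule Effect="Permit"/></Policy>',
    # Truncated document: not well-formed XML, a syntax error found at retrieval.
    "urn:example:policy:broken":
        '<Policy PolicyId="urn:example:policy:broken"><Target><Subject>bob</Subject>',
    # Well-formed XML but not a valid policy (no Rule): fails the schema check.
    "urn:example:policy:no-rule":
        '<Policy PolicyId="urn:example:policy:no-rule"><Target/></Policy>',
}


def parse_policy(xml_text):
    """Parse the toy policy format into a dict, raising PolicySyntaxError if invalid."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise PolicySyntaxError(f"XML not well-formed: {exc}") from exc
    if root.tag != "Policy" or "PolicyId" not in root.attrib:
        raise PolicySyntaxError("root must be <Policy PolicyId=...>")
    rule = root.find("Rule")
    if rule is None or rule.get("Effect") not in (PERMIT, DENY):
        raise PolicySyntaxError("policy needs one <Rule Effect='Permit|Deny'/>")
    # A missing <Subject> in the Target means the policy applies to any subject.
    subject = root.findtext("Target/Subject")
    return {"id": root.get("PolicyId"), "subject": subject, "effect": rule.get("Effect")}


def evaluate_policy(policy, request):
    """Match the Target against the request subject, then apply the rule effect."""
    if policy["subject"] is not None and policy["subject"] != request["subject"]:
        return NOT_APPLICABLE
    return policy["effect"]


def evaluate_policy_set(policy_refs, request, store=POLICY_STORE, on_invalid="indeterminate"):
    """Evaluate a PolicySet whose members are references resolved from `store`.

    on_invalid="indeterminate": an unresolvable or unparseable referenced policy
        makes the whole set Indeterminate, following the policy-set evaluation
        text quoted in the thread.
    on_invalid="skip": invalid policies are thrown out before evaluation, so the
        set can still be NotApplicable or be decided by the remaining policies.
    Valid results are combined deny-overrides style, simplified: any Deny wins,
    then any Permit, otherwise NotApplicable.
    """
    decisions = []
    for ref in policy_refs:
        xml_text = store.get(ref)
        try:
            if xml_text is None:
                raise PolicySyntaxError(f"reference {ref} cannot be resolved")
            policy = parse_policy(xml_text)
        except PolicySyntaxError:
            if on_invalid == "skip":
                continue
            return INDETERMINATE
        decision = evaluate_policy(policy, request)
        # This toy never yields Indeterminate from a single policy; a real PDP
        # would (e.g. on attribute retrieval failure), and the set follows suit.
        if decision == INDETERMINATE:
            return INDETERMINATE
        decisions.append(decision)
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


if __name__ == "__main__":
    req = {"subject": "bob"}
    refs = ["urn:example:policy:permit-bob", "urn:example:policy:broken"]
    print(evaluate_policy_set(refs, req))                      # Indeterminate
    print(evaluate_policy_set(refs, req, on_invalid="skip"))   # Permit
    print(evaluate_policy_set(["urn:example:policy:broken"], req, on_invalid="skip"))  # NotApplicable
```

The `on_invalid` switch is the implementor's choice the thread talks about: the strict setting reports that an error occurred, while the skip setting is the "throw out invalid policies before evaluation" approach, under which a request matched only by an invalid policy is indistinguishable from one matched by no policy at all. An unresolvable reference and a malformed document are treated the same way on purpose, since the evaluator cannot tell which it is until the retrieval has already happened.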


