OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [xacml] IIC012: syntax-error or processing-error?

On Wed, 4 Dec 2002, bill parducci wrote:

> Polar Humenn wrote:
> > Any output is acceptable.
> not to me. i want to know if something went wrong.

Nothing went wrong. The answer is up to the implementation and
configuration, and administration procedures. Without defined interfaces
for this stuff, you'll never be able to lock this down.

> > I would admit that may be logical, but say that the offending piece is in
> > buried deep a poriton of the policy decsription that may not be evaluated according to
> > some models, and may be evaluated according to other models, against the
> > same inputs? Then what will you say the "conforming" result MUST be?
> one of TWO outcomes.
> let me try explaining it this way:
> IF a policy is deemed to be relevant to the decision, and that policy
> cannot be digested for *whatever* reason at the time of decision, the
> result is INDETERMINATE/[notOKstatus].

Let's forget about the "precompiled" scenario. That is covered and works
as it should.

Now for conformance tests on bad policies.
It's the degrees invalidity that worry me in this case.

Say you have a policy with a valid target expression and a very
complicated condition with a miriad of nested And's and OR's. For one
input, one system may in fact evaluate all consituents of all And and OR
expressions finding one of them type incorrect, while another system with
a different, perhaps "lazy" evaluation model, will not "evaluate"  the
offending constiuent, and therefore never know about it. And then there
are systems that will do a continuum of both.

> now, in a pre-compiled scenario any policy that is not digestible will
> be rejected upon attempting to enter the system and will therefore NEVER
> be considered in the scope of the decision because it "doesn't exist" at
> the time of decision; the policy doesn't affect the decision and
> conformance is demonstrated by the rejection.

I don't mind having *SEPARATE* conformance tests of policies standing on
their own saying whether they are valid policies both in syntax and type

Just don't ask me to "evaluate" bad ones against a context.

> therefore, if there was a use case/conformance test whereby there is a
> malformed policy, those systems that attempt to call upon this policy in
> real time must return INDETERMINATE and those that reject upon entrance
> into the system will act as if it never existed since, by definition, it
> was never entered into the system to be considered.

That's easy to say. But there are no interfaces for "entry" into the
system, and therefore you cannot enforce any of this.

> conformance can therefore be tested by submitting a malformed policy to
> each system and having one of *two* acceptable outcomes: (1) policy is
> rejected upon attempted entry to system; (2) subsequent requests within
> scope of said policy are responded to with a decision of
> INDETERMINATE/[notOKstatus].

As I said before, different systems with different evaluation models will
not always get your Indeterminate result, and therefore conformance
testing will force somebody to a particularly constraining evalation model
on correctly formed policies just to handle the bad ones? Blech!

> this addresses my 'something is wrong' issue by either having the policy
> compilation process complain (which, one would think would be rather
> obvious to the operator) or having the decision reflect that something
> went haywire when the system tried to make a decision.

I think we have it already. The combining algorithms tell what to do when
you are compiling a decision and a policy is invalid either by entry into
the system, or by dynamic evaluation.

However, if you take a stand alone bad policy and want a PDP to evaluate
it on its own. There can be no conformance test for that.


> maybe i am not grasping the nuances, but this seems like it would work.
> b
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC