xacml message



Subject: RE: [xacml] Re: Section 7.2 Base policy (was A single tree?)



[sorry I'm so slow in responding...I've had almost no time the last few
days to pay attention to email...]

Ok. Clearly there are some strong feelings about this "base policy"
topic. Let me add my take on the issue. I agree with Polar that the
specification should not provide any guidance about how policies are
retrieved, or whether there is even a "retrieval" step when a decision
request arrives at a PDP. However, I also agree with Tim and Anne that
it's important to make it clear what conditions are errors, and to
explain to implementors and users alike what they should expect a PDP to
do when a request arrives.

Are these beliefs in conflict? No, I don't think they are. At the start
of this thread, Anne made a proposal for new text for section 7.2. I
think it makes a lot of sense. It defines exactly one requirement: a PDP
can only evaluate a single policy against a given request. If the PDP is
incapable of deciding on a single policy for evaluation (through whatever
means it likes), then this is an error. Her text does not require a
"retrieval step", it does not mandate dynamic policy creation, and it
does not exclude implementations where the PDP is configured to work
with multiple policies (since the PDP is, in effect, using its custom
logic to create a logical root policy).

Speaking from experience, I can say two things with certainty:

  1. This text is useful for implementors. I spent a lot of time
     thinking about how my code would react to the arrival of a
     decision request. After re-reading the spec many times I
     built something that provides a lot of flexibility but still
     requires there to ultimately be a single root policy (physically
     or logically) for any given request. Clear text spelling this out
     will help others to figure this out.

  2. I get a lot of questions from users about this issue. They want to
     understand exactly what the rules are around root policies. Anne's
     text makes it clear what's in scope, and what XACML doesn't define.
     I believe this will help considerably.

In short, I don't believe the proposed text for 7.2 defines how you find
a policy, how you construct a "base" policy, or how a PDP handles the
policies it can use. The proposed text only specifies that, logically,
evaluation is of the form one Request and one Policy[Set], and that
trying to do otherwise is an error. I believe this is what's already
expressed in the specification, but that the new language helps clarify
this point, and will be helpful for implementors and users alike.

As always, I welcome comments!


seth
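The "one Request, one root Policy[Set]" rule discussed in the message above, as an added example that is not part of the original post and not code from any XACML implementation. It models a toy PDP whose policy selection is a pluggable "root finder" callable (an assumption standing in for whatever retrieval or configuration logic a real PDP uses), shows a single physical root, several configured policies wrapped into a logical root PolicySet, and the error case where the finder hands back more than one candidate without combining them. The combining algorithm is a simplified deny-overrides and the sample policies and requests are constructed for the example.

```python
"""Toy XACML-style PDP illustrating 'one Request, one root Policy[Set]'.

Added example, not code from the XACML specification or any PDP.
Assumptions: simplified deny-overrides combining at every level,
targets are plain predicates over an attribute dict, and a 'root
finder' callable stands in for a real PDP's policy-selection logic.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Union

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
Request = dict  # constructed attribute bag, e.g. {"subject": "alice", "action": "read"}
Target = Callable[[Request], bool]


class NoSingleRootPolicy(Exception):
    """Raised when the PDP cannot reduce a request to exactly one root policy."""


def deny_overrides(decisions: Iterable[str]) -> str:
    # Simplified deny-overrides: Deny wins, then Indeterminate, then Permit.
    seen = set(decisions)
    if DENY in seen:
        return DENY
    if INDETERMINATE in seen:
        return INDETERMINATE
    if PERMIT in seen:
        return PERMIT
    return NOT_APPLICABLE


@dataclass
class Rule:
    effect: str
    target: Target

    def evaluate(self, req: Request) -> str:
        return self.effect if self.target(req) else NOT_APPLICABLE


@dataclass
class Policy:
    policy_id: str
    target: Target
    rules: List[Rule]

    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        return deny_overrides(r.evaluate(req) for r in self.rules)


@dataclass
class PolicySet:
    policy_id: str
    children: List[Union[Policy, "PolicySet"]]

    def evaluate(self, req: Request) -> str:
        return deny_overrides(c.evaluate(req) for c in self.children)


class PDP:
    """Evaluates exactly one root Policy[Set] per request; anything else is an error."""

    def __init__(self, root_finder: Callable[[Request], List[Union[Policy, PolicySet]]]):
        self.root_finder = root_finder  # assumed hook; how roots are found is out of scope

    def decide(self, req: Request) -> str:
        roots = self.root_finder(req)
        if len(roots) != 1:
            raise NoSingleRootPolicy(f"{len(roots)} candidate root policies for {req!r}")
        try:
            return roots[0].evaluate(req)
        except Exception:  # an evaluation failure maps to Indeterminate
            return INDETERMINATE


# Constructed sample policies.
READERS = Policy("readers", lambda r: r.get("action") == "read",
                 [Rule(PERMIT, lambda r: r.get("role") == "staff")])
BLOCKLIST = Policy("blocklist", lambda r: True,
                   [Rule(DENY, lambda r: r.get("subject") == "mallory")])

# Configuration 1: a single physical root policy.
single_root_pdp = PDP(lambda req: [READERS])

# Configuration 2: several configured policies wrapped into one logical root.
logical_root_pdp = PDP(lambda req: [PolicySet("logical-root", [READERS, BLOCKLIST])])

# Configuration 3: the finder returns two candidates and never combines them,
# so the PDP has no single root to evaluate and must report an error.
ambiguous_pdp = PDP(lambda req: [READERS, BLOCKLIST])


def demo() -> dict:
    alice = {"subject": "alice", "role": "staff", "action": "read"}
    mallory = {"subject": "mallory", "role": "staff", "action": "read"}
    results = {
        "single/alice": single_root_pdp.decide(alice),
        "logical/alice": logical_root_pdp.decide(alice),
        "logical/mallory": logical_root_pdp.decide(mallory),
    }
    try:
        ambiguous_pdp.decide(alice)
        results["ambiguous/alice"] = "no error"
    except NoSingleRootPolicy as exc:
        results["ambiguous/alice"] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The point the example makes is the one the message makes: the PDP never inspects how the root was chosen or built, it only insists there is exactly one, and a configuration with several policies is fine as long as something (here the finder) turns them into one logical PolicySet before evaluation.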


