Subject: RE: [xacml] Minutes 7 March TC Meeting - action on ambiguity wrt set of returned Obligations, Advice
I am well aware of the fact that when the most common combining algorithms are used, different optimizing PDPs may produce different sets of Obligations from each other, given the same policies and inputs. If fact I was attempting to discuss exactly this issue in the context of reviewing Section 8 of the Healthcare Obligation s Profile.
In that context I made the following points. 1. This behavior has been understood and debated since XACML 1.0 it is not some kind of oversight. 2. A judicious choice of combining algorithms can force the evaluation of all policies containing Obligations and thus this is a question of whether to allow an optimization or not. 3. The Profile proposes a specific mechanism to force this evaluation, but since it alters PDP evaluation logic, it would be easier to get the Profile deployed if we could live without these new features. (The same goes for any PDP-based aspect of Obligation handling.)
An old argument of mine, which I did not make last week and which I cannot prove is universally true is that generally policies can be easily structured so that Obligations are associated with the logic for the decision on the Effect and will generally produce the correct Obligations. For example, suppose one class of users can access the Resource under normal circumstances and another class of users can only access it under special conditions in which case the access should be recorded in the audit trail. By arranging to have the normal case checked first, the result will be that the audit will only happen under the special conditions.
During the call I was objecting to the fact that I thought you were describing the specification as “ambiguous”. The Merriam-Webster Collegiate Dictionary (the nearest one to hand) defines “ambiguous” as: “capable of being understood in two or more possible senses”. As the quote you cite makes clear, the specification is not ambiguous, more than one result is possible. The Obligations returned can depend on the PDP implementation. From the PEP’s point of view it is indeterminate, but the specification is not ambiguous.
IMO, Ambiguity in a Standard is Always a bug and must be fixed. However, allowing policy evaluation to produce different outcomes wrt Obligations may or may not be a good idea. Historically the view of the TC has been to allow optimized policy evaluation by default and let the policy author override it if he or she wishes to.