In May, Cyril Dangerville posted to the xacml-comment list this message:
This proposal is in response to his comment #2, concerning the <PolicyIdentifierList>.
He also identified potential issues with text relating to determining if a given policy is “NotApplicable” during policy evaluation. I am not addressing these comments at this time.
The two original usecases for <PolicyIdentifierList> are 1) the creation of a signed receipt for a decision (including Effect, Obligations, Policies and Attributes) and 2) the idea of extracting the applicable policies and using them in some other context. Both of these cases would seem to only apply to decisions which returned “Permit”.
Another possible usecase would be for troubleshooting or perhaps simply proving to the PDP administrators that an unexpected result had been received. In this case, “Deny” and “Indeterminate” results would also (or primarily) be of interest.
Therefore, I can see no harm if the list contains excess Policies which were in force, but did not actually contribute to the decision. Although it did not make it into the text, at the time I originally proposed this feature, I asserted that implementations could comply by including the ids of all policies currently in force.
Based on these considerations and the fact that existing implementations have used distinct algorithms, I propose the following change to section 5.48 of the core spec at line 2921 in the .doc.
If the ReturnPolicyIdList attribute in the <Request> is true (see section 5.42), a PDP that implements this optional feature MUST return a list of all policies which were found to be fully applicable. That is, all policies where both the <Target> matched and the <Condition> evaluated to true, whether or not the <Effect> was the same or different from the <Decision>.
If the ReturnPolicyIdList attribute in the <Request> is true (see section 5.42), a PDP that implements this optional feature MUST return a list which includes the identifiers of all policies which were found to be fully applicable, whether or not the <Effect> was the same or different from the <Decision>. The list MAY include the identifiers of other policies which are currently in force, as long as no policies required for the decision are omitted. A PDP MAY satisfy this requirement by including all policies currently in force, or by including all policies which were evaluated in making the decision, or by including all policies which did not evaluate to “NotApplicable”, or by any other algorithm which does not omit any policies which contributed to the decision. However, a decision which returns “NotApplicable” MUST return an empty list.
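The following toy PDP is an added illustration of the proposed wording, not code from this post or from any XACML implementation. It models "fully applicable" as Target matched and Condition true, builds the minimal <PolicyIdentifierList> the proposal requires (every fully applicable policy regardless of Effect, an empty list on NotApplicable), and includes a checker that accepts any superset a PDP chooses to return, such as all policies in force. The policy ids, attribute names, the deny-overrides combining and the omission of Indeterminate are all assumptions made for the example.

```python
"""Toy PDP showing how the proposed section 5.48 wording constrains the
<PolicyIdentifierList>. Added illustration only: policy ids, attribute
names and the simplified deny-overrides combining are constructed here,
and Indeterminate results are not modelled."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

Request = Dict[str, str]


@dataclass
class Policy:
    policy_id: str
    effect: str                                   # "Permit" or "Deny"
    target: Callable[[Request], bool]             # <Target> match
    condition: Callable[[Request], bool] = lambda req: True  # <Condition>

    def evaluate(self, req: Request) -> str:
        """Fully applicable = Target matched AND Condition true; only then
        does the policy yield its Effect, otherwise NotApplicable."""
        if self.target(req) and self.condition(req):
            return self.effect
        return "NotApplicable"


def deny_overrides(results: Iterable[str]) -> str:
    """Simplified deny-overrides combining algorithm (assumed for the demo)."""
    results = list(results)
    if "Deny" in results:
        return "Deny"
    if "Permit" in results:
        return "Permit"
    return "NotApplicable"


def decide(policies: List[Policy], req: Request,
           return_policy_id_list: bool = True) -> Tuple[str, List[str]]:
    """Evaluate and build the minimal list the proposal requires: every
    fully applicable policy, whether or not its Effect matches the
    Decision; an empty list when the Decision is NotApplicable."""
    results = {p.policy_id: p.evaluate(req) for p in policies}
    decision = deny_overrides(results.values())
    ids: List[str] = []
    if return_policy_id_list and decision != "NotApplicable":
        ids = [pid for pid, r in results.items() if r != "NotApplicable"]
    return decision, ids


def list_complies(candidate: Iterable[str], policies: List[Policy],
                  req: Request) -> bool:
    """Check a PDP-produced list against the proposed MUST clauses: extra
    in-force policies are allowed, but no fully applicable policy may be
    omitted, and a NotApplicable decision requires an empty list."""
    decision, required = decide(policies, req)
    candidate = set(candidate)
    if decision == "NotApplicable":
        return not candidate
    return set(required) <= candidate


# Constructed example policy set (ids are made up for this illustration).
POLICIES = [
    Policy("urn:example:read-docs", "Permit",
           target=lambda r: r.get("resource") == "doc",
           condition=lambda r: r.get("role") == "employee"),
    Policy("urn:example:deny-contractors", "Deny",
           target=lambda r: r.get("resource") == "doc",
           condition=lambda r: r.get("role") == "contractor"),
    # Applicable to every doc request: its Permit Effect differs from the
    # Deny decision for contractors, yet it must still be listed.
    Policy("urn:example:log-doc-access", "Permit",
           target=lambda r: r.get("resource") == "doc"),
    Policy("urn:example:admin-panel", "Permit",
           target=lambda r: r.get("resource") == "admin"),
]
ALL_IN_FORCE = [p.policy_id for p in POLICIES]


if __name__ == "__main__":
    for req in ({"resource": "doc", "role": "employee"},
                {"resource": "doc", "role": "contractor"},
                {"resource": "printer", "role": "employee"}):
        decision, ids = decide(POLICIES, req)
        print(req, "->", decision, ids,
              "| all-in-force list complies:",
              list_complies(ALL_IN_FORCE, POLICIES, req))
```

Running it shows the two points the proposal turns on: for the contractor request the Deny decision is accompanied by both the Deny policy and the Permit logging policy, and the "all policies in force" strategy is compliant for Permit and Deny decisions but fails the NotApplicable case, where only an empty list is allowed.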