[xacml] Review of Appendix C. Combining Algorithms section

[Carlisle Adams <carlisle.adams@entrust.com>]

Title: Review of Appendix C. Combining Algorithms section

Hi,

More questions.

1. Section C.3, should this be called "First Applicable" rather than "First Applicable Rule Combining Algorithm"?  This would be more consistent with both C.1 and C.2, and would also be more consistent with the fact that C.3 contains both a rule combining algorithm and a policy combining algorithm.

2. The first sentence of C.3 calls it the "First Determinate" rule-combining algorithm; this should be changed to "First Applicable".

3. The behaviour specified in the policy-combining algorithm when an error is encountered is different from the behaviour specified in the rule-combining algorithm when an error is encountered (the rule combiner says halt and return Indeterminate, whereas the policy combiner says to keep looking for an applicable policy).  Is this what we wanted?

More importantly, might the policy combiner behaviour not lead to different answers for the same inputs?  For example, say there are two policies that are to be combined using this algorithm.  Given a particular set of input values, the first policy would return a decision of "Permit" and the second policy would return a decision of "Deny".  Now we give all the inputs to two different PDPs.  The first PDP retrieves the first policy, gets an answer of "Permit", and returns this to the PEP.  The second PDP has trouble retrieving the first policy for whatever reason and, according to the combining algorithm, retrieves the second policy; it then returns a "Deny" to the PEP.  Isn't this the sort of result we want to avoid?  Wouldn't the behaviour specified in the rule combining algorithm be preferable (that way, the first PDP would return "Permit" and the second would return "Indeterminate", which seems fine to me)?

Carlisle.