This is a concrete problem statement for the XACML 1.1 work item titled
"Define new combining algorithms for deterministic Obligations".
The policy combining algorithm defined in the XACML spec has problems when
it deals with policy with obligations (no problem when policy has no
obligations). Since the combining algorithm is defined in indeterministic
way (except for first-applicable), the obligation(s) returned by the
algorithm may differ because of that inderministic property. This problem
was posted on the comment mailing-list:
http://lists.oasis-open.org/archives/xacml-comment/200301/msg00024.html. In
addition, the current spec needs more explanatory text about how to
generate obligations from policy.
Therefore, XACML should define additional policy combining algorithm(s)
that deterministically returns the obligations and revise the corresponding
texts.
Michiharu Kudo