OASIS eXtensible Access Control Markup Language (XACML) TC


RE: [xacml] Proposed semantics for operations involving INDETERMINATE


    Posted 07-24-2002 00:45
>> In fact what we are discussing is that functions in the constraint may
>> "throw exception", beside returning "true" or "false". I think we do need
>> a clear protocol to communicate that - we should not lump together a case
>> when no applicable rule was found with the case of database connection
>> timed out..

> I fundamentally disagree. You are asking the authorization decision
> conversation to encompass operational behaviors. To what end?

To the end of allowing to communicate "Not available" from "Not applicable". That is a result of policy evaluation - three distinct, principally different outcomes: decision / no applicable rules / could not evaluate. You may do that at the external protocol layer. I suggest we provide a standard way of doing that between PDP and PEP, not just leave it hanging.

> Let's assume that there is a throw deep within the bowels of some external
> function during policy evaluation. What is the PEP supposed to do with
> that information?

What is it supposed to do with GRANT? Or DENY? Whatever is appropriate in a concrete application - that's not part of policy description and policy query protocols. We may state that PEP may treat ERROR==INDETERMINATE by default, but not providing a way to convey this fundamentally different state in the response is not helpful in my opinion.

You will have exceptions. That's a fact. In one form or another. Not having a clear strategy for what to do with this will not make it more robust or secure.

Daniel.
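The three outcomes Daniel separates (a decision, no applicable rule, could not evaluate), shown as an added example in Python. This is not code from the XACML TC or from any XACML implementation; the rule names, subjects, resources and the simulated directory timeout are constructed for the illustration. The rule-combining step follows the shape of deny-overrides (an explicit Deny wins, and an error inside a Deny rule is treated as Deny because the error may be hiding one), and the PEP fails closed: only an explicit Permit grants, while NotApplicable and Indeterminate are both refused but logged as different conditions, which is exactly the distinction that is lost if a constraint function's exception is reported as "no applicable rule".

```python
"""Added illustration of the PDP/PEP result space discussed above.
Not code from the XACML TC; policy, directory and request data are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"  # no rule covered the request
    INDETERMINATE = "Indeterminate"   # evaluation itself failed


@dataclass
class Result:
    decision: Decision
    status: str = "ok"  # detail carried next to the decision, e.g. why Indeterminate


@dataclass
class Rule:
    rule_id: str
    effect: Decision                                       # PERMIT or DENY
    target: Callable[[dict], bool]                         # does the rule apply?
    condition: Callable[[dict], bool] = lambda req: True   # constraint; may raise


def evaluate_rule(rule: Rule, request: dict) -> Result:
    """NotApplicable when target or condition is false; Indeterminate when the
    condition "throws" instead of answering, with the cause kept in status."""
    try:
        if not rule.target(request) or not rule.condition(request):
            return Result(Decision.NOT_APPLICABLE)
        return Result(rule.effect)
    except Exception as exc:
        return Result(Decision.INDETERMINATE,
                      f"{rule.rule_id}: {type(exc).__name__}: {exc}")


def deny_overrides(rules: List[Rule], request: dict) -> Result:
    """Deny-overrides combining: explicit Deny wins; an error in a Deny rule
    counts as Deny; otherwise Permit, then Indeterminate, then NotApplicable."""
    potential_deny = False
    at_least_one_permit = False
    errors: List[str] = []
    for rule in rules:
        res = evaluate_rule(rule, request)
        if res.decision is Decision.DENY:
            return res
        if res.decision is Decision.PERMIT:
            at_least_one_permit = True
        elif res.decision is Decision.INDETERMINATE:
            errors.append(res.status)
            potential_deny |= rule.effect is Decision.DENY
    if potential_deny:
        return Result(Decision.DENY, "error in a Deny rule: " + "; ".join(errors))
    if at_least_one_permit:
        return Result(Decision.PERMIT)
    if errors:
        return Result(Decision.INDETERMINATE, "; ".join(errors))
    return Result(Decision.NOT_APPLICABLE, "no applicable rule")


def pep_enforce(result: Result, audit: List[str]) -> bool:
    """Fail closed: only an explicit Permit grants. NotApplicable and
    Indeterminate are both refused but recorded as different conditions."""
    if result.decision is Decision.PERMIT:
        return True
    if result.decision is Decision.INDETERMINATE:
        audit.append(f"ERROR pdp could not evaluate: {result.status}")
    elif result.decision is Decision.NOT_APPLICABLE:
        audit.append(f"INFO {result.status}")
    else:
        audit.append(f"DENY {result.status}")
    return False


def demo() -> Dict[str, Result]:
    """Constructed policy: a Permit rule whose constraint consults a directory
    that can time out, plus a plain Deny rule; five constructed requests."""
    roles = {"alice": "analyst", "bob": "guest"}

    def directory_role(subject: str) -> str:
        if subject == "mallory":          # simulate the external lookup failing
            raise TimeoutError("directory connection timed out")
        return roles.get(subject, "")

    rules = [
        Rule("permit-analysts", Decision.PERMIT,
             target=lambda r: r["resource"] == "report",
             condition=lambda r: directory_role(r["subject"]) == "analyst"),
        Rule("deny-payroll", Decision.DENY,
             target=lambda r: r["resource"] == "payroll"),
    ]
    requests = {
        "alice-report":   {"subject": "alice",   "resource": "report"},
        "bob-report":     {"subject": "bob",     "resource": "report"},
        "mallory-report": {"subject": "mallory", "resource": "report"},
        "alice-payroll":  {"subject": "alice",   "resource": "payroll"},
        "alice-wiki":     {"subject": "alice",   "resource": "wiki"},
    }
    return {name: deny_overrides(rules, req) for name, req in requests.items()}


if __name__ == "__main__":
    log: List[str] = []
    for name, res in demo().items():
        print(f"{name:15} {res.decision.value:14} granted={pep_enforce(res, log)}")
    print("\n".join(log))
```

Running it, alice-report is Permit, bob-report and alice-wiki are NotApplicable, alice-payroll is Deny, and mallory-report is Indeterminate carrying the timeout message. The PEP refuses the last three identically, but the audit trail tells an operator that the directory is down rather than that no policy matched; had the error been folded into NotApplicable, a PEP configured to be permissive for uncovered requests would have granted access during the outage.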