All,
As agreed I am moving the access-permitted function from the delegation
profile into the core spec.
When I did so I did some thinking about the concerns I have about the
function.
As a reminder: this is the function defined in the delegation profile
which returns true if an access request specified in its arguments is
permitted.
The way the function invokes the PDP as a brand new request going back
to the top level in the policies means that it is very hard to
understand its behavior or put bounds on the execution.
Currently the specification of the function contains the following text:
--8<--
The PDP SHALL detect any loop which may occur if successive evaluations
invoke this function. If such a loop is detected, the initial invocation
of this function evaluates to Indeterminate with a
“urn:oasis:names:tc:xacml:1.0:status:processing-error” status code.
--8<--
This text is a bit ambiguous. Does it mean
- any invocation of the access-permitted function at all
- any invocation of the same instance of the access-permitted function
(with an instance I mean the specific