Are there any objections to the following resolution to the type and syntax checking debate, at least with respect to the Conformance Tests? This may not resolve the issue completely, but I feel we need to decide as soon as possible what the Conformance Tests will do so that implementations can attest to "successfully using" this coming week. 1) I have added the following "Special Instructions" to the two tests that test that an invalid policy will never be used to return a Permit, Deny, or NotApplicable result. - Special Instructions for Test Case II.A.4 The policy for this test is not schema-compliant: it contains a syntax error. If a policy with invalid syntax MAY EVER be evaluated by the implementation's XACML PDP at the time a Request is received, then this test MUST be passed. In this case, the result MUST be consistent with the supplied IIA004Response.xml file: it returns a Decision of Indeterminate with a StatusCode value of "urn:oasis:names:tc:xacml:1.0:status:syntax-error". If the implementation's XACML PDP CAN NEVER attempt to evaluate a policy with invalid syntax, then the implementation MUST demonstrate that the policy in IIA004Policy.xml will be rejected by whatever entity is responsible for validating policy syntax in the system in which the XACML PDP will be used. In this case, the supplied Request and Response files are not relevant and may be ignored. - Special Instructions for Test Case II.C.3 The policy for this test contains a static type error. If a policy with static type errors MAY EVER be evaluated by the implementation's XACML PDP at the time a Request is received, then this test MUST be passed. In this case, the result MUST be consistent with the supplied IIC003Response.xml file: it returns a Decision of Indeterminate with a StatusCode value of "urn:oasis:names:tc:xacml:1.0:status:processing-error". If the implementation's XACML PDP CAN NEVER attempt to evaluate a policy with static type errors at the time a Request is received, then the implementation MUST demonstrate that the policy in IIA004Policy.xml will be rejected by whatever entity is responsible for validating policy syntax in the system in which the XACML PDP will be used. In this case, the supplied Request and Response files are not relevant and may be ignored. 2) I am checking all other policy files that contain a Rule that is supposed to return Indeterminate. If a static type error is currently being used to "cause" the Indeterminate result, I will change the test to "cause" the Indeterminate result by using an unsatisfied "MustBePresent" xml attribute, an unsatisfied *-one-and-only function, or a divide-by-zero error. I will mail out an updated Conformance Test Suite this afternoon. Anne Anderson -- Anne H. Anderson Email:
Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692