Title: RE: [xacml] Proposed semantics for operations involving INDETERMI NATE It is the job of the PDP to deliver Access Decisions, period, and it is the job of XACML to specify that access decision. It is not the job of the PDP to evalautate the consistency, availability, or correctness of that policy. [DE] Inconsistent, not-available or incorrect policy CANNOT be evaluated, so yes, it is the job of PDP to assure it is consistent, available and correct. > Errors with the PDP should be limited to operational ones, such as > communication/invocation problems with the PDP and/or unparsability of the > output (from bad PDPs). [DE] Non-available attribute, or a custom function in condition that can not be evaluated is an operational error. It is an important distinction - whether the decision is not applicable or could not be reached due to some operational error - any real life system will behave differently in this two cases. What is important: for the same policy, with the same data available - decision should be deterministic, not dependent on the rule order. And that should be part of the policy model reflected in the standard - we are writing a portable policy lanaguage, not just an XML schema, and I believe this has to be addressed clearly. It would not be a good standard if two PDP deliver different result for the same policy based on interpretation of what is an operational error, and what order rules have to be evaluated.