I don't think a PEP can make any assumptions about what kind of queries a
PDP can answer without querying the PDP, i.e. there are no stupid questions.
There is also nothing to say that the stuff in http://www.hp.com/* is
actually a list of files. http://www.hp.com/* might simply be a virtual
pointer to any resource accessed via http://www.hp.com/.
You are correct in the clearer reformulation of my question, thanks! However,
the core question still remains: should the PDP be able to enumerate the
resources available to a requestor or role, given an expression to match
against resource policy constraints in the PDP? The pattern might be an
XPath or even a regular expression. The PDP would seem to have several
options based on its configuration, e.g. reject non-explicit patterns,
enumerate for non-explicit patterns, reply yes to non-explicit patterns if
the result set is not empty (but don't enumerate), or reply no for the
converse.
Once again, the enumerating may open other security holes. Should the
protocol be designed in such a way as to preclude it? It seems to me this
will be a crucial point of intersection between SAML and XACML.
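As an added illustration (example code written for this page, not part of the original post or of any XACML implementation): a toy PDP in Python that supports the three pattern-handling modes discussed above (reject non-explicit patterns, enumerate the matches, or answer yes/no without enumerating), plus a probe that goes one step beyond the post by showing that the yes/no mode still lets a caller recover resource names one character at a time through repeated queries. The role names, the policy table and the URIs under http://www.hp.com/ are constructed sample data; the pattern syntax is shell-style globbing via fnmatch rather than XPath or a regular expression.

```python
import fnmatch
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class PatternMode(Enum):
    """How the PDP treats a resource identifier that is a pattern, not an explicit URI."""
    REJECT = "reject"          # refuse to evaluate non-explicit patterns
    ENUMERATE = "enumerate"    # list every permitted resource that matches
    BOOLEAN = "boolean"        # Permit if the match set is non-empty, Deny otherwise, no listing


# Constructed sample policy (hypothetical): role -> explicitly permitted resource URIs.
SAMPLE_POLICY: Dict[str, Set[str]] = {
    "employee": {
        "http://www.hp.com/public/index.html",
        "http://www.hp.com/intranet/phonebook",
    },
    "admin": {
        "http://www.hp.com/public/index.html",
        "http://www.hp.com/intranet/phonebook",
        "http://www.hp.com/intranet/payroll",
        "http://www.hp.com/admin/console",
    },
}


def is_explicit(resource: str) -> bool:
    """An explicit resource identifier contains no glob metacharacters."""
    return not any(c in resource for c in "*?[")


@dataclass
class Decision:
    result: str                                   # Permit / Deny / NotApplicable / Indeterminate
    resources: List[str] = field(default_factory=list)  # only filled in ENUMERATE mode


class ToyPDP:
    """Minimal PDP: explicit URIs get a plain Permit/Deny; patterns follow the configured mode."""

    def __init__(self, policy: Dict[str, Set[str]], mode: PatternMode) -> None:
        self.policy = policy
        self.mode = mode
        self.queries = 0  # counts evaluations, to show the cost of probing

    def evaluate(self, role: str, resource: str) -> Decision:
        self.queries += 1
        if role not in self.policy:
            return Decision("NotApplicable")
        permitted = self.policy[role]
        if is_explicit(resource):
            return Decision("Permit" if resource in permitted else "Deny")
        if self.mode is PatternMode.REJECT:
            return Decision("Indeterminate")
        matches = sorted(r for r in permitted if fnmatch.fnmatchcase(r, resource))
        if self.mode is PatternMode.ENUMERATE:
            return Decision("Permit" if matches else "Deny", matches)
        # BOOLEAN: answer whether anything matched, but never say what
        return Decision("Permit" if matches else "Deny")


def oracle_enumerate(pdp: ToyPDP, role: str, prefix: str,
                     alphabet: str = "abcdefghijklmnopqrstuvwxyz/") -> List[str]:
    """Recover every permitted resource under `prefix` using only yes/no answers.

    Each step asks whether `prefix + c + '*'` matches anything; a Permit means a
    resource continues with that character, so the caller extends the prefix and
    recurses. This is the same enumeration the BOOLEAN mode was meant to prevent,
    just paid for with more queries. In REJECT mode every pattern query is
    Indeterminate and the probe recovers nothing.
    """
    found: List[str] = []
    if pdp.evaluate(role, prefix).result == "Permit":
        found.append(prefix)                       # the prefix itself is a real resource
    for c in alphabet:
        if pdp.evaluate(role, prefix + c + "*").result == "Permit":
            found.extend(oracle_enumerate(pdp, role, prefix + c, alphabet))
    return found


if __name__ == "__main__":
    for mode in PatternMode:
        pdp = ToyPDP(SAMPLE_POLICY, mode)
        direct = pdp.evaluate("admin", "http://www.hp.com/intranet/*")
        leaked = oracle_enumerate(pdp, "admin", "http://www.hp.com/intranet/")
        print(f"{mode.value:9} direct={direct.result} {direct.resources}")
        print(f"{'':9} probe recovered {leaked} in {pdp.queries} queries")
```

The probe's query count is the practical takeaway: the yes/no option in the post removes the listing from a single answer, but not the information itself, so a protocol that wants to preclude enumeration has to either reject patterns outright or rate-limit and audit pattern queries at the PDP.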