Hello everyone, I thought I might share what Oasis had to say about my questions regarding some XACML practices:
Q: How does XACML resolve duplicate policy IDs?
A: The XACML spec requires that all policy sets, policies, and rules be uniquely identified. The uniqueness is defined on the element id + version number e.g. policy set id + version number. Duplicate policy IDs are therefore an error which should be reported by the PDP.
Q: Is it good practice to always wrap a policy in a policy set? This allows technologies like JAXB to unmarshal to a known type.