XACML Focus group
27 Feb 2003
By teleconference

Present: Anne Anderson, Simon Godik, Steve Crocker, Tim Moses

Purpose: Define new work items, assign leaders and identify interested parties.

Summary: The following work items were agreed.

1. XACML 1.0+: RFEs based on actual usage
   a) Fully specify hierarchical resources [Simon lead; Satoshi, Michiharu participate]
   b) Define new combining algorithms for deterministic Obligations [Michiharu lead]
   c) ebXML: Allow references to Rules (as we now allow for policies and policy sets) [Anne lead]
   d) Incorporate fixes for errata [Simon lead]
   e) Condition reference: From the policy, a specific "condition" is referred to by using a conditionID attribute that is defined in the <Condition> element [Michiharu lead]
   f) Properties for new combining algorithms [Michiharu lead]
   g) Obligations in rule element [Michiharu lead]

2. Profiles and bindings
   a) SAML: revised AuthorizationDecisionStatement, AuthorizationDecisionQuery, Response to support XACML Request and Response Context [Simon lead; Anne and Hal worked on this; Anne will send notes to Simon]
   b) XMLDSig: how to sign XACML policies, requests, responses [Anne lead; Simon participates]
   c) LDAP:
      1) how to store and retrieve policies using LDAP [Tim lead]
      2) how to store and retrieve attributes using LDAP [See RFC2256 and RFC2798 for schemas]
   d) ebXML: [Track, but let ebXML people do this]
      1) how to store and retrieve policies using ebXML
      2) how to store and retrieve attributes using ebXML
   e) Transport protocols (in addition to SAML wrapper)
   f) Define a set of domain-specific identifiers (action, combining algorithm etc.) that are used in well-known domains, e.g. UNIX ACL, Windows, database ... [Michiharu lead]
   g) XACML Lite: how to manage subset profiles of XACML for particular environments [Steve lead]

3. Additional Conformance Tests [Anne Anderson lead; have process for accepting contributions from all]

4. XACML Extensions
   a) Web Services Policy Language (WSPL) [Anne lead; Tim, Simon participate]
   b) Information about how/where to obtain policies and attributes; how to authenticate them (e.g. trust anchors) [Anne]

5. XACML Primer [Anne to ask Sun if willing to submit open source doc for this]

6. XACML Implementer's Guide [drop; no interest expressed]

7. XACML for privacy policies (exploration of whether and how XACML can be used to express privacy policies) [Carlisle lead; Bill, Simon]

8. Add list of implementations to TC Web Site [Michiharu]

Discussion:

ebXML - Sun's expert in ebXML is prepared to define how XACML can be used with the ebXML framework, including distribution in an ebXML repository. The role of the XACML TC will be to review the proposal.

XACML profile - Steve Crocker is interested in defining a framework for describing subsets of XACML that are tailored for particular environments.

Anne described her proposal for extending the suite of conformance tests. Anyone will be able to submit new tests, which Anne will mark "experimental". Upon receipt of confirmation from implementers that their implementations satisfy the new test, it will be recognized as part of the formal test suite.

Anne will examine the SAML approach to defining an XML Digital Signature profile and adopt the same approach for XACML.

Anne and Hal have conducted an exchange on the topic of conveying the XACML context in a SAML request/response. A proposal has to be made to SAML. Simon offered to lead this activity and Anne agreed to send her notes on the topic to him.

Carol Geyer has suggested that we place links to the available implementations of XACML on the TC's Web page. Anne suggested that a disclaimer should be associated with the links. Michiharu is asked to insert the links and Carlisle offered to work with Michiharu on the text of a suitable disclaimer.

Seth Proctor has written an introduction to XACML for Sun's open-source project. Anne will ask Sun if they will agree to this being re-styled as an OASIS document and posted on the TC Web page.

-----------------------------------------------------------------
Tim Moses 613.270.3183