Note: Erik called my attention to a couple of
corrections (prefixed by "correction #") below,
plus asked if we had quorum which we did, also
noted below.
Minutes of XACML TC mtg: 3-Jul-08:
Time: 10:00 am EDT
Tel: 512-225-3050 Access Code: 65998
Attendance:
Voting Members
Erik Rissanen Axiomatics AB
Anthony Nadalin IBM
Rich Levinson Oracle Corporation
Hal Lockhart Oracle Corporation
Anil Saldhana Red Hat
Seth Proctor Sun Microsystems
David Staggs Veterans Health Administration
7 of 8 voting members present => we had quorum
Members
Duane DeCouteau Veterans Health Administration
OASIS Staff
Dee Schur OASIS
Note:
Next call in 2 weeks. Hal will probably not
be able to chair.
Agenda: ("Minutes" after each agenda item)
10:00 - 10:05 Roll Call & Minutes Approval
Vote on Minutes from 19 June TC Meeting
http://lists.oasis-open.org/archives/xacml/200806/msg00043.html
Minutes approved.
10:05 - 10:10 Administrivia
XACML Interop Update
http://lists.oasis-open.org/archives/xacml/200806/msg00038.html
Dee: go to forum page: xacml listed Wed PM.
Cost is $500/participant company (get main castle room)
Need commitments
Erik in
Tony - depends, for now, we're
Anil (red hat) in
David (VA) not present
Rich - probably not in
Dee says Sampo is probably in
Duane will participate in mtgs and fill in details
SVN Status - Waiting for word from Jamie
Legal issues on source control, still waiting
for details
Std boiler plate - issue by Deviant people if they
can use pieces of schemas etc.
OGF document released for public comment: "Use of XACML RequestContext..."
http://lists.oasis-open.org/archives/xacml/200806/msg00049.html
Robin Cover distributed it; the geospatial people want to standardize
around the request/response protocol.
A dynamic revocation model for XACML
http://lists.oasis-open.org/archives/xacml/200807/msg00000.html
Attributes of delegate when issued policy, if interested
read paper - whether current admin can revoke policies
created by previous admin.
Relies on attributes saved and signatures and is "somewhat
heavy to implement"
10:10 - 11:00 Issues
Issues #71 and #76 (multi-categories)
http://lists.oasis-open.org/archives/xacml/200806/msg00041.html
Supporting multiple intermediaries, codebases. Hal now
agrees w Erik, don't want to add new functionality
for this.
WS-XACML Review
http://lists.oasis-open.org/archives/xacml/200806/msg00029.html
Hal: potentially a solution to reqt how do you know
what attr should be provided to PDP. Vocab could
be gleaned from policies, create an xml document
and say that is vocabulary, etc.
Erik: think it's fine, raises reasonable things, if there
is a demand from users should consider moving it forward.
Hal: if going to req from pdp, what attr to provide.
Erik: also contains privacy policy, how enforced.
Hal: philosophy same as obligations
Erik: Anne sent ref to paper that describes protocol
setting to enforce - is concerned whether possible to
enforce at all.
Hal: privacy work was with some academic people, but can
also be used for other purposes than privacy. As much
as possible leveraging machinery that already exists
access to pdp engines that already contain parsing
Erik: xpath concern in there, WS-Policy dropped ignorable.
Anne had restriction on xpath that there would always
be unique - does not think it is sufficient, because can
use different namespaces to get around.
Hal: still hopeful Daniel can get back in.
Passing parameters to the attribute designator
http://lists.oasis-open.org/archives/xacml/200806/msg00042.html
From Anil Tappetla: Erik has been considering it, understands the
need for parameters, but is not sure policy is the right place
for it. Any semantics? Need to provide a use case to
better understand the issue.
Hal: maybe part of vocabulary, what is syntax of attrs
that policy can be found and how do you find them.
Erik: without more info would be inclined to say no.
Security considerations for the access-permitted function
http://lists.oasis-open.org/archives/xacml/200806/msg00044.html
Erik: in general fcn may not terminate. Limit on depth
is a problem. Propose a limit either in std or impl
based in metadata.
Hal: this might be useful in metadata.
Hal: attacker could send poison policy to mess up system.
Correction #1: Erik called my attention to the fact that
it was decided to accept the proposal in msg00044.
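An added example, not from the minutes or any XACML implementation, of the depth limit discussed above: a toy PDP whose access-permitted function counts its own nesting depth and returns Indeterminate instead of looping on a self-referential policy. The policy shape, the names and the limit value (8) are hypothetical.

```python
# Added example, not from the minutes or any XACML product: a toy PDP whose
# access-permitted function enforces a nesting-depth limit. Policy shape,
# names and the limit value (8) are hypothetical.
from typing import Callable, List, Tuple

Request = Tuple[str, str, str]          # (subject, resource, action), constructed
Policy = Tuple[Request, Callable[["PDP"], str]]  # (target, rule -> Permit/Deny)

class DepthExceeded(Exception):
    pass

class PDP:
    def __init__(self, policies: List[Policy], max_depth: int = 8):
        self.policies = policies
        self.max_depth = max_depth  # would realistically come from PDP metadata
        self._depth = 0             # current access-permitted nesting depth
        self.calls = 0              # policy evaluations made by the last decision

    def access_permitted(self, req: Request) -> bool:
        # The function rules call; each nested call deepens the evaluation.
        self._depth += 1
        try:
            if self._depth > self.max_depth:
                raise DepthExceeded(self._depth)
            return self._evaluate(req) == "Permit"
        finally:
            self._depth -= 1

    def _evaluate(self, req: Request) -> str:
        self.calls += 1
        for target, rule in self.policies:
            if target == req:
                return rule(self)
        return "NotApplicable"

    def decide(self, req: Request) -> str:
        self._depth, self.calls = 0, 0
        try:
            return self._evaluate(req)
        except DepthExceeded:
            return "Indeterminate"  # bounded failure instead of a hang

POLICIES: List[Policy] = [
    (("alice", "report", "read"),
     lambda pdp: "Permit" if pdp.access_permitted(("bob", "report", "read")) else "Deny"),
    (("bob", "report", "read"), lambda pdp: "Permit"),
    # Constructed self-referential policy: with no limit this never terminates
    # (in Python it would end in a RecursionError; in a PDP, a hang).
    (("mallory", "vault", "open"),
     lambda pdp: "Permit" if pdp.access_permitted(("mallory", "vault", "open")) else "Deny"),
]
```

With the limit in place the self-referential policy costs exactly max_depth + 1 policy evaluations and yields Indeterminate, while the legitimate one-level delegation still resolves to Permit.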
Issue 88, general xpath functions again
http://lists.oasis-open.org/archives/xacml/200806/msg00045.html
Either general library or specific subset. xpath contains
data types that do not fit xacml in any way.
Craig/Erik: propose we make up specific fcns and refer to
xpath and not plug into full xpath.
Hal: purpose is manipulating request context.
Erik: this is our identifier and the function does the same
thing as the xpath spec.
Erik: we defined general import, but not a good idea, then
imported subset and found problems there. Now suggesting
we just have identifiers that have limited interpretation
but are equivalent to selected xpath specifics
Issue 89, Adding a description element
http://lists.oasis-open.org/archives/xacml/200806/msg00047.html
Either add to expression type or to apply. If you add to
apply will be more generally pervasive.
Correction #2: Erik called my attention to the fact that
it was also decided to accept the proposal in msg00047.
A problem in the multiple resource profile
http://lists.oasis-open.org/archives/xacml/200806/msg00048.html
Erik: in the policy can specify xpath version. Mult res prof
req does not have similar identification of version.
Add an element for 3.0
The duration data types
http://lists.oasis-open.org/archives/xacml/200807/msg00001.html
Looks like oversight. However, if we add it then some of
fcns there become redundant.
Hal: intro new ones and give warning redundant will be
removed in future. Sometimes convenient to keep around.
Erik: adding date/time and year/month not the same.
Hal