OASIS eXtensible Access Control Markup Language (XACML) TC

Minutes of XACML TC mtg: 3-Jul-08 w corrections

    Posted 07-17-2008 04:40
    	Note: Erik called my attention to a couple of 
    	corrections (prefixed by "correction #") below,
    	plus asked if we had quorum which we did, also
    	noted below.
    
    Minutes of XACML TC mtg: 3-Jul-08:
    
    Time: 10:00 am EDT
    Tel: 512-225-3050 Access Code: 65998
    
     Attendance:
    
    Voting Members
    
    Erik Rissanen  	Axiomatics AB
    Anthony Nadalin IBM
    Rich Levinson 	Oracle Corporation
    Hal Lockhart 	Oracle Corporation
    Anil Saldhana 	Red Hat
    Seth Proctor 	Sun Microsystems
    David Staggs 	Veterans Health Administration
    
     7 of 8 voting members present => we had quorum
    
    Members
    
    Duane DeCouteau 	Veterans Health Administration
    
    OASIS Staff
    
    Dee Schur 		OASIS
    
      Note:
    
    	Next call in 2 weeks. Hal will probably not
    	 be able to chair.
    
    Agenda: ("Minutes" after each agenda item)
    
    10:00 - 10:05 Roll Call & Minutes Approval
       Vote on Minutes from 19 June TC Meeting
       http://lists.oasis-open.org/archives/xacml/200806/msg00043.html
    
    	Minutes approved.
    
    10:05 - 10:10 Administrivia
       XACML Interop Update
       http://lists.oasis-open.org/archives/xacml/200806/msg00038.html
    
         Dee:  go to forum page: xacml listed Wed PM.
    	Cost is $500/participant company (get main castle room)
    	Need commitments
    	  Erik in
    	  Tony - depends, for now, we're
    	  Anil (red hat) in
    	  David (VA) not present
    	  Rich - probably not in
    	  Dee says Sampo is probably in
    
    	Duane will participate in mtgs and fill in details
    
    
       SVN Status - Waiting for word from Jamie
    
    	Legal issues on source control, still waiting
    	 for details
    	Std boiler plate - issue by Deviant people if they
    	 can use pieces of schemas etc.
    
       OGF document released for public comment: "Use of XACML RequestContext..."  
       http://lists.oasis-open.org/archives/xacml/200806/msg00049.html
    
    	Robin Cover distributed - geo space people want to stdize
    	 around req/rsp protocol
    
       A dynamic revocation model for XACML
       http://lists.oasis-open.org/archives/xacml/200807/msg00000.html
    
    	Attributes of delegate when issued policy, if interested
    	 read paper - whether current admin can revoke policies
    	 created by previous admin.
    	Relies on attributes saved and signatures and is "somewhat
    	 heavy to implement"
    
    10:10 - 11:00 Issues
       Issues #71 and #76 (multi-categories)
       http://lists.oasis-open.org/archives/xacml/200806/msg00041.html
    
    	Supporting multiple intermediaries, codebases. Hal now
    	 agrees w Erik, don't want to add new functionality
    	 for this.
    
       WS-XACML Review
       http://lists.oasis-open.org/archives/xacml/200806/msg00029.html
    
    	Hal: potentially a solution to reqt how do you know
    	 what attr should be provided to PDP. Vocab could
    	 be gleaned from policies, create an xml document
    	 and say that is vocabulary, etc.
    
    	Erik: think it's fine, raises reasonable things, if there
    	 is a demand from users should consider moving it forward.
    	
    	Hal: if going to req from pdp, what attr to provide.
    
    	Erik: also contains privacy policy, how enforced.
    
    	Hal: philosophy same as obligations
    
    	Erik: Anne sent ref to paper that describes protocol
    	 setting to enforce - is concerned whether possible to
    	 enforce at all.
    
    	Hal: privacy work was with some academic people, but can
    	 also be used for other purposes than privacy. As much
    	 as possible leveraging machinery that already exists
    	 access to pdp engines that already contain parsing
    
    	Erik: xpath concern in there, WS-Policy dropped ignorable.
    	 Anne had restriction on xpath that there would always
    	 be unique - does not think it is sufficient, because can
    	 use different namespaces to get around.
    
    	Hal: still hopeful Daniel can get back in.
    
       Passing parameters to the attribute designator
       http://lists.oasis-open.org/archives/xacml/200806/msg00042.html
    
    	From Anil Tappetla: Erik has been considering, understands
    	 need for parameters, but not sure policy is right place
    	 for it. Any semantics? Need to provide a use case to
    	 better understand the issue.
    
    	Hal: maybe part of vocabulary, what is syntax of attrs
    	 that policy can be found and how do you find them.
    	Erik: without more info would be inclined to say no.
    
       Security considerations for the access-permitted function
       http://lists.oasis-open.org/archives/xacml/200806/msg00044.html
    
    	Erik: in general fcn may not terminate. Limit on depth
    	 is a problem. Propose a limit either in std or impl
    	 based in metadata.
    
    	Hal: this might be useful in metadata.
    
    	Hal: attacker could send poison policy to mess up system.
    
    	Correction #1: Erik called my attention to the fact that
    	 it was decided that we decided to accept the proposal
    	 in msg00044.
    
       Issue 88, general xpath functions again
       http://lists.oasis-open.org/archives/xacml/200806/msg00045.html
    
    	Either general library or specific subset. xpath contains
    	 data types that do not fit xacml in any way.
    	Craig/Erik: propose we make up specific fcns and refer to
    	 xpath and not plug into full xpath.
    	Hal: purpose is manipulating request context.
    	Erik: this is our identifier and the functions do the same
    	 thing as the xpath spec.
    	Erik: we defined general import, but not a good idea, then
    	 imported subset and found problems there. Now suggesting
    	 we just have identifiers that have limited interpretation
    	 but are equivalent to selected xpath specifics
    
       Issue 89, Adding a description element
       http://lists.oasis-open.org/archives/xacml/200806/msg00047.html
    
    	Either add to expression type or to apply. If you add to
    	 apply will be more generally pervasive.
    
    	Correction #2: Erik called my attention to the fact that
    	 it was also decided that we decided to accept the proposal
    	 in msg00047.
    
       A problem in the multiple resource profile
       http://lists.oasis-open.org/archives/xacml/200806/msg00048.html
    
    	Erik: in the policy can specify xpath version. Mult res prof
    	 req does not have similar identification of version.
    	 Add an element for 3.0
    
       The duration data types
       http://lists.oasis-open.org/archives/xacml/200807/msg00001.html
    
    	Looks like oversight. However, if we add it then some of 
    	 fcns there become redundant.
    	Hal: intro new ones and give warning redundant will be
    	 removed in future. Sometimes convenient to keep around.
    	Erik: adding date/time and year/month not the same.
    
    Hal
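The access-permitted discussion above (evaluation that may not terminate, a depth limit, a poison policy) as an added example that is not code from the TC or from any XACML implementation: a toy evaluator with a constructed rule format, in which `Evaluator`, `Rule`, `access_permitted` and the sample rule sets are all assumptions, that turns an exceeded nesting depth into an Indeterminate decision instead of a hang.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List
Attrs = Dict[str, str]

class DepthLimitExceeded(Exception):
    """Raised when nested access-permitted calls exceed the configured depth."""

@dataclass
class Rule:
    rule_id: str
    effect: str  # "Permit" or "Deny"
    condition: Callable[["Evaluator", Attrs, int], bool]  # may call access_permitted

class Evaluator:
    def __init__(self, rules: List[Rule], max_depth: int) -> None:
        self.rules = rules
        self.max_depth = max_depth  # the limit the minutes propose (std or impl metadata)

    def access_permitted(self, attrs: Attrs, depth: int) -> bool:
        """Nested query against the same policy, as the access-permitted function does."""
        if depth > self.max_depth:
            raise DepthLimitExceeded(f"depth {depth} exceeds limit {self.max_depth}")
        return self.evaluate(attrs, depth) == "Permit"

    def evaluate(self, attrs: Attrs, depth: int = 0) -> str:
        for rule in self.rules:  # first-applicable combining over the rule list
            if rule.condition(self, attrs, depth):
                return rule.effect
        return "NotApplicable"

    def decide(self, attrs: Attrs) -> str:
        """Top-level entry: an exceeded depth limit becomes Indeterminate, not a hang."""
        try:
            return self.evaluate(attrs)
        except DepthLimitExceeded:
            return "Indeterminate"

# Constructed rules: "read" is permitted if the same subject may "view" (one nested query).
SANE_RULES = [
    Rule("read-if-view", "Permit", lambda ev, a, d: a["action"] == "read"
         and ev.access_permitted({**a, "action": "view"}, d + 1)),
    Rule("view-managers", "Permit", lambda ev, a, d: a["action"] == "view"
         and a["role"] == "manager"),
]
# Constructed "poison" rule: it re-asks the original question, so it never terminates without a limit.
POISON_RULES = [Rule("self-referential", "Permit",
                     lambda ev, a, d: ev.access_permitted(a, d + 1))]

def decide(rules: List[Rule], attrs: Attrs, max_depth: int = 8) -> str:
    return Evaluator(rules, max_depth).decide(attrs)
```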
    
    