OASIS eXtensible Access Control Markup Language (XACML) TC


[xacml] Fwd: Updated Minutes of XACML F2F 30 July - 1 Aug 2002


    Posted 08-02-2002 01:04
See attached mail message.

Anne Anderson
Anne.Anderson@Sun.COM
Internet Security Research Group, Sun Labs
Sun Microsystems, Inc., Burlington, MA

--- Begin Message ---
From: Anne Anderson <aha@ieee.org>
To: Anne.Anderson@Sun.COM
Date: Thu, 1 Aug 2002 20:59:59 -0400

Title: Minutes of XACML Face-to-Face Meeting
Date: 30 July 2002 - 1 Aug 2002
Location: Hitachi/Quadrasis, Waltham, MA
Scribe: Anne Anderson

CONTENTS
========
ATTENDEES
AGENDA
ACTION ITEMS
DECISIONS
NOTES ON LDAP PROFILE PRESENTATION

Separate documents:
  policy schema 16e (to be mailed by Simon)
  context schema 16e (to be mailed by Simon)
  Attribute Designator Examples
  identifiers
  Schema Issues [resolutions]

Preliminary versions of various documents were mailed earlier, but updated documents replace those.

========================================================================

ATTENDEES
=========
Polar Humenn, Hal Lockhart, Don Flinn, Anne Anderson, Bill Parducci, Carlisle Adams, Simon Godik, Tim Moses, Daniel Engovatov, Konstantin [last name?] (parts of 2nd and 3rd day)

AGENDA
======
July 30:
  9:00-12:00   Walkthrough of latest version of document and schema to identify items to be discussed.
  12:00-1:00   Lunch
  1:00-5:00    Combine items from morning and items from schema subcommittee list and discuss and resolve each.

July 31:
  9:00-9:30    Conference call (Michiharu called in)
  9:30-12:00   Continue discussion of items
  12:00-1:00   Lunch
  1:15-1:45    Presentation of LDAP Profile and discussion
  1:45-3:00    Continue quickly going through issues. One possibility is asking someone to develop a proposal during breakout session time.
  3:00-4:30    Breakout work sessions:
               A. Work on identifiers section, review schema
               B. Discuss conformance profiles
               C. Any others
  4:30-5:00    Present results from breakout sessions
  5:00         E-mail minutes to the list

Aug 1:
  9:00-9:30    Conference call (Michiharu called in)
  9:30-10:15   Discuss security and privacy section
  10:15-10:45  Presentation of Conformance Test Cases and discussion
  10:45-15:30  Simon presented updated schema
  15:30-16:45  Polar reviewed combining algorithms, added new one
  16:45-17:00  Brief discussion of next steps

ACTION ITEMS
============
- [All, 14 Aug 2002] All input text for the "final" version of the specification must be submitted. Specific action items called out below.
- [Simon, 1 Aug 2002] Review glossary terms: missing, update.
- [Tim, 15 Aug 2002] Finish Background section. Add Target.
- [Simon, 14 Aug 2002] Add simple example to Example section.
- [Simon, 1 Aug 2002] Update and correct the existing examples in Example section.
- [Tim, 15 Aug 2002] Highlight boxes in XACML Context section to show which pieces are specified by XACML, and which are outside XACML scope.
- [Tim, 15 Aug 2002] Figure 1: update to show PDP has nothing to do directly with the PIP. Replace "PDP" in the figure with a "context constructor" or something like that. PDP interacts only with the "context constructor".
- [Bill, 1 Aug 2002] Check UML-ness of Figure 3 (Tim to give Bill a software copy), and update it.
- [Tim, 15 Aug 2002] Figure 3: add switch under "condition" so it can take function or attribute.
- [Tim, 15 Aug 2002] Section 4: label two "Target" sections appropriately (one is for Rule, other is for PolicyStatement). Make it clear that, regardless of how target is generated, evaluation of policy is the same.
- [Simon, 15 Aug 2002] For each Policy syntax element, specify how PAP deals with it and how PDP deals with it. Information needed to implement the semantics of the element correctly.
- [Bill, 2 Aug 2002] Generate XML Spy representation from the schemas. We will make this available separately from the schema and specification documents.
- [Michiharu, 14 Aug 2002] Update SAML Profile XSLT, including how to put Obligations into a SAML 1.0 AuthorizationQueryResponse.
- [Hal, 14 Aug 2002] Add IPR section (required by OASIS). Discuss IBM's claimed IP on obligations.
- [Anne, 14 Aug 2002] Update "XACML extensibility points" to make sure it includes anything needed for J2SE extensions.
- [Hal, 14 Aug 2002] Write paragraph on pitfalls of negative rules for the "Security and privacy" section.
- [Don, 14 Aug 2002] Write up "threats" for "Security and privacy" section.
- [Michiharu, 14 Aug 2002] Generate XSLT to convert a Response into the minimal form used by Conformance Test cases (i.e. remove any comments, Status).
- [Anne, 14 Aug 2002] Generate list of schema elements, combining algorithms, identifiers, functions, arranged by Section # for Conformance section of document. Each specified as mandatory or not.
- [Tim, 14 Aug 2002] Fold Background references into document references section.
- [Daniel, 14 Aug 2002] Provide editor with Appendix specifying semantics, operand datatypes, and result datatype for each function. Constraints: consistent with approved proposal for issue #59.
- [Michiharu, 14 Aug 2002] Provide usage examples for XPATH.
- [Michiharu, 14 Aug 2002] Provide usage examples that explain use of XPATH with namespaces.
- [Hal, 14 Aug 2002] Word document describing usage of each defined XACML identifier from list produced at F2F.
- [Hal, 14 Aug 2002] Clarify Security and Privacy to say that, as part of the validation of signatures on policies, the validation should ensure that the issuer listed for the policy refers to the same entity as the signer of the policy.
- [Hal, 14 Aug 2002] Eliminate description of RuleDigest and RuleDesignator. We no longer support those.
- [Hal, 14 Aug 2002] Find out proper value for XPathVersion: i.e. is there a URN? Currently using http://www.w3.org/TR/1999/REC-xpath-19991116
- [Anne, 21 Aug 2002] Conformance Tests:
    1) Use 3-4 digit test case numbers for alphabetical ordering
    2) Remove "conforming PAPs" section
    3) Clarify that this is tests for a PDP "successfully using" XACML
    4) Update "Conformance Requirements" section to point to the specification.
- [Anne, mid-Sept 2002] Get comments to Tim on profile for using LDAP to store policies.
- [Simon, 7 Aug 2002] Define container that extends SAML Assertion to hold Policy or PolicySet.
- [Anne, mid-Sept 2002] Update XML Digital Signature profile.
- [Anne, mid-Sept 2002] Send proposal for SAML changes based on our Context to XACML TC list. After TC review and modification, we will send it on to SAML. Deadline for this is SAML's deadline for finalizing their list for 2.0.

DECISIONS
=========
- Keep structure of the specification document the same: with sections labelled Non-normative or Normative. Don't split these out into separate documents.
- Generate XML Spy representation of schemas, but publish this on the web site as a separate document.
- Use only global element references and global type definitions in the schema. Example: Use <xs:element ref="xacml:PolicySetStatement"/>, rather than <xs:element name="PolicySetStatement" type="PolicySetStatementType"/>. Naming convention: if element is "X", type is "XType". Advantages:
    o consistency for readers of the schema.
    o can omit qualified elements and attributes.
    o makes sure names of elements stay the same when the type is the same.
- Put function names and legal type combinations (Section 6) in an appendix.
- Put identifiers (Section 8) in an appendix.
- Put combining algorithms (Section 9) in an appendix.
- Definition: XACML Profiles = a way of using XACML within a particular application context.
- Remove LDAP profile. We did not agree on this profile as described. Note: current LDAP profile is "how to use LDAP to retrieve ID references in XACML", not "how to use XACML to implement LDAP access control".
- Conformance Tests: define "conformance" as taking a Request "consistent with" the specified Request.xml document, and taking the specified Policy.xml document, must produce a Response "consistent with" the specified Response.xml document. "Consistent with" means must be capable of (at least theoretically) being converted algorithmically to the specified Request.xml or Response.xml document.
- "Successfully using" goal is that all mandatory-to-implement functionality be implemented and testable. But, if we don't have 3 fully compliant implementations as we get close to Sept. 1, we can redefine "successfully using" as a subset.
- Remove "Conformance Test" description of "conformant PAP": we can't guarantee that all outputs of a PAP are conformant with the schema.
- Status of commitments to implement XACML by Sept. 1: Simon (OverXeer). CrossLogix can't commit to be compliant by Sept. 1. Reuters is implementing, but we don't know if they can commit for Sept. 1. Carlisle will contact Reuters to see if they will commit. Michiharu (IBM) will do his best, but can't commit.
- Acknowledgements section will include only voting members as of time of approval as an OASIS Committee Specification. Contributors list will include all voting members during the period of specification development.
- If we do not have 3 implementations by Sept. 1, we will still vote to make the specification a Committee Specification, but wait for the next window to submit to OASIS. Meanwhile implementations can continue to progress. OASIS is considering revising rules so that submissions can be made more frequently than every three months. Note: current OASIS rules on handling new issues that come up after submission to OASIS are awkward, and are also under review.
- Add section to document for "Future work items". Not commitments, just "topics we are considering".
- Eliminate RuleDesignator. External rules may no longer be included by reference in a policy. If you want to use external "rules", make the rule the only rule in a policy and refer to the policy by PolicyId in a policy set.
- In PolicySetStatement, remove element "PolicySet": just use a CHOICE of PolicySetStatementId, PolicyStatementId, PolicySetStatement, PolicyStatement, 0..inf.
- Change PolicySetStatement to "PolicySet".
- In PolicyStatement, remove element "RuleSet": just use a CHOICE of Rule, 0..inf.
- Change PolicyStatement to "Policy".
- Make PolicySet collection of policies a sequence 0..inf of choice between Policy and PolicySet.
- Change name <Function> to <Apply>.
- Support for sub-elements and sub-decisions in hierarchical resources is not mandatory. Support for Scope attribute is not mandatory.
- We are providing a normative way for specifying multiple results in a Response, each applying to a specific resource. We are not providing a normative way to generate multiple results. Michiharu has a proposal for a way of generating multiple results for XML resources, but we have not approved the proposal as normative.
- Decide on Thursday, 8 Aug 2002 whether to go to every-other-week TC meetings.
- Committee meeting will occur on Monday, 5 Aug 2002. Anne, Tim, and Carlisle will not be able to attend. At least Hal and Simon will attend.
- From now on, the schema will change only if it is broken. There will be no new functionality, no name changes. Any changes require a TC vote to be accepted.
- Polar will e-mail final text for Combining Algorithms by 7 Aug 2002.
- At TC meeting on 8 Aug 2002, start going through TC Issues document to close or defer all open issues.
- The DSML Profile is normative, but not mandatory to implement. If you retrieve attributes from a repository, you MUST use DSML attribute identifiers.
- Profile for using SAML and XML Signature as envelope for Policy and PolicySet will describe how to use XML DSig to sign referenced policies as well as the referencing document. SAML's use of XML Signature currently would not allow referenced policies to be signed along with the referencing document.
- All profiles can be done independently of the XACML specification, and need not depend on the schedule for the XACML specification. TC members are invited to propose profiles to the TC via the mailing list. Examples: LDAP Profile, SAML Profile, X509 Envelope for Policy and PolicySet.

NOTES ON LDAP USAGE FOR RETRIEVING POLICIES AND POLICYSETS
==========================================================
[slides presented by Tim]
- Should we assume PDP has at least a "template" PolicySetStatement that specifies its PolicyCombiningAlgorithm? Then the PDP (or PRP) queries the policy repository with Request Target information and constructs the PolicySet. Same could apply for constructing a Policy from Rules in a repository.
- Basic issue for either is how to translate Request context information into an LDAP query that corresponds to Target information.
- PAP has to process each PolicyStatement to create an index to PolicyIds from Subject/Attribute, ResourceAttribute, and Action elements in the PolicyStatement Target. Attributes are indexed based on being in the Target, not based on potential inclusion in a Context.
- AttributeValue must be string? No.

--- End Message ---
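As an added illustration of the schema decisions recorded in these minutes (not the TC's schema 16e, which Simon was to mail separately), the XSD fragment below shows the global-element/global-type convention with "X"/"XType" naming, elements included only by `ref`, Policy holding Rule 0..inf with no RuleSet wrapper, and PolicySet holding a sequence 0..inf of a choice between Policy and PolicySet. The namespace URI, the attribute names, and the Rule/Target bodies are placeholders, and the by-Id references from the PolicySet CHOICE are left out.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative sketch only: namespace URI, attribute names and the
     Rule/Target bodies are placeholders, not the TC's schema 16e. -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:xacml="urn:example:xacml-sketch"
           targetNamespace="urn:example:xacml-sketch"
           elementFormDefault="qualified">

  <!-- Every element is declared once, globally, and paired with a global
       type named after it ("X" -> "XType"). Nothing below declares an
       element inline with name="..." type="..."; it only uses ref="...". -->
  <xs:element name="PolicySet" type="xacml:PolicySetType"/>
  <xs:element name="Policy"    type="xacml:PolicyType"/>
  <xs:element name="Rule"      type="xacml:RuleType"/>
  <xs:element name="Target"    type="xacml:TargetType"/>

  <!-- PolicySet: a Target, then a sequence 0..inf of a choice between
       Policy and PolicySet. Referencing the global PolicySet element is
       what makes nesting possible without a separate wrapper element. -->
  <xs:complexType name="PolicySetType">
    <xs:sequence>
      <xs:element ref="xacml:Target"/>
      <xs:choice minOccurs="0" maxOccurs="unbounded">
        <xs:element ref="xacml:Policy"/>
        <xs:element ref="xacml:PolicySet"/>
      </xs:choice>
    </xs:sequence>
    <xs:attribute name="PolicySetId" type="xs:anyURI" use="required"/>
    <!-- Placeholder attribute name for the combining algorithm. -->
    <xs:attribute name="PolicyCombiningAlgorithm" type="xs:anyURI" use="required"/>
  </xs:complexType>

  <!-- Policy: a Target, then Rule 0..inf directly (no RuleSet element). -->
  <xs:complexType name="PolicyType">
    <xs:sequence>
      <xs:element ref="xacml:Target"/>
      <xs:element ref="xacml:Rule" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
    <xs:attribute name="RuleCombiningAlgorithm" type="xs:anyURI" use="required"/>
  </xs:complexType>

  <!-- Placeholder bodies; the real Rule and Target structure is in 16e. -->
  <xs:complexType name="RuleType">
    <xs:sequence><xs:element ref="xacml:Target" minOccurs="0"/></xs:sequence>
    <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
  </xs:complexType>
  <xs:complexType name="TargetType"><xs:sequence/></xs:complexType>
</xs:schema>
```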