Minutes of XACML TC Conference Call
Jan. 23, 2003

Scribe: Anne Anderson

Present: Anne Anderson, Steve Anderson, Carlisle Adams, Michiharu Kudo, Bill Parducci, Simon Godik.
Regrets: Tim Moses, Hal Lockhart.

1. Roll call and approval of previous minutes.

   Present: Anne Anderson, Steve Anderson, Carlisle Adams, Michiharu Kudo, Bill Parducci, Simon Godik.
   Regrets: Tim Moses, Hal Lockhart.

   Did not have quorum, so did not approve previous minutes.

   Ken Yagen has asked for a one-month leave of absence.

2. Michiharu: report on XACML's position in Web Services Security specifications.

   Did not have time to go through all the specifications. Personal opinion is XACML is related to WS-Trust, WS-PolicyAttachments, and WS-Authorization.

   PolicyAttachments description of policy is similar to XACML, but there are many differences. XACML is focused on access control policy, but WS-Policy is not.

   WS-Trust has good relationship with XACML, because it returns security tokens in response to token request, so this is like XACML Request, Response. WS-Trust has no text saying XACML interface can be used, but it would be possible. The authorization assertion (A can access B, in a decision saying PDP returns Permit) could be a token. Use case: XACML used as back of WS-Trust server to generate generic XACML response context as a security token.

   WS-Authorization: Michiharu has no information about this specification or what it means. XACML might be one instance of WS-Authorization, but it may not. No one actively working on this specification and no time frame that Michiharu has heard of.

   Carlisle asked about WS-Privacy. Michiharu says this specification is not available on the web site, so he can't say anything about it. Someone is working on this specification.

   Simon asked about new TC that will look at IBM's WS Security specifications (WS-Policy, or whole suite), taking XACML (and other things) into account. Simon understands there is such a TC forming, or might be a section in WS Security Framework. Discussed at last WS Security conference call. Tim Moses brought it up, and got assurances from Microsoft and IBM that they will be open to input of people such as XACML participants for completion of authorization standards within the WS Security framework.

3. Anne: XACML Digital Signature Profile status.

   First draft issued to XACML mailing list. Anne will be issuing a new version of the profile incorporating comments received internally.

   Simon: look at the SAML Recommendations for using Digital Signature. Need to say why certain transforms used in SAML and not in XACML.

   ACTION ITEM: [Anne] look at SAML DSig profile and use it to update and re-issue the XACML profile. Explain any differences between the SAML recommendations and those in XACML.

4. Simon: report on Errata

   Has been tracking comments coming in, but nothing we need to discuss on this call.

   There will be an Errata document maintained on the XACML web site containing errors in the XACML 1.0 Specification. Will contain anything we can't change in the 1.0 document as part of final standardization edit.

5. Carlisle: Status of XACML voting so far.

   30 Yes, 3 abstain (Microsoft, Authentica, I-Many), 1 No (Ram Kumar, MSI Business Solutions, due to IPR issues not clear). About 300 members, so a few more Yes votes (and no changes in current Yes votes) will get XACML through.

   The TC can't do anything about clarifying the IPR issues, so we will not be able to make any changes in response to Kumar's No vote.

Next conference call will be Feb. 6, 10am EST, 512-225-3050 access code 65998.

--
Anne H. Anderson                Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA   Fax: 781/442-1692