OASIS eXtensible Access Control Markup Language (XACML) TC

    Posted 10-24-2003 15:20


    Subject: DRAFT minutes from F2F


    Here are my notes from the F2F meeting this week. I welcome review and 
    input from those who attended (if possible before the next concall).
    
    I think that the meeting was quite successful in providing understanding 
    on the requirements, goals and definitions of the Work Items proposed 
    for version two. From the discussions it is apparent that XACML will be 
    tackling some complex issues, but the general feeling seems to be that 
    we now have enough common understanding to move forward effectively via 
    concall and mailing list.
    
    b
    
    +++
    
    F2F Meeting – Oct. 20, 2003 – BEA, San Jose
    
    Attendance:
    Frank Siebenlist
    Anne Anderson
    Tim Moses
    Polar Humenn
    Daniel Engovatov
    Bill Parducci
    Michiharu Kudo
    Michael McIntosh
    Anthony Nadalin
    MaryAnn Hondo
    Jacques Durand
    Hal Lockhart
    
    Reviewed Work Items:
    (minutes refer to discussion topics by Work Item number)
    
    2. Seth is now Champion for the modified version of this WI. A new item 
    (#41) has been created to cover generalizing classification of entities 
    and declaration (third schema to represent?). Daniel will address this 
    by Nov. 3.
    
    7. Proposes that condition references be used to allow for reuse of 
    conditions. Limited to conditions within the same policy. Proposal is 
    fairly complete and is ready for review and decision.
    
    8. Proposes that rule references be used to allow for reuse of rules. 
    May span across policies. This implies that the rule becomes the lowest 
    administrative unit. This is dependent upon the decision of #19. 
    Decision of the group is that #19 is not valid since the use case may be 
    resolved by having policies containing single rules.
    
    9. Proposes extended syntax to address hierarchical Subjects, Actions and 
    Resources. Concern is that it is Resource specific and that it may be 
    difficult to address the intricacies of any given Resource domain. 
    It was decided that hierarchical policies and hierarchical requests (new 
    WI, #42) be split apart for discussion and consideration.
    
    10. Proposes extended syntax for Combining Algorithms to allow for the 
    influence of rule combination evaluation by parameters of the rules 
    themselves. There is general agreement on the value of this approach, 
    however it is not thought to be widely required. Therefore the feeling 
    is that this should be handled via an extension point added to the 
    schema. This WI is therefore closed and the topic taken up in #11.
    
    12. Proposes environment attributes for Target. VOTE: approve as 
    proposed – 8 FOR, 1 Abstain (Daniel, pending discussion of function 
    extensions). Closed.
    
    16. Determined that this doesn’t introduce anything new to 
    specification. Closed.
    
    17. Determined that this doesn’t introduce anything new to 
    specification. Closed.
    
    19. Closed in conjunction with discussion of #8.
    
    26. Satisfied by existing specification using Policy Combination 
    Algorithm. Closed.
    
    29. Proposes delegation of policy combination with the constraint that 
    authorization assertions be passed with requests from remote (trusted) 
    systems. The scope to the problem is not fully understood by the group 
    and the proposal was made to pursue administrative policy solutions 
    first, then return to this issue. Also includes #38 (placing conditions 
    on members of the delegation chain for operating on policies.)
    
    30. Proposes that policy may be passed with an access request. There is 
    concern that this will create issues with combinations of other 
    applicable policies. It has been suggested that the use case may 
    be addressed by making a remote PAP accessible to the local PDP. This 
    mechanism is related to #29 & #38 and will be discussed in the context 
    of these issues.
    
    35. Proposes that there is policy specifically developed to cover the 
    return of missing attributes in decisions with Not Applicable results. 
    It has been suggested that this is covered by the current specification. 
    Documentation that details how this may be treated in XACML needs to be 
    generated.
    
    36. Proposes that a PDP have a formally defined access control mechanism 
    for downstream PDPs. This is not consistent with what was generally 
    understood by the group from the original WI. There is concern that the 
    scope of this problem is outside of what is practically addressable in 
    XACML. Further clarification is necessary. This will likely tie into the 
    discussion of #29, #30 & #38.
    
    37. Proposes a shorthand model for passing multiple elements. Deferred 
    until tomorrow (rest of group arrives).
    
    38. Covered in #30. Deferred pending outcome of #30.
    
    40. Proposes optimized Policy query in SAML. Two non-conflicting 
    proposals are on the table. This will be discussed further on the e-mail 
    list.
    
    +++
    
    F2F Meeting – Oct. 21, 2003 – BEA, San Jose
    
    Attendance:
    Frank Siebenlist
    Anne Anderson
    Tim Moses
    Polar Humenn
    Daniel Engovatov
    Simon Godik
    Bill Parducci
    Michiharu Kudo
    Michael McIntosh
    Rebekah Lepro
    Hal Lockhart
    Steve Anderson
    
    Reviewed the discussions of Monday’s meeting.
    
    Anne provided a historical review of derivation of single attribute 
    value model in current spec.
    
    (minutes refer to discussion topics by Work Item number)
    
    37. Based on the general belief that this proposal will not affect XPath 
    attribute queries, the consensus is that this item be approved pending 
    further clarification (cardinality & descriptive schema changes). Rebekah 
    will provide a first pass at the changes for the Editor.
    
    Hierarchical authorization issues:
    
    9. Resources – If you want to support requests that specify the resource 
    as a hierarchy (specifically, XML), there must be an instance at the 
    request. Wildcards are allowed in hierarchical policies.
    
    42. Requests – hierarchical resource requests MUST use the “scope” 
    attribute when intentionally requesting resources with subordinate data 
    members (vs. using /* in an XPath expression). Clarification is required 
    to define the response for situations where hierarchical resources 
    without descendants are queried for descendant access.
    
    Policy Administration:
    
    A number of proposals were discussed, however no clear solution arose as 
    the majority of the session involved the expression of the requirements.
    
    A higher order requirement proposed by Frank is the ability to evaluate 
    policies taking into consideration “admin” of the policy to allow for 
    policy chain decisions.
    
    +++
    
    F2F Meeting – Oct. 22, 2003 – BEA, San Jose
    
    Attendance:
    Frank Siebenlist
    Anne Anderson
    Tim Moses
    Polar Humenn
    Simon Godik
    Bill Parducci
    Michael McIntosh
    Rebekah Lepro
    Hal Lockhart
    Steve Anderson
    Anthony Nadalin
    MaryAnn Hondo
    Jacques Durand
    
    Reviewed the discussions of Tuesday’s meeting.
    
    Anne reviewed her Administrative Policy proposal. Frank and Polar will 
    post their respective AP proposals to the mailing list.
    
    Anne & Tim proposed that the XACML TC continue its work on the current 
    WSPL proposal, focusing on the authorization policy constraints of Web 
    Services. The premise is that this work adopt/integrate the efforts of 
    proposed policy advertising committees (as yet undefined in OASIS & 
    W3C). Until such time the group would provide examples of how this 
    mechanism would work; the intent of the group is that this non-normative 
    output would be replaced/merged with forthcoming standards in this area.
    
    Scope of proposed work:
    
    1. Subset of XACML suitable for describing conditions on access control 
    related attributes that are: (1) required for accessing a service; (2) 
    available for a presentation service accessor. NORMATIVE.
    
    2. Combining subset instances from above to determine a mutually 
    acceptable set of access control related attributes. NORMATIVE.
    
    3. Examples of how such instances are associated with WSDL at message, 
    operation port type, etc. NON-NORMATIVE.
    
    The group decided that this scope is acceptable and that work will 
    continue as defined above.
    
    Tim reviewed an approach for LDAP storage of policies to address 
    many-to-many PDP/PAP relationships. The topic was also raised as to 
    whether remote policy requests should be considered.
    