Subject: Re: [xacml] DRAFT minutes from F2F
Bill, you did a great job. You even managed to contribute while
taking minutes!
Anne
Comments below:
On 24 October, bill parducci writes: [xacml] DRAFT minutes from F2F
> F2F Meeting – Oct. 20, 2003 – BEA, San Jose
>
> Attendance:
> Frank Siebenlist
> Anne Anderson
> Tim Moses
> Polar Humenn
> Daniel Engovatov (observer)
> Bill Parducci
> Michiharu Kudo
> Michael McIntosh (prospective member)
> Anthony Nadalin
> MaryAnn Hondo (observer)
> Jacques Durand (prospective member)
> Hal Lockhart
>
> Reviewed Work Items:
> (minutes refer to discussion topics by Work Item number)
>
> 2. Seth now Champion for the modified version of this WI. A new item
Clarification:
This work item was not actually changed. There was some
clarification: it refers to information needed to configure a
PDP, included either in a Request, in a Policy, or possibly in a
3rd document type.
> (#41) has been created to cover generalizing classification of entities
> and declaration (third schema to represent?) Daniel will address this
Clarify:
Daniel will address #41, not #2.
> by Nov. 3.
>
> 7. Proposes that condition references be used to allow for reuse of
> conditions. Limited to conditions within the same policy. Proposal is
Provide the rationale:
"reuse of conditions in Rules that may have different Targets."
> fairly complete and is ready for review and decision.
>
> 8. Proposes that rule references be used to allow for reuse of rules.
> May span across policies. This implies that the rule becomes the lowest
> administrative unit. This is dependent upon the decision of #19.
> Decision of the group is that #19 is not valid since the use case may be
> resolved having policies containing single rules.
Clarify:
Not so much that #19 is "not valid" as that it is "not needed".
I think this item is now closed.
#8 is also not needed, for same reason, and is now closed.
>
> 9. Proposes extended syntax to address hierarchical Subject, Actions and
> Resources. Concern is that it is Resource specific and that it may be
> difficult to address the intricacies of any given Resource domain.
> It was decided that hierarchical policies and hierarchical requests (new
> WI, #42) be split apart for discussion and consideration.
>
> 10. Proposes extended syntax for Combining Algorithms to allow for the
> influence of rule combination evaluation by parameters of the rules
> themselves. There is general agreement on the value of this approach,
> however it is not thought to be widely required. Therefore the feeling
> is that this should be handled via an extension point added to the
> schema. This WI is therefore closed and the topic taken up in #11.
>
> 12. Proposes environment attributes for Target. VOTE: approve as
> proposed – 8 FOR, 1 Abstain (Daniel, pending discussion of function
> extensions). Closed.
>
> 16. Determined that this doesn’t introduce anything new to the
> specification. Closed.
>
> 17. Determined that this doesn’t introduce anything new to the
> specification. Closed.
>
> 19. Closed in conjunction with discussion of #8.
>
> 26. Satisfied by existing specification using Policy Combination
> Algorithm. Closed.
Correction:
This item is not satisfied using any sort of policy combination
algorithm. It is closed because there is not a strong use case
for the XACML 2.0 time frame and it would be difficult to
implement due to semantic complexities.
> 29. Proposes delegation of policy combination with the constraint that
Clarification:
delegation of policy evaluation and combination
> authorization assertions be passed with requests from remote (trusted)
> systems. The scope of the problem is not fully understood by the group
> and the proposal was made to pursue administrative policy solutions
> first, then return to this issue. Also includes #38 (placing conditions
> on members of the delegation chain for operating on policies.)
>
> 30. Proposed that policy may be passed with an access request. There is
> concern that this will create issues with combinations of other
> applicable policies. It has been suggested that the use case may
> be addressed by making remote PAP accessible to local PDP. This
> mechanism is related to #29 & #38 and will be discussed in the context
> of these issues.
>
> 35. Proposes that there is policy specifically developed to cover the
> return of missing attributes in decisions with Not Applicable results.
> It has been suggested that this is covered by the current specification.
> Documentation that details how this may be treated in XACML needs to be
> generated.
>
> 36. Proposes that the PDP have a formally defined access control mechanism to
> downstream PDPs. This is not consistent with what was generally
> understood by the group from the original WI. There is concern that the
> scope of this problem is outside of what is practically addressable in
> XACML. Further clarification is necessary. This will likely tie into the
> discussion of #29, #30 & #38.
>
> 37. Proposes a shorthand model for passing multiple elements. Deferred
> until tomorrow (rest of group arrives).
>
> 38. Covered in #30. Deferred pending outcome of #30.
>
> 40. Proposes optimized Policy query in SAML. Two non-conflicting
> proposals are on the table. This will be discussed further on the e-mail
> list.
Correction:
Nothing is "optimized". Proposed a general Policy Assertion and
Policy Query in SAML. Two non-conflicting proposals: one creates
an XACMLPolicyStatement and XACMLPolicyQuery, while other one
creates a SAML PolicyStatement and PolicyQuery, from which the
XACML-specific forms would be derived.
> +++
>
> F2F Meeting – Oct. 21, 2003 – BEA, San Jose
>
> Attendance:
> Frank Siebenlist
> Anne Anderson
> Tim Moses
> Polar Humenn
> Daniel Engovatov
> Simon Godik
> Bill Parducci
> Michiharu Kudo
> Michael McIntosh
> Rebekah Lepro
> Hal Lockhart
> Steve Anderson
>
> Reviewed the discussions of Monday’s meeting.
>
> Anne provided a historical review of the derivation of the single attribute
> value model in the current spec.
>
> (minutes refer to discussion topics by Work Item number)
>
> 37. Based on the general belief that this proposal will not affect XPath
> attribute queries, the consensus is that this item be approved pending
> further clarification (cardinality & descriptive schema changes). Rebekah
> will provide a first pass at the changes for the Editor.
>
> Hierarchical authorization issues:
>
> 9. Resources – If you want to support requests that specify the resource
> as a hierarchy (specifically, XML), there must be an instance at request.
> Wildcards are allowed in hierarchical policies.
Clarification:
"policies about hierarchical entities" rather than "hierarchical policies"
>
> 42. Requests – hierarchical resource requests MUST use the “scope”
> attribute when intentionally requesting resources with subordinate data
> members (vs. using /* in an XPath expression). Clarification is required
> to define how responses for situations where hierarchical resources
> without descendants are queried for descendant access.
>
> Policy Administration:
>
> A number of proposals were discussed, however no clear solution arose as
> the majority of the session involved the expression of the requirements.
>
> A higher order requirement proposed by Frank is the ability to evaluate
> policies taking into consideration “admin” of the policy to allow for
> policy chain decisions.
>
> +++
>
> F2F Meeting – Oct. 22, 2003 – BEA, San Jose
>
> Attendance:
> Frank Siebenlist
> Anne Anderson
> Tim Moses
> Polar Humenn
> Simon Godik
> Bill Parducci
> Michael McIntosh
> Rebekah Lepro
> Hal Lockhart
> Steve Anderson
> Anthony Nadalin
> MaryAnn Hondo
> Jacques Durand
>
> Reviewed the discussions of Tuesday’s meeting.
>
> Anne reviewed her Administrative Policy proposal. Frank and Polar will
> post their respective AP proposals to the mailing list.
>
> Anne & Tim proposed that the XACML TC continue its work on the current
> WSPL proposal, focusing on the authorization policy constraints of Web
> Services. The premise is that this work adopt/integrate the efforts of
> proposed policy advertising committees (as yet undefined in OASIS &
> W3C). Until such time the group would provide examples of how this
> mechanism would work; the intent of the group is that this non-normative
> output would be replaced/merged with forthcoming standards in this area.
>
> Scope of proposed work:
>
> 1. Subset of XACML suitable for describing conditions on access control
> related attributes that are: (1). required for accessing a service; (2).
> available for a presentation service accessor. NORMATIVE.
>
> 2. Combining subset instances from above to determine a mutually
> acceptable set of access control related attributes. NORMATIVE.
>
> 3. Examples of how such instances are associated with WSDL at message,
> operation port type, etc. NON-NORMATIVE.
>
> The group decided that this scope is acceptable and that work will
> continue as defined above.
>
> Tim reviewed an approach for LDAP storage of policies to address
> many-to-many PDP/PAP relationships. The topic was also raised as to
> whether remote policy requests should be considered.
>
--
Anne H. Anderson                 Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311      Tel: 781/442-0928
Burlington, MA 01803-0902 USA    Fax: 781/442-1692