OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  [xacml] milan f2f minutes

    Posted 05-06-2002 06:05



    Subject: [xacml] milan f2f minutes


    Raw minutes I took in Milan.
    Simon
     
    Monday, apr 22
    
    Carlisle Adams
    Don Flinn
    Ann Anderson
    Polar Humenn
    Michiharu Kudo
    Simon Godik
    Bill Parducci
    Pierangela Samarati
    Gerald Brose -- Xtradyne -observer
    
    C: Vote to approve minutes of apr 18
    approved.
    
    Attributes in domain specific profiles.
    
    Don Flinn:
    Problem communicating attributes between companies
    Spelling could be different, semantics could be different.
    
    Security models: flat versus hierarchical groups.
    
    How do we communicate between entities?
    
    Push model:
    Attribute namespace could define specific attributes.
    If 2 entities understand the namespace they can map one to the other.
    
    Xacml would recommend to define standard namespaces and attribute sets.
    Xacml would have namespace registration procedure.
    
    P: How would you identify a namespace?
    D: Organization could pick a keyword.
    Ann: Why does oasis need to keep a registry?
    D: Convenience. 2nd complexity: will store uri's, 3rd: this format you should
    follow.
    D: Another approach: cnt redirected to attribute translation service. It's
    another way to do it, but it does not solve a problem.
    Ann: XACML may want to define a set of attribute names for referring to elements
    in azn decision query.
    
    Ann: Which entity is the owner of an attribute?
    Don: Last thing: security models. For security models we define map between
    them. EJB has flat namespace for roles. We may define how to translate.
    
    day2, apr 23
    
    Conformance discussion
    
    Ernesto: Let's shorten doc but mention areas on which conformance should be
    done
    Polar: Break down by conformance level. For saml profile you should follow
    certain steps.
    Carl: goal here is bring a topic for discussion. Polar and Ken will take
    charge of this.
    Polar: Should it be a separate document? Could be put in the last chapter.
    Usually conformance doc is very short.
    Ann: If you've got several committees it's good to have several docs.
    When we're done we fold all docs.
    Polar: Does oasis have a conformance process?
    Carlisle: They have a conf tech committee. They offer help in the conformance
    process.
    
    Interface with saml.
    
    Carlisle: Interface with saml. Suggestion was made that we should not
    tie to saml at all. We can define xacml assertion and specify saml profile.
    That would allow other domains to be more comfortable with xacml.
    Ann: One view is that saml is the thing everybody maps to. And everybody
    maps to saml.
    Bill: To have saml spelled out in our schema limits our appeal to a broad
    audience. We need to be compliant with saml, but better have a level of
    abstraction above that.
    Ernesto: We were established as an addition to saml. Our role was to use
    saml assertions and be comfortable that saml will become accepted.
    Technically these two approaches are not different.
    Polar: Experience at the omg shows problems with linking specs.
    Michiharu: I do not have special objections to saml use (req-resp).
    I would like to propose xacml context as abstraction layer to xacml.
    I do not have a specific schema that is mandatory to use. I want to explain
    my idea later.
    Don: We need saml to pass credentials between systems.
    Ernesto: saml namespace will specify specific version of saml. I do not see
    a problem.
    Carlisle: If we were to define our own format, will it be different?
    Polar: no.
    Michiharu: I do not assume any specific xacml assertion schema. My proposal
    is to add a transforms element that transforms any kind of saml request into
    an assertion-neutral xacml context. If you write such transforms it is easy
    to map saml requests to the xacml context. Ambiguity between saml request
    and xacml context does not exist. We can avoid the versioning problem.
    Ernesto: For saml we can have an empty xslt stylesheet.
    Ann: In xacml it makes more sense to group assertions by the holder of the
    assertion. Then it's more direct to refer to a particular assertion.
    Ernesto: That's a rearrangement of the tree structure. Why do we not define
    a structure for our assertions? Extension to this stylesheet could map
    further assertion versions.
    Ernesto: general concall will ratify proposal.
    
    Security and privacy considerations.
    Ann: privacy at the pep is different from privacy at the pdp etc.
    Polar: all we want to do is to bring up some concerns such as giving
    back more information with the response. Pep can filter this kind of
    information.
    Polar: policy integrity: it's important.
    Ernesto: xml has these facilities already, such as dsig or element encryption.
    We can check with w3c to see if these reqs could be satisfied.
    
    Issue: Integrity and authenticity of a policy are out of scope.
    Voted: !!!!! --> accepted.
    
    xacml context proposal. (Michiharu)
    Michiharu: This is just an idea of how to use xslt in the policy.
    Polar: If you do put it in the policy statement, they may each have a
    different transform, then different transforms should be run every time.
    Also, transform depends on the input request.
    Michiharu: I want to start for xacml context. It is not affected by saml
    syntax.
    Carlisle: What about response?
    Ernesto: There will be cases when you go from saml to saml.
    Ann: Are there 2 formats: saml and xacml context?
    Ann: Transforming saml request once may be no costlier than evaluating
    complicated expressions over saml assertions.
    Michiharu: It depends on implementation.
    Ernesto: We are going to define our own context. We can take saml schema
    for now, but context definition is a part of a spec. It calls for a vote.
    Carlisle: We can take votes assuming we have quorum.
    Bill: I suggest writing it down and voting on a proposal.
    Carlisle: we can arrange context in such a way that references are simpler.
    Bill: we have to revisit our charter.
    
    IBM IP.
    Michiharu: I can tell you about the contents of the patent.
    This patent, submitted in Japan, is an access control system for provisional
    actions. Access request
    comes from the left (110), the box (10) is the policy evaluation module and
    box (20) is the policy enforcement module. This module is focused on obligations
    or provisional actions. This module can have a set of enforcement plugin
    modules such as logging, encryption, etc. For example, a request comes in
    and the policy evaluation module determines if access is allowed or denied.
    If it contains obligations (113) then they are sent to the enforcement module.
    If those external conditions are not satisfied, access denied is sent
    back to the requestor.
    Ernesto: We can ask for a letter from ibm similar to ebxml.
    There are also issues on 'content guard' patents.
    Carlisle: in the context of 'content guard' they would not be able to make
    any determination before they have the final spec.
    
    Schema discussion.
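The transform idea discussed under the xacml context proposal above (map a SAML-style request into an assertion-neutral context, then evaluate policy against the context alone, so a change of SAML version only touches the transform), as an added example that is not part of these minutes or of the TC's work. It replaces the proposed XSLT transform with a plain Python function; the element names and the namespace URI are constructed placeholders rather than the real SAML or XACML schemas, and the sample request and the policy rules are constructed for the example.

```python
"""Assertion-neutral context layer: a programmatic stand-in for the XSLT
transform discussed in the minutes (example code, not the TC's own)."""
import xml.etree.ElementTree as ET

# Placeholder namespace, not the real SAML or XACML namespace.
SAML_NS = "urn:example:saml-like"
NS = {"s": SAML_NS}

# Constructed sample: a SAML-style authorization decision query in which
# the subject's attributes arrive in several assertions from different issuers.
SAMPLE_REQUEST = f"""<s:Query xmlns:s="{SAML_NS}">
  <s:Subject>
    <s:NameIdentifier>alice</s:NameIdentifier>
  </s:Subject>
  <s:Assertion Issuer="hr.example">
    <s:Attribute Name="role"><s:Value>clerk</s:Value></s:Attribute>
    <s:Attribute Name="dept"><s:Value>finance</s:Value></s:Attribute>
  </s:Assertion>
  <s:Assertion Issuer="it.example">
    <s:Attribute Name="role"><s:Value>admin</s:Value></s:Attribute>
  </s:Assertion>
  <s:Resource>file:///ledger.xml</s:Resource>
  <s:Action>read</s:Action>
</s:Query>"""


def saml_to_context(xml_text):
    """Map the SAML-style query into a request-format-neutral context.
    Attributes are grouped by the issuer that vouched for them (the
    'group by holder' point raised in the discussion), so a policy can
    state whose statement it trusts rather than walking SAML syntax."""
    root = ET.fromstring(xml_text)
    ctx = {"subject": {}, "attributes": {}, "resource": None, "action": None}
    ident = root.find("s:Subject/s:NameIdentifier", NS)
    ctx["subject"]["id"] = ident.text if ident is not None else None
    for assertion in root.findall("s:Assertion", NS):
        issuer = assertion.get("Issuer", "")
        bucket = ctx["attributes"].setdefault(issuer, {})
        for attr in assertion.findall("s:Attribute", NS):
            values = [v.text for v in attr.findall("s:Value", NS)]
            bucket.setdefault(attr.get("Name"), []).extend(values)
    res = root.find("s:Resource", NS)
    act = root.find("s:Action", NS)
    ctx["resource"] = res.text if res is not None else None
    ctx["action"] = act.text if act is not None else None
    return ctx


def evaluate(ctx, policy):
    """Evaluate a small rule list against the context only; the policy never
    sees the SAML syntax.  Each rule is a tuple
    (issuer, attribute, value, resource, action, effect).  The first matching
    rule wins and no match yields Deny (a closed default)."""
    for issuer, attr, value, resource, action, effect in policy:
        trusted = ctx["attributes"].get(issuer, {})
        if (value in trusted.get(attr, []) and ctx["resource"] == resource
                and ctx["action"] == action):
            return effect
    return "Deny"


# Constructed policy: only an HR-issued 'clerk' role may read the ledger.
# The IT-issued 'admin' role is a different statement and does not match.
POLICY = [("hr.example", "role", "clerk", "file:///ledger.xml", "read", "Permit")]


def decide(xml_text, policy=POLICY):
    """Full pipeline: transform the request, then evaluate the policy."""
    return evaluate(saml_to_context(xml_text), policy)


if __name__ == "__main__":
    print(decide(SAMPLE_REQUEST))  # Permit
```

Because the policy rules key on the issuer, an attribute asserted by an untrusted issuer cannot satisfy a rule written for another issuer, which is the integrity benefit of keeping the holder/issuer grouping in the context rather than flattening all attributes together.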