Subject: Minutes of XACML TC Meeting - April 13, 2006
Minutes of April 13, 2006
Attendees:
Daniel Engovatov
Hal Lockhart (Co-chair)
Michiharu Kudo
Ron Williams
Argyn Kuketayev
Abbie Barbir
Kamalendu Biswas
Erik Rissanen
Bill Parducci (Co-chair, minutes)
Anne Anderson (minutes)
Seth Proctor
David Staggs
Quorum was achieved (83% per Kavi)
1. Approval of minutes from March 30
http://lists.oasis-open.org/archives/xacml/200603/msg00001.html
Approved unanimously
2. SAML Profile Updated
Anne reported that the update incorporates all errata reported
against our XACML 2.0 standard profile. Among other things Advice has
also been added to allow Policies to be passed as an Advice in an
Assertion. Anne will post details to the list.
3. ITU-T update
Abbie introduced an updated submission to ITU-T based on input from
Anne.
XACML 2.0 references a specific working draft of the W3C XQuery
and XPath Functions and Operators spec for two DataTypes, the
functions related to them, constructor functions for all XML
Schema primitive DataTypes, and for the definition of Regular
Expressions. ITU does not allow references to things that are
not yet approved standards. Solution was to include the text
of the referenced sections of the XQuery and XPath draft
directly into the ITU version of the XACML specification in
paraphrased form to avoid copyright issues.
Daniel reported there was a meeting of the W3C XQuery and XSLT/XPath
WG at Oracle last week. They plan to move the datatypes
defined in XQuery into the XML Schema. Next meeting in June;
Committee Recommendation by Aug. XACML TC can't use their
changes now, since still not approved standard, but should sync
up at some point for XACML 3.0.
4. Issues
#11 CLOSED. Already supported.
#12 This is being addressed by the work on Obligations. Bill &
Michiharu are pursuing this.
#13 Hal has concerns about the transitive implications of this. Anne
and Erik offered that this may be resolvable. Erik is interested
in this topic and is looking to work on this Issue but does not
have a timeline. Hal requested more explicit use cases so that
this can be narrowed down. OPEN
#14 "What do I do?": "What if" scenario where more general conclusions
(#12) are supported. e.g. I'm trying to access Server A, result
is "redirect to Server B". I.e. can be handled with Obligations
and XACML's existing "what if". CLOSED. Re-open if it comes up
again.
#18 Split out the sub-issue: "When are attributes chosen (evaluated)?
At time of issuance or at policy evaluation?" Added as Issue #35.
The remainder of the Issue is currently addressed in the latest
draft (no differentiation). Consensus is "no distinction among
delegates in conditions on delegates". Problem exists in
specifying the functions on delegates because it requires bags of
bags (each delegate needs its own bag of attributes, they can't be
mixed). Now you specify a condition and it must apply individually
to each and all indirect delegates. CLOSED.
#22 Right to revoke: We now have conditions on right to issue a
policy, but none on right to revoke a policy. There are many
types of revocation. Currently the administrator (someone who
satisfies a delegate condition in a "supporting" policy) can
remove any policy (good for historic attribute support). A
policy that arrives with a request is used to evaluate only
that request and is then automatically revoked. PRP="Policy
Revocation Point". Bill suggested that this is an
implementation issue. OPEN.
#23 Access Permitted: Hal has written a proposed function. OPEN
#25 ACTION: Erik will revisit the text to make this easier to read.
The next meeting will begin back on Issue #26.
Meeting adjourned.