OASIS eXtensible Access Control Markup Language (XACML) TC

Minutes of XACML TC Meeting - April 13, 2006

    Posted 04-13-2006 17:47
    Minutes of April 13, 2006
    
    Attendees:
      Daniel Engovatov
      Hal Lockhart (Co-chair)
      Michiharu Kudo
      Ron Williams
      Argyn Kuketayev
      Abbie Barbir
      Kamalendu Biswas
      Erik Rissanen
      Bill Parducci (Co-chair, minutes)
      Anne Anderson (minutes)
      Seth Proctor
      David Staggs
    
    Quorum was achieved (83% per Kavi)
    
    1. Approval of minutes from March 30
        http://lists.oasis-open.org/archives/xacml/200603/msg00001.html
    
        Approved unanimously
    
    2. SAML Profile Updated
        Anne reported that the update incorporates all errata reported
        against our XACML 2.0 standard profile. Among other things Advice has
        also been added to allow Policies to be passed as an Advice in an
        Assertion. Anne will post details to the list.
    
    3. ITU-T update
        Abbie introduced an updated submission to ITU-T based on input from
        Anne.
    
        XACML 2.0 references a specific working draft of the W3C XQuery
        and XPath Functions and Operators spec for two DataTypes, the
        functions related to them, constructor functions for all XML
        Schema primitive DataTypes, and for the definition of Regular
        Expressions.  ITU does not allow references to things that are
        not yet approved standards.  The solution was to include the text
        of the referenced sections of the XQuery and XPath draft
        directly in the ITU version of the XACML specification in
        paraphrased form to avoid copyright issues.
    
        Daniel reported there was a meeting of the W3C XQuery and XSLT/XPath
        WG at Oracle last week.  They plan to move the datatypes
        defined in XQuery into the XML Schema.  Next meeting in June;
        Committee Recommendation by Aug.  The XACML TC can't use their
        changes now, since they are still not an approved standard, but
        should sync up at some point for XACML 3.0.
    
    4. Issues
    
       #11 CLOSED. Already supported.
    
       #12 This is being addressed by the work on Obligations. Bill &
           Michiharu are pursuing this.
    
       #13 Hal has concerns about the transitive implications of this. Anne
           and Erik offered that this may be resolvable. Erik is interested
           in this topic and is looking to work on this Issue, but does not
           have a timeline. Hal requested more explicit use cases so that
           this can be narrowed down. OPEN
    
       #14 "What do I do?": "What if" scenario where more general conclusions
           (#12) are supported.  E.g. I'm trying to access Server A, and the
           result is "redirect to Server B".  I.e. this can be handled with
           Obligations and XACML's existing "what if". CLOSED.  Re-open if it
           comes up again.
    
       #18 Split out the sub-issue: "When are attributes chosen (evaluated)?
           At time of issuance or at policy evaluation?"  Added as Issue #35.
    
           The remainder of the Issue is currently addressed in the latest
           draft (no differentiation). Consensus is "no distinction among
           delegates in conditions on delegates".  A problem exists in
           specifying the functions on delegates because it requires bags of
           bags (each delegate needs its own bag of attributes; they can't be
           mixed). Now you specify a condition and it must apply individually
           to each and all indirect delegates. CLOSED.
    
       #22 Right to revoke: We now have conditions on right to issue a
           policy, but none on right to revoke a policy.  There are many
           types of revocation.  Currently the administrator (someone who
           satisfies a delegate condition in a "supporting" policy) can
           remove any policy (good for historic attribute support).  A
           policy that arrives with a request is used to evaluate only
           that request and is then automatically revoked.  PRP="Policy
           Revocation Point".  Bill suggested that this is an
           implementation issue. OPEN.
    
       #23 Access Permitted: Hal has written a proposed function. OPEN
    
       #25 ACTION: Erik will revisit the text to make this easier to read.
    
       The next meeting will begin back on Issue #26.
    
    Meeting adjourned.