OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Minutes of XACML TC mtg: 3-Jul-08

    Posted 07-03-2008 15:24
    Minutes of XACML TC mtg: 3-Jul-08:
    
    Time: 10:00 am EDT
    Tel: 512-225-3050 Access Code: 65998
    
     Attendance:
    
    Voting Members
    
    Erik Rissanen  	Axiomatics AB
    Anthony Nadalin 	IBM
    Rich Levinson 	Oracle Corporation
    Hal Lockhart 	Oracle Corporation
    Anil Saldhana 	Red Hat
    Seth Proctor 	Sun Microsystems
    David Staggs 	Veterans Health Administration
    
    Members
    
    Duane DeCouteau 	Veterans Health Administration
    
    OASIS Staff
    
    Dee Schur 		OASIS
    
      Note:
    
    	Next call in 2 weeks Jul 19. 
    	Hal will probably not be able to chair. 
    	 Hopefully, Bill can handle.
    
    Agenda: ("Minutes" after each agenda item)
    
    10:00 - 10:05 Roll Call & Minutes Approval
       Vote on Minutes from 19 June TC Meeting
       http://lists.oasis-open.org/archives/xacml/200806/msg00043.html
    
    	Minutes approved.
    
    10:05 - 10:10 Administrivia
    
       XACML Interop Update (London: Oct 2008)
       http://lists.oasis-open.org/archives/xacml/200806/msg00038.html
    
         Dee:  go to forum page: xacml listed Wed PM.
    	Cost is $500/participant company 
    	 (we get to be in main castle room)
    	Need commitments
    	  Erik in
    	  Tony - depends, for now, we're
    	  Anil (red hat) in
    	  David (VA) not present
    	  Rich - probably not in
    	  Dee says Sampo is probably in
    
    	Duane will participate in mtgs and fill in details
    
    
       SVN Status - Waiting for word from Jamie
    
    	Legal issues on source control, still waiting
    	 for details
    	Std boiler plate - issue by Deviant people if they
    	 can use pieces of schemas etc.
    
       OGF document released for public comment: "Use of XACML RequestContext..."  
       http://lists.oasis-open.org/archives/xacml/200806/msg00049.html
    
    	Robin Cover distributed - geo space people want to stdize
    	 around req/rsp protocol
    
       A dynamic revocation model for XACML
       http://lists.oasis-open.org/archives/xacml/200807/msg00000.html
    
    	Attributes of delegate when issued policy, if interested
    	 read paper - whether current admin can revoke policies
    	 created by previous admin.
    	Relies on attributes saved and signatures and is "somewhat
    	 heavy to implement"
    
    10:10 - 11:00 Issues
       Issues #71 and #76 (multi-categories)
       http://lists.oasis-open.org/archives/xacml/200806/msg00041.html
    
    	Supporting multiple intermediaries, codebases. Hal now
    	 agrees w Erik, don't want to add new functionality
    	 for this.
    
       WS-XACML Review
       http://lists.oasis-open.org/archives/xacml/200806/msg00029.html
    
    	Hal: potentially a solution to reqt how do you know
    	 what attr should be provided to PDP. Vocab could
    	 be gleaned from policies, create an xml document
    	 and say that is vocabulary, etc.
    
    	Erik: think it's fine, raises reasonable things, if there
    	 is a demand from users should consider moving it forward.
    	
    	Hal: if going to req from pdp, what attr to provide.
    
    	Erik: also contains privacy policy, how enforced.
    
    	Hal: philosophy same as obligations
    
    	Erik: Anne sent ref to paper that describes protocol
    	 setting to enforce - is concerned whether possible to
    	 enforce at all.
    
    	Hal: privacy work was with some academic people, but can
    	 also be used for other purposes than privacy. As much
    	 as possible leveraging machinery that already exists
    	 access to pdp engines that already contain parsing
    
    	Erik: xpath concern in there, WS-Policy dropped ignorable.
    	 Anne had restriction on xpath that there would always
    	 be unique - does not think it is sufficient, because can
    	 use different namespaces to get around.
    
    	Hal: still hopeful Daniel can get back in.
    
       Passing parameters to the attribute designator
       http://lists.oasis-open.org/archives/xacml/200806/msg00042.html
    
    	From Anil Tappetla: Erik been considering, understands
    	 need for parameters, but not sure policy is right place
    	 for it. Any semantics? Need to provide a use case to
    	 better understand the issue. 
    
    	Hal: maybe part of vocabulary, what is syntax of attrs
    	 that policy can be found and how do you find them.
    	Erik: without more info would be inclined to say no.
    
       Security considerations for the access-permitted function
       http://lists.oasis-open.org/archives/xacml/200806/msg00044.html
    
    	Erik: in general fcn may not terminate. Limit on depth
    	 is a problem. Propose a limit either in std or impl
    	 based in metadata.
    
    	Hal: this might be useful in metadata.
    
    	Hal: attacker could send poison policy to mess up system.
    
       Issue 88, general xpath functions again
       http://lists.oasis-open.org/archives/xacml/200806/msg00045.html
    
    	Either general library or specific subset. xpath contains
    	 data types that do not fit xacml in any way.
    	Craig/Erik: propose we make up specific fcns and refer to
    	 xpath and not plug into full xpath.
    	Hal: purpose is manipulating request context.
    	Erik: this is our identifier and the functions does same
    	 thing as the xpath spec.
    	Erik: we defined general import, but not a good idea, then
    	 imported subset and found problems there. Now suggesting
    	 we just have identifiers that have limited interpretation
    	 but are equivalent to selected xpath specifics
    
       Issue 89, Adding a description element
       http://lists.oasis-open.org/archives/xacml/200806/msg00047.html
    
    	Either add to expression type or to apply. If you add to
    	 apply will be more generally pervasive.
    
       A problem in the multiple resource profile
       http://lists.oasis-open.org/archives/xacml/200806/msg00048.html
    
    	Erik: in the policy can specify xpath version. Mult res prof
    	 req does not have similar identification of version.
    	 Add an element for 3.0
    
       The duration data types
       http://lists.oasis-open.org/archives/xacml/200807/msg00001.html
    
    	Looks like oversight. However, if we add it then some of 
    	 fcns there become redundant.
    	Hal: intro new ones and give warning redundant will be
    	 removed in future. Sometimes convenient to keep around.
    	Erik: adding date/time and year/month not the same.
    
    


  • 2.  Re: [xacml] Minutes of XACML TC mtg: 3-Jul-08

    Posted 07-04-2008 12:08
    Was the attendance enough to meet quorum? (I'm just asking so I know 
    that I can go ahead and update things according to the decisions made.)
    
    Best regards,
    Erik
    
    
    


  • 3.  Re: [xacml] Minutes of XACML TC mtg: 3-Jul-08

    Posted 07-07-2008 01:57
    Yes, I believe we had 7 of a possible 8.
    
        Thanks,
        Rich
    
    Erik Rissanen wrote:
    > Was the attendance enough to meet quorum? (I'm just asking so I know 
    > that I can go ahead and update things according to the decisions made.)
    >
    > Best regards,
    > Erik
    


  • 4.  Re: [xacml] Minutes of XACML TC mtg: 3-Jul-08

    Posted 07-08-2008 11:09
    All,
    
    There is a small error in the minutes. I think we decided to adopt the 
    proposals made on
    
      Security considerations for the access-permitted function
      http://lists.oasis-open.org/archives/xacml/200806/msg00044.html
    
    and
    
      Issue 89, Adding a description element
      http://lists.oasis-open.org/archives/xacml/200806/msg00047.html
    
    But the minutes do not state the decisions were made.
    
    Best regards,
    Erik
    