Time: 13:00 EDT
Tel: 513-241-0892 Access Code: 65998

Minutes for 2 June 2011 TC Meeting:

note: "->" implies an "action item"

I. Roll Call & Approve Minutes:

Voting Members
  Erik Rissanen     Axiomatics
  Paul Tyson        Bell Helicopter Textron Inc.
  Doron Grinstein   BiTKOO
  David Choy        EMC
  Remon Sinnema     EMC
  Sridhar Muppidi   IBM
  David Chadwick    Individual
  Bill Parducci     Individual
  Rich Levinson     Oracle
  Hal Lockhart      Oracle
  John Tolbert      The Boeing Company

Members
  David Chadwick    Individual

have quorum

Note: did not have quorum last week, so 19-May minutes still need approval

26 May TC Meeting - UPDATED 2:
http://lists.oasis-open.org/archives/xacml/201106/msg00001.html
  approved "notes" of 26-may

19 May 2011 TC Meeting
http://lists.oasis-open.org/archives/xacml/201105/msg00053.html
  approved minutes of 19-may

II. Administrivia

F2F: will be held on June 28th, 29th, 30th in Lexington, MA
Hal will create a poll to gather the final attendance count for the F2F, which is needed for planning facilities.
  -> Hal: please respond to poll. (action is on everyone else to respond)

XACML TC Anniversary
http://lists.oasis-open.org/archives/xacml/201105/msg00059.html

XACML 3.0 core wd 20 uploaded

Core
http://lists.oasis-open.org/archives/xacml/201105/msg00070.html

RBAC
http://lists.oasis-open.org/archives/xacml/201105/msg00071.html

mtg schedule:
  hal: back to 2 weeks?
  erik: not yet
  hal: ok, weekly for now, next mtg jun 9
  david: could we schedule jun 16 mtg hour earlier?
  -> hal: we will discuss on jun 9 if we can move jun 16 1 hr earlier

IIIa. New Issues

three questions: string-not-equal & valid FulfillOn attributevalues & placement of variableDefinitions
(may be resolved w follow-up emails)
http://lists.oasis-open.org/archives/xacml/201105/msg00102.html

wd20 policy evaluation discussion: (may be resolved in followup emails)
paul:
http://lists.oasis-open.org/archives/xacml/201105/msg00095.html
  paul: issue is with target description; not sure objection to proposed wording: target matches, doesn't, ind.
  erik: same info is in the table; risk of keeping things in synch; table in 7.1.2?
  paul: not as good as could be, but is ok.

Obligations/Advice combining ambiguities. (dependent on final version of combining algorithms)
http://lists.oasis-open.org/archives/xacml/201105/msg00094.html
  rich: working assumption is that in deny-overrides that if there are multiple permit rules then all the applicable permits add their obligations to the response if decision is permit, as opposed to the deny decision, where only one rule's obls are returned.
  -> rich: will update impl guide w acm ref paper; also explain in a little more detail the "bundling of obligations" from the non-biased decision (i.e. the permit in deny-overrides, etc.)

Permit Deny Bias PDPs & Extended Indeterminate
this issue appears resolved w no changes required:
http://lists.oasis-open.org/archives/xacml/201105/msg00112.html
  rich: resolved - everything ok, as is

IIIb. Issues Active on List

Indeterminate Policy Target handling
possible proposal to resolve: erik/rich:
http://lists.oasis-open.org/archives/xacml/201105/msg00114.html
  erik: obligations wrt policies evaluated, important that policies should be understood wrt combining used
  rich: ok, want to see next draft before signoff
  -> erik: will prepare next draft

PDP REST Interface - proposal - hal:
http://lists.oasis-open.org/archives/xacml/201105/msg00093.html
  hal: has this discussion ended or is there more to come?
  erik: david b not here today, but issue is still active

XACML Implementers Guide - updated w some cautions on ref:
(note: the ref also needs update to published acm version, which addresses some of the concerns mentioned)
Groups - XACML Implementor's Guide Version 3.0 (xacml-implement-guide-3.0-02-05.doc) uploaded
http://lists.oasis-open.org/archives/xacml/201105/msg00113.html

Attribute predicate profile for SAML and XACML - ray comment
http://lists.oasis-open.org/archives/xacml/201105/msg00088.html

IV. Carryover Issues (last posting listed)

XACML Metadata
http://lists.oasis-open.org/archives/xacml/201105/msg00004.html

Attribute predicate Profile for SAML and XACML
http://lists.oasis-open.org/archives/xacml/201104/msg00080.html

Break The Glass Profile
http://lists.oasis-open.org/archives/xacml/201104/msg00082.html
  hal: david should bring us up to date on where we left off;
  david: still before proposal stage; should pdp signal a btg response
  hal: does pdp know to signal btg by evaluating policy
  david: yes, can be by an attribute (state); if attr set to true it would give one answer, if false then a btg answer; if glass wasn't broken, it would say you are entitled to break the glass;
  hal: we have 2 mechanisms: missing attr w indeterminate, or in policy can have obl or advice on deny;
  david: based on attr modeling whether state glass is broken; if btg is provided can make decision, if not, can't.
  rich: it sounds like it is profile using existing mechanisms, which seems like all ok.
  david: agrees
  david: pep can ignore the advice;
  hal: are there any open technical issues
  david: no; remaining question is what does pep do in response? one opinion is that pep does everything automatically, other is w obligations such as notify parts some people think it's all over w pdp, others think that you go back to pdp;
  david: pdp signals w advice, obl in v2, and 2 options on pep: coord w pdp, and ind of pdp.
  hal: why doesn't pdp interact w authority sufficient? policy does the alg and calculates answer; state type authority to keep track of btg;
  david: that model w glass mgr, still needs req to ask state;
  erik: "in coord w pdp" needs to be more specific:
  david: policy rule about who is allowed to do btg; 2nd rule is about btg'ing itself; state is maintained;
  erik: pdp controls access to chg the state info.
  david: yes.
  hal: policy controls the btg as resource;
  -> david: will update the profile

Profile Examples (Hierarchy)
http://lists.oasis-open.org/archives/xacml/200910/msg00024.html

PIP directive (additional information directives)
http://lists.oasis-open.org/archives/xacml/201010/msg00005.html

Usage of status:missing-attribute in case of an AttributeSelector
http://lists.oasis-open.org/archives/xacml/201104/msg00003.html

"Web Friendly" Policy Ids
http://lists.oasis-open.org/archives/xacml/201103/msg00046.html

Specifying a specific associated Resource in a Policy (Sticky Policies)
http://lists.oasis-open.org/archives/xacml/201103/msg00012.html