Attached are Anne's notes on and schema issues from the F2F 7/30/02.

Don
=================
Don Flinn
Chief Security Architect
Quadrasis
Hitachi Computer Products (America), Inc.
Tel: 781-768-5829
don.flinn@quadrasis.com

Title: Notes: XACML Face-to-Face Meeting
Date: 30 July 2002
Author: Anne Anderson
Present: Polar, Hal, Don, Anne, Bill, Carlisle, Simon, Tim
AGENDA
======
July 30:
9:00-12:00 Walkthru of latest version of document and schema to identify
items to be discussed.
12:00-1:00 Lunch
1:00-5:00 Combine items from morning and items from schema subcommittee list
and discuss and resolve each
July 31:
9:00-12:00 Continue discussion of items
12:00-1:00 Lunch
1:00-3:00 Presentation of Policy Signatures Examples and discussion
Presentation of Conformance Test Cases and discussion
3:00-4:00 Work on identifiers section
4:00-5:00 Discuss conformance profiles
Aug 1:
9:00-10:00 Discuss security and privacy section
10:00-11:00 Presentation of LDAP Profile and discussion
11:00-12:00 Open for deferred or new items
12:00-1:00 Lunch
1:00-5:00 Review issues list for items to close or defer
30 July 2002
Goal: after end of 1 Aug 2002, all that is left to do to document is
to type in changes already agreed upon.
ACTION ITEMS:
- [Simon, 1 Aug 2002] Review glossary terms: missing, update.
- [Tim, 15 Aug 2002] Finish Background section. Add Target.
- [Anne, 29 July 2002] Add simple example to Example section.
- [Simon, 1 Aug 2002] update and correct the existing example in
Example section.
- [Anne, 30 July 2002] Give Simon list of edits sent to Tim on
Examples.
- [Tim, 15 Aug 2002] Highlight boxes in XACML Context section to show
which pieces are specified by XACML, and which are outside XACML
scope.
- [Tim, 15 Aug 2002] Figure 1: update to show PDP has nothing to do
directly with the PIP. Replace "PDP" in the figure with a "context
constructor" or something like that. PDP interacts only with the
"context constructor".
- [Bill, 1 Aug 2002] Check UML-ness of Figure 3 (Tim to give Bill a
software copy), and update it.
- [Tim, 15 Aug 2002] Figure 3: add switch under "condition" so it can
take function or attribute.
- [Tim, 15 Aug 2002] Section 4: label two "Target" sections
appropriately (one is for Rule, other is for PolicyStatement). Make
it clear that, regardless of how target is generated, evaluation of
policy is the same.
- [Simon, 15 Aug 2002] For each Policy syntax element, specify how PAP
deals with it and how PDP deals with it. Information needed to
implement the semantics of the element correctly.
- [Bill, 1 Aug 2002] Generate XML Spy representation from the
schemas.
- [Simon, 1 Aug 2002] Make all definitions in schema global.
- [Michiharu, 14 Aug 2002] Update SAML Profile XSLT, including how to
put Obligations into a SAML 1.0 AuthorizationQueryResponse.
- [Hal, 14 Aug 2002] Add IPR section (required by OASIS). Discuss
IBM's claimed IP on obligations.
- [Anne, 14 Aug 2002] Update XML Digital Signature profile.
- [Anne, 14 Aug 2002] Update "XACML extensibility points" to make
sure it includes anything needed for J2SE extensions.
- [Hal, 14 Aug 2002] Write paragraph on pitfalls of negative rules for
the "Security and privacy" section.
- [Don, 14 Aug 2002] Write up "threats" for "Security and privacy"
section.
- [Michiharu, 14 Aug 2002] Generate XSLT to convert a Response into
the minimal form used by Conformance Test cases.
- [Anne, 14 Aug 2002] Generate list of schema elements, combining
algorithms, identifiers, functions, arranged by Section # for
Conformance section of document.
- [Tim, 14 Aug 2002] Fold Background references into document
references section.
DECISIONS
- Keep structure of the document the same: Non-normative sections,
normative sections.
- Generate XML Spy representation of schemas, but publish this on the
web site as a separate element.
- Use only global element references and global type definitions in
the schema. Example: Use <xs:element
ref="xacml:PolicySetStatement"/>, rather than <xs:element
name="PolicySetStatement" type="PolicySetStatementType"/>. Naming
convention: if element is "X", type is "XType". Advantages:
o consistency for readers of the schema.
o can omit qualified elements and attributes.
o makes sure names of elements stay same when type is same.
- Put function names and legal type combinations (Section 6) in an
appendix.
- Put identifiers (Section 8) in an appendix.
- Put combining algorithms (Section 9) in an appendix.
- Profiles: a way of using XACML within a particular application
context.
- Move LDAP profile into another section: this is "how to use LDAP to
retrieve ID references in XACML", not "how to use XACML to implement
LDAP access control"
- Conformance Tests: define "conformance" as follows: taking a Request
"consistent with" the specified Request.xml document, together with the
specified Policy.xml document, must produce a Response "consistent
with" the specified Response.xml document. "Consistent with" means
it must be capable of being converted algorithmically.
- "Successfully using" goal is that all mandatory-to-implement
functionality be implemented and testable. But, if we don't have 3
fully compliant implementations as we get close to Sept. 1, we can
redefine "successfully using" as a subset.
- Remove "Conformance Test" description of "conformant PAP".
- Commitments: Simon (OverXeer), Michiharu (IBM). CrossLogix can't
commit to be compliant by Sept. 1. Reuters is implementing, but we
don't know if they can commit for Sept. 1. Carlisle will contact
Reuters to see if they will commit.
- Acknowledgements section will include only voting members as of time
of approval as an OASIS Committee Specification.
Title: XACML schema issues
Author: Anne Anderson
Version: 1.21, 02/07/29 (yy/mm/dd)
Source: /net/labeast.east/files2/east/info/projects/isrg/xacml/docs/SCCS/s.SchemaIssues.txt
ISSUES:
34. [Michiharu] XPath Subset
http://lists.oasis-open.org/archives/xacml/200207/msg00066.html
http://lists.oasis-open.org/archives/xacml/200207/msg00162.html
<AttributeSelector> is used to specify XPath expression in
the <target> element. I am assuming that
<AttributeDesignator> will be used for the expression without
XPath. Four new functions are used to compare values.
function:general-string-equal
function:boolean
function:node-equal
function:xpath-match
<XPathVersion> element in <Defaults> element is used to
specify the version of the XPath expression used in the
policy. Schema definition will be posted by Simon.
OPEN: Simon and Michiharu will resolve this since they are
the prime users of XPATH in XACML.
36. [Anne] attribute references and indeterminate results
Long, verbose, religious, tedious thread starts with:
http://lists.oasis-open.org/archives/xacml/200207/msg00071.html
Subsidiary thread (pdp status element):
http://lists.oasis-open.org/archives/xacml/200207/msg00140.html
Some sub-issues and options:
Order of evaluation
a. In what order MUST arguments be evaluated?
Implementation-dependent unless the function definition
specifies an order. orderedOr and orderedAnd are the only
standard functions we have defined that specify an order.
b. MUST all arguments be evaluated?
No, if a result can be returned without evaluating all. You
could define a custom function that requires evaluating all
arguments, but none of our standard functions does this.
c. MAY all arguments be evaluated, even if not required to reach a
function result?
Yes, but can never change the overall result.
Operational errors (e.g. divide by 0) and missing information
(AttributeDesignator returns empty set)
a. Reporting of errors via the response obtained while evaluating
a request by PDP:
Reporting by PDP in the Response is optional. PDP MAY include
error information in the Status element of the Response. PEP
must not depend on the PDP supplying this information.
b. Operational errors and missing information are handled as follows
- Standard OR and ORDERED-OR implementation:
  Evaluate arguments in any order (or in specified order)
  IF (you receive an error or null AttributeDesignator result) {
      Go on to next argument evaluation unless all evaluated
      IF (you get at least one TRUE) {
          return TRUE
      } ELSE {
          return error (which may be a set of errors)
      }
  } ELSE IF (you get at least one TRUE) {
      return TRUE
  } ELSE {
      return FALSE
  }
- Standard AND and ORDERED-AND implementation:
  Evaluate arguments in any order (or in specified order)
  IF (you receive an error) {
      Go on to next argument evaluation unless all evaluated
      IF (you get at least one FALSE) {
          return FALSE
      } ELSE {
          return error (which may be a set of errors)
      }
  } ELSE IF (you get at least one FALSE) {
      return FALSE
  } ELSE {
      return TRUE
  }
- function:present: returns TRUE if argument is
not {}. Returns FALSE if argument is {}. If evaluating
argument results in an error, return error.
- function:not returns TRUE if argument is FALSE,
returns FALSE if argument is TRUE. If argument results in an
error, return error.
- Other standard functions: return "error" if any argument is an
error or if an operational error in computing the function
occurs.
- Custom functions must behave like "Other standard functions"
unless specific handling of errors is specified.
c. What is Rule result if Condition evaluates to (exactly same as
table in v15 of specification):
- operational Error?
INDETERMINATE(error=operational error)
- "necessary information not available"?
INDETERMINATE (error=missing information)
- FALSE?
NOT APPLICABLE
- TRUE?
PERMIT or DENY (as specified in rule's Effect)
d. What is Rule result if Target evaluates to FALSE?
NOT APPLICABLE
e. Combining Algorithms must specify how PERMIT, DENY,
INDETERMINATE, and NOT APPLICABLE are handled. Standard
algorithms already do this.
f. If operational errors are reported, how is the type of
error reported?
Reported via Status element in Response
CLOSED: See decisions above.
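A worked version of the OR/AND, function:present and Rule-result semantics of issue 36(b)-(d), as an added Python example that is not from the notes or the XACML specification; the names Error, xacml_or, xacml_and, present and rule_result are this example's own, and each argument is modelled as a zero-argument callable returning a boolean, a bag (list) or an Error.

```python
# Added example, not from the meeting notes: the error-tolerant OR/AND and
# function:present of issue 36(b) plus the Rule-result table of 36(c)/(d).
# All names below are this example's own, not XACML identifiers.
class Error:
    """Argument that could not be evaluated: an operational error (e.g.
    divide by zero) or missing information (empty AttributeDesignator)."""
    def __init__(self, *kinds):
        self.kinds = list(kinds)   # one or more error descriptions

def _evaluate_all(args):
    """Evaluate every argument (order is implementation-dependent, 36(a))
    and separate boolean results from errors instead of stopping early."""
    values, errors = [], []
    for arg in args:
        r = arg()
        (errors if isinstance(r, Error) else values).append(r)
    return values, errors

def xacml_or(*args):
    """Standard OR: any TRUE -> TRUE; else any error -> error; else FALSE."""
    values, errors = _evaluate_all(args)
    if True in values:
        return True
    # the returned error carries the kinds of every failed argument
    return Error(*[k for e in errors for k in e.kinds]) if errors else False

def xacml_and(*args):
    """Standard AND: any FALSE -> FALSE; else any error -> error; else TRUE."""
    values, errors = _evaluate_all(args)
    if False in values:
        return False
    return Error(*[k for e in errors for k in e.kinds]) if errors else True

def present(arg):
    """function:present: TRUE if the bag is non-empty, FALSE if it is {},
    and an error from evaluating the argument is passed through unchanged."""
    r = arg()
    return r if isinstance(r, Error) else len(r) > 0

def rule_result(target, condition, effect):
    """36(c)/(d): Target FALSE -> NOT APPLICABLE; Condition error ->
    INDETERMINATE(error=...), FALSE -> NOT APPLICABLE, TRUE -> the Effect."""
    if not target:
        return "NOT APPLICABLE"
    r = condition()
    if isinstance(r, Error):
        return "INDETERMINATE(error=%s)" % ", ".join(r.kinds)
    return effect if r else "NOT APPLICABLE"
```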
37. [Michiharu] Use of XPath with namespaces.
http://lists.oasis-open.org/archives/xacml/200207/msg00056.html
Namespace URI functions and Global Name functions. Another
option: namespace prefix in the XPATH expression, but this
needs some assumptions on the target document.
OPEN: Perhaps turn this over to Simon and Michiharu along
with #34?
38. [Daniel] Split non-null-set-intersection function
http://lists.oasis-open.org/archives/xacml/200207/msg00076.html
[Tim]
http://lists.oasis-open.org/archives/xacml/200207/msg00077.html
Split non-null-set-intersection into intersection(list, list),
returning xs:list, and not-empty(list), returning boolean.
CLOSED: split function as suggested. (NOTE different closure from
original)
44. [Simon] Schema for advice/status in xacml:Response
http://lists.oasis-open.org/archives/xacml/200207/msg00126.html
CLOSED: Use Response schema in 16a, which replaces xacml:Advice with
xacml:Status schema. XSLT that transforms xacml:Response into
saml:AuthorizationDecisionResponse will translate certain
xacml:Status values into saml:Advice elements. Status is
allowed with any DecisionType value (Permit, Deny,
Indeterminate, NotApplicable).
45. [All] Can AttributeDesignator be simpler than XPATH?
[Anne]
http://lists.oasis-open.org/archives/xacml/200207/msg00095.html
[Simon]
http://lists.oasis-open.org/archives/xacml/200207/msg00130.html
[Michiharu]
http://lists.oasis-open.org/archives/xacml/200207/msg00131.html
[Simon example]
http://lists.oasis-open.org/archives/xacml/200207/msg00152.html
CLOSED: Use Simon's proposal. This 1) flattens the Context, 2)
includes AttributeSelector (not mandatory to implement) for when
you want/need to use XPATH, and 3) includes AttributeDesignator
(mandatory) for referencing XACML-defined elements of the Request
context. Either XPATH or application-specific functions will be
required for retrieving sub-components of an attribute or of the
resource content.
46. [Anne] Replace saml:AssertionType with xacml:AssertionType
http://lists.oasis-open.org/archives/xacml/200207/msg00097.html
Error in mailing: "sequence" should be "choice".
saml:Assertion is currently referenced only in PolicySetType (as
PolicyAssertion and PolicySetAssertion). Should also have a
Policy[Set]Designator in this list. Note: we have no way in
XACML syntax to refer to any elements in an Assertion header.
Only a Combining Algorithm could possibly refer to anything in
an Assertion header.
Options:
1. Extend saml:AssertionType to include element
ref="xacml:PolicySetStatement" and element
ref="xacml:PolicyStatement"
2. Define our own xacml:AssertionType.
3. Don't try to deal with assertions in XACML schema at all.
Remove AssertionDesignator, PolicySetAssertion, and
PolicyAssertion from xacml:PolicySetType.
CLOSED: #3.
49. [Michiharu] Which regular expression definition to use?
http://lists.oasis-open.org/archives/xacml/200207/msg00129.html
[Anne]
http://lists.oasis-open.org/archives/xacml/200204/msg00132.html
Options:
1. Use definitions specified in XML Schema part 2: Datatypes,
Appendix F Regular Expressions. (Bill says same as perl)
2. Basic regular expressions (BRE) as defined in POSIX
specification 2:
http://www.opengroup.org/onlinepubs/007908799/xbd/re.html#tag_007_003
3. Extended regular expressions (ERE) as defined in POSIX
specification 2 (these add an "or" metacharacter so you
can match on one of multiple separate regular expressions):
http://www.opengroup.org/onlinepubs/007908799/xbd/re.html#tag_007_003
4. Use whatever J2SE supports.
OPEN: Anne (and any others) will investigate which
definitions are implemented in freely available sources
(e.g. J2SE).
52. [John Howard] Support OR in Target
http://lists.oasis-open.org/archives/xacml-comment/200207/msg00000.html
Supporting OR in Target, either explicitly or implicitly,
would make merging Targets easier.
Michiharu: important to support "Target Subject is manager OR
Subject is secretary". Currently need to handle this in
Condition.
OPEN: Defer until Face-to-Face.
55. [Anne] PDP response when no policies at all apply
CLOSED: return NOTAPPLICABLE
(Use a base policy with PolicyCombiner and Any-Targets if you don't
want this behavior). Change Response context to have
NOTAPPLICABLE as a fourth possible DecisionType choice.
Following added July 30 during walkthru of latest version of document and schema.
56. [Daniel] No-match cases in Rule truth table (Table 1)
Are these correct?
OPEN:
57. [Simon] Should Rule Target be optional?
If Policy target is computed by union of Rule targets, then Rule
Target should not be optional.
OPEN:
58. [Anne] Order schema definitions alphabetically?
OPEN:
59. [Hal] How to specify semantics of functions.
Options:
o Cut and paste from XPATH 2.0
o Omit >2 multiple operands from XACML
OPEN:
60. [Simon] Keep Permit-overrides combining algorithms?
OPEN:
61. [All] Dynamic attributes: how are they referenced and retrieved?
Define a schema for the "static context"? This would be used for
conveying cached attributes in the form of a Request Context
between cooperating PDPs.
CLOSED: Perhaps define such a schema for a later version of XACML.
Dynamic attributes are referenced and retrieved through the
"notional" XACML Request Context regardless of whether they are
supplied by the PEP or retrieved from a PIP.
62. [Simon] DSML profile?
OPEN:
63. [Hal] Simplify AttributeDesignators within Target so not recursive?
Target should be simple enough for a single LDAP retrieval to get
the relevant policy, etc.
OPEN:
64. Will this TC define a way for PolicyStatement or
PolicySetStatement to be encapsulated in some sort of Assertion
for transmission over the network?
Define way for PolicySetStatement and PolicyStatement to be
encapsulated in a saml:Assertion. Current schema supports this
since PolicySetStatement and PolicyStatement extend
saml:StatementAbstractType.
Option:
1. Do not extend saml:StatementAbstractType in
mandatory-to-implement XACML policy schema. Define an optional
extension to saml that extends AssertionType with
xacml:PolicySetStatement and xacml:PolicyStatement. Define
non-mandatory XACML policy schema extension that defines these as
extensions of saml:StatementAbstractType.
CLOSED: #1.