OASIS eXtensible Access Control Markup Language (XACML) TC

Minutes 29 January 2009 TC meeting

  • 1.  Minutes 29 January 2009 TC meeting

    Posted 01-30-2009 04:40
    Time: 10:00 am EDT
    Tel: 512-225-3050 Access Code: 65998
    
    Agenda:
    
    10:00 - 10:05 Roll Call 
    
    	Voting Members
    
    	Erik Rissanen  	Axiomatics AB
    	Bill Parducci 	Individual
    	Rich Levinson 	Oracle Corporation
    	Hal Lockhart 	Oracle Corporation
    	John Tolbert 	The Boeing Company
    	Duane DeCouteau Veterans Health Administration
    	David Staggs 	Veterans Health Administration
    
     Approve Minutes
       of 22 January 2009 TC Meeting
       http://lists.oasis-open.org/archives/xacml/200901/msg00052.html
    
       Approve corrected minutes
       of 15 January 2009 TC Meeting
        http://lists.oasis-open.org/archives/xacml/200901/msg00069.html
    
    	approved both no objection
       
    
    10:05 - 11:00 Issues
    
     Administrivia:
    
       Federal Register Notice requiring use of XACML by Federal 
       agencies in certain situations
        http://lists.oasis-open.org/archives/xacml/200901/msg00062.html
    
    	Dave: recommends reading email and attachment sent out where
    	 xacml reqts for fed govt achieved
    
    	Dave encourages TC members to consider joining XSPA TC,
    	 in particular, to consider participating in HIMSS demo.
    	 RedHat, Sun have joined xspa tc and plan to
    	  participate in himss demo
    
    	From above email: "The XSPA profile of XACML will be featured 
    	 in the OASIS-HITSP Demonstration of TP20 at the HIMSS Showcase 
    	 in early April.  There is still time to participate and we still 
    	 have room in the booth for more participants."
    
        ->  Rich: post something on web page
    
    
       US gov't announcement of OASIS security standards milestone
        http://lists.oasis-open.org/archives/xacml/200901/msg00063.html
    
     Prelim before issues:
       Hal: need to take the time so people understand the issues
        (because possibly people have not been able to get fully
         cognizant of the details and things can get thru w/o
         adequate scrutiny by several members - just a concern,
         no explicit evidence, but encourages people to speak up
         if they need more time or discussion on issues)
       Erik: need to combine efficiency of processing as well
    
       Hal:
         - minutes should reflect discussion and scribes should
    	interrupt if not clear
    
    
     New Issues:
    
       Deprecation?
        http://lists.oasis-open.org/archives/xacml/200901/msg00054.html
    
        Hal: oasis has no process for this; other stds orgs follow a
    	mix of procedures; no industry consensus.
    
        Hal: key issue is 3.0 features are improvement over 2.0 and that
    	we need to continue 2.0 support.
    
        Hal: not ITUT "SHALL" was used rather than "MUST".(desirable to
    	align w them) - Hal will check into it.
    
        Bill: need verbage for considering deprecation to give people
    	ready alerts
    
        Hal: should avoid new policies w old stuff.
    
        Erik: uses "deprecation" more in sense of "legacy features".
    
        Erik: would like to have 3.0 full list, and say "2.0, as well"
    	is still mandatory
    
        Erik: do we want to refer to errata?
    
        Hal: yes, errata should be the basis for 3.0.
    	
        Hal: 2.0 chapter about conformance chapter
    
        Erik: need to go thru 2.0 conformance list and see if makes sense
    	and ensure it all is meaningful.
    
        Erik/Hal: 2 models: "3.0 builds on 2.0"; in prev discussions 3.0
    	impls should be able to fcn as 2.0 impls - Hal is it either/or
    	or is it one or other.
    
        Erik: doesn't want full 2.0 impl reqt. 
    
        Discussion will continue, proposals to be submitted to list, incl
         item from Bill on other stds orgs practices
    
    
       Attribute validity times   
        http://lists.oasis-open.org/archives/xacml/200901/msg00064.html
    
        Rich: spec needs to beef up its pointing this out about what
    	characteristics attrs have when submitted to canonical form.
    	i.e. when context handler translates native form to 
    	xacml canonical, the attr may have additional context that
    	is meaningful in terms of the validity of the attr - that
    	context may be of interest to admins and may be possible
    	to be included in admin tools such as PAP when attr defns
    	to be included in policies is established.
    
        Hal: need to keep a sense retaining accuracy of subject - in the
    	delegation profile - we talked about metadata (Rich: possibly this
    	statement?: "This represents the fact that the context handler 
    	can fill in attributes in the request context. (The details of 
    	how the context handler found the administrator attribute depend 
    	on the PDP implementation and the available attribute sources in 
    	the particular implementation.)"
    
     Carried over from previous meetings:
    
       Request Context in SAML Profile: which attrs should be returned 
        http://lists.oasis-open.org/archives/xacml/200901/msg00014.html
        - deal w wording next week.
        Rich pointed out, off list, that adding phrase, "supplied by the PEP"
         to "A conforming PDP MAY omit those XACML Attributes, supplied by 
         the PEP, ..." would help disambiguate the possibilities of what
         attrs are being referred to that could be omitted, since there
         were none left that could be omitted in previous sentence.
    
    
       Hierarchical profile
        http://lists.oasis-open.org/archives/xacml/200901/msg00033.html
    
        Rich: no change - still has action to post to list
    
    
       Multiple Decision Request Proposal
        Consolidation and refs to emails for current state of proposal:
         http://lists.oasis-open.org/archives/xacml/200901/msg00055.html
        Most recent proposal and objection on correlation problem:
         http://lists.oasis-open.org/archives/xacml/200901/msg00058.html
         http://lists.oasis-open.org/archives/xacml/200901/msg00060.html
    
        Hal: posted scheme and Erik said scheme wouldn't work;
         2 issues: 
          1. correlation; use include in resp attr val in response
    	if inputs not unambiguous it is responsiblity of req builder
    	 to put in whatever they need.
          2. how do we express what items to create virtual req context
    	for a single decision within multi-request
    
    	 a. use xml refs
      	 b. use attrs for matching
    
    	Hal: just using xml:id more straight forward
    	Erik: correlationId - get multiple results
    	Hal: xpath alternative don't need the ref
    	Erik: can send in pile of attrs where each contains xml
    	Erik: should do xml:id for inputs; for outputs use incl in resp
    	 problem in setting up request is doing type matching
    	Erik: 2 correlations: input and output xml:id ok on input but
    	 would break on output, that is ok.
    	Hal: we have rough consensus: Erik has some thoughts in mind
    	 to put something together
    
    	
    
       RBAC Profile
        Darran volunteered to create a proposal to address 
        use cases he believes may be pertinent to this 3.0
        Profile. 
    
    	Darran will try for next week to have something
    	 to consider.
    
       XSPA (Comment List)
        Hal suggested that there is a better source for HL7 
        reference.
    
    	Hal: Refs: constructs ref'ing HL7 - is there more 
    	 authoritative ref than going to interop lists.
    
    	David: what comments need to be addressed:
    	Hal: only officially comments to public review list
    	 and for those need to show disposition of each,
    	 w possible short follow up review.