OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Minutes: 25-Oct-07 XACML TC Meeting

    Posted 10-26-2007 03:14
    1 Roll Call:
    
        To be supplied
    
    2 Administrivia:
    
        Minutes from 11-Oct-07 approved:
    
            http://lists.oasis-open.org/archives/xacml/200710/msg00025.html
    
        Review plans for RSA Interop
    
            Hal: Tentative confirmations from Oracle, IBM, Axiomatics,
            Securent and Sun. Dee talked to Tony in Barcelona. Need to
            get draft together quickly.
    
            Dave Staggs: got email from Tony re: interop. Possible
            health care demo. Involves privacy info.
    
            Hal: Tony- more extensive policy exchange
    
            Hal: Dee - wants draft in week or so.
    
            Hal: BEA will not commit unless minimal changes from existing
            Interop.
    
            Some discussion on multiple TC scenarios, ex ws-fed.
    
    3 Issues:
        Issue 87:
           Rich: Need xpath feedback from others - i.e. someone who
           "knows" what the xpath constructs are "supposed to be"
    
            Rich to provide specific proposal for changes. Options of
            required optional/ resource:xpath in attr designator. (will
            be based on deduction of intent of xpath in spec unless
            specific feedback provided)
    
            Hal: (on related topic raised in addition to the core of
            issue 87) final step to compute decision, PDP rely on nothing except
            what's in request context - Niko mentions date/time, whatif
            consensus, send in req - will this be allowed next week,
            pdp will compute it. When CH finishes, PDP only considers
            what's in context. See: first of msg pair on Sat - contradiction
            PDP must verify attr as accurate - other than the current
            time. Make sure it's consistent everywhere. Niko's msg in
            xacml-dev list (comments above are re: last para in the
            following msg):
    
              http://lists.oasis-open.org/archives/xacml-dev/200710/msg00007.html
    
           (maybe Hal could elaborate a bit more - I am uncertain how
           "current-time" could be "next week". I am also uncertain looking
           at the above message exactly what is at issue, but I would like
           to know more about the "what if" capability - i.e. how would one
           set it up?)
    
        Issue: "An idea regarding decision explanation"
    
            Erik: Annotating attrs: - explanation of what can be done
            about it - many ways to respond. Policies that didn't
            match. Differentiate between attrs that users can do
            something about.
    
              http://lists.oasis-open.org/archives/xacml/200710/msg00029.html
    
            ex. in above link: flight - reach a point where the PDP tests
            whether permission (as opposed to checking if Target is applicable),
            return all the info - in general much too much and user will not
            know what to do
    
            Erik/Hal: Similar to obligations.
    
            Rich: the 3 reasons (why not similar to MissingAttributeDetail)
            are still subject to discussion:
              http://lists.oasis-open.org/archives/xacml/200710/msg00032.html
            Basically, MustBePresent (lines 2614-2617 and related) can be used
            to force Indeterminate to be returned if attr missing. Putting
            aside the possible options implicit in lines 3321-3323, lines
            3323-3326 indicate that the attr info MAY be listed in the Response
            (presumably Policy determined and Policy writer would designate
            conditions, let's assume trying to accomplish this gets selected
            info back to user) and section 7.15.3 gives guidelines on how to
            do this. My point is that with these controls available, one
            should be able to come up with a technique of the Policy Designer
            knowing which attr to flag to the user and use this technique to
            do it. A further control would be, in addition, to use an
            Obligation to tell the PEP that if there is MissingAttrDetail,
            then do what is necessary to inform the user and then possibly
            resubmit the request. (This request re-submission appears to be
            an intended capability as per lines 3601-3603 of sec 7.15.3) I
            think this addresses the 1st 2 reasons in the above email. The
            3rd reason, I agree, is not handled by this mechanism, because
            attr is not "missing" in that case.
    
           Hal: too many Obligation reqts implicit here (in email, not
             necessarily the above case). Gets complicated.
            Bottom line: need admin to tag specific things as useful to
            the users.
            Use Target to match on Resource, Action.
            Multiple missing attrs - Hal - if you can't it's a bug.
    
            Rich: May tie together w ws-xacml.
    
            Erik - another reason is if you have an extra attr could
            be the problem. Might need a PresentAttrDetail
    
            Hal: take 80/20 approach, we can't solve all problems, but there may
              be some value in some of these ideas.
    
          Issue 62: Update to policy distribution protocol.
           http://lists.oasis-open.org/archives/xacml/200710/msg00034.html
    
            Hal: Naked policies or policies wrapped in Assertion - thinking
            both are required.
    
            Rich: policies - issuer (XACML 3.0) provides natural structuring.
            Hal: provides several other ways, but does not want to cast any
            particular one as automatic.
    
    Meeting adjourned approx 11:05 AM
    
    
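    The MustBePresent / MissingAttributeDetail / resubmission flow that Rich
    describes under "An idea regarding decision explanation", as an added
    illustration that is not part of these minutes, the XACML specification
    text, or any XACML implementation. It models a single Permit rule with
    plain Python objects instead of XACML XML. The two status-code URIs are the
    ones the XACML 2.0 specification defines; the subject category URI is the
    standard access-subject category; the "clearance" attribute, its allowed
    values, the sample request and the user-supplied attribute source are all
    constructed for the example. The PDP decides only from the request context
    it is handed, and the PEP resubmits when the response carries
    MissingAttributeDetail it can satisfy. The last case, an attribute that is
    present but has the wrong value, comes back with no detail at all, which is
    the third reason Rich agrees the mechanism does not cover.

```python
"""Toy model of XACML MustBePresent -> MissingAttributeDetail -> PEP resubmission.

Added example, not code from the XACML TC or any XACML product. Everything
except the spec-defined URIs below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Status codes defined in the XACML 2.0 specification (Appendix B.9).
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
STATUS_MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"

# Standard access-subject category; the "clearance" attribute used below is made up.
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"


@dataclass(frozen=True)
class AttributeDesignator:
    """Subset of <AttributeDesignator>: where to look and whether absence is an error."""
    category: str
    attribute_id: str
    must_be_present: bool = False


@dataclass(frozen=True)
class Rule:
    """One Permit rule whose Condition is 'designated attribute has an allowed value'."""
    designator: AttributeDesignator
    allowed: frozenset[str]


@dataclass
class Result:
    decision: str                       # Permit | NotApplicable | Indeterminate
    status_code: str = STATUS_OK
    missing_attribute_detail: list[AttributeDesignator] = field(default_factory=list)


def pdp_evaluate(rule: Rule, request: dict[tuple[str, str], frozenset[str]]) -> Result:
    """Evaluate the rule using nothing but the request context (no external lookups)."""
    key = (rule.designator.category, rule.designator.attribute_id)
    bag = request.get(key, frozenset())
    if not bag:
        if rule.designator.must_be_present:
            # MustBePresent="true": an empty bag is an error. The PDP returns
            # Indeterminate and echoes the designator in MissingAttributeDetail
            # so the PEP knows exactly which attribute to collect.
            return Result("Indeterminate", STATUS_MISSING_ATTRIBUTE, [rule.designator])
        # MustBePresent="false": empty bag, Condition is simply not satisfied.
        return Result("NotApplicable")
    # Attribute present: the Condition decides. Nothing is flagged for the
    # user even when the value is merely wrong (Rich's third case).
    return Result("Permit" if bag & rule.allowed else "NotApplicable")


def pep_enforce(rule: Rule,
                initial_request: dict[tuple[str, str], frozenset[str]],
                user_supplied: dict[tuple[str, str], frozenset[str]],
                max_rounds: int = 3) -> tuple[Result, int]:
    """Resubmit while the PDP reports missing attributes the caller can supply.

    user_supplied stands in for whatever the PEP does to 'inform the user'
    and obtain the attribute. Returns (final Result, number of PDP calls).
    """
    request = dict(initial_request)
    result = pdp_evaluate(rule, request)
    rounds = 1
    while (result.decision == "Indeterminate"
           and result.status_code == STATUS_MISSING_ATTRIBUTE
           and rounds < max_rounds):
        added = False
        for d in result.missing_attribute_detail:
            key = (d.category, d.attribute_id)
            if key in user_supplied and not request.get(key):
                request[key] = user_supplied[key]
                added = True
        if not added:
            break  # nothing new to add; resubmitting would loop forever
        result = pdp_evaluate(rule, request)
        rounds += 1
    return result, rounds


if __name__ == "__main__":
    clearance = AttributeDesignator(SUBJECT, "clearance", must_be_present=True)
    rule = Rule(clearance, frozenset({"secret", "top-secret"}))
    # Constructed sample request: the subject's clearance was never collected.
    req = {(SUBJECT, "subject-id"): frozenset({"alice"})}
    first = pdp_evaluate(rule, req)
    print(first.decision, first.status_code,
          [d.attribute_id for d in first.missing_attribute_detail])
    final, calls = pep_enforce(rule, req, {(SUBJECT, "clearance"): frozenset({"secret"})})
    print(final.decision, "after", calls, "PDP calls")
```

    Run it and the first print shows Indeterminate with the missing-attribute
    status and ["clearance"] as the detail; the second shows Permit after two
    PDP calls. Swap the supplied clearance for a value outside the allowed set
    and the PDP answers NotApplicable with an empty detail list, so the PEP has
    nothing to tell the user, which is exactly the gap discussed above.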


  • 2.  RE: [xacml] Minutes: 25-Oct-07 XACML TC Meeting

    Posted 10-26-2007 14:41
    Added Roll
    
    >