OASIS eXtensible Access Control Markup Language (XACML) TC

Minutes 16 July 2009 TC Meeting

    Posted 07-16-2009 15:29
    Proposed Agenda for 16 July 09 XACML TC Meeting:
      Time: 10:00 am EDT
      Tel: 512-225-3050 Access Code: 65998
    
       Note: GeoXACML Presentation Today: See Details Below
    
    10:00 - 10:05 Roll Call & Approve Minutes
       2 July 2009 TC Meeting
       http://lists.oasis-open.org/archives/xacml/200907/msg00004.html
    
    Erik Rissanen
    Paul Tyson
    Bill Parducci
    Rich Levinson
    Hal Lockhart
    Seth Proctor
    David Staggs
    Duane DeCouteau
    
    Gareth Richards
    
    Guest: Jan Herrmann 
    
    	Have quorum
    
    10:05 - 10:15 Administrivia
    
       Discuss Agenda: As normal, issues are below: unless there are items that
       need immediate attention, it is suggested that, aside from announcements,
       we delay issues until next time and proceed with the presentation.
    
       Concordia/Catalyst - Identity Workshop (July 27, San Diego)
       http://projectconcordia.org/index.php/Catalyst_pre-conference_workshop_agenda
       http://lists.oasis-open.org/archives/xacml/200907/msg00005.html
    
       Concordia/Catalyst - July 27-31 (San Diego) - 
       Invite for informal get-together for TC members and others
       http://lists.oasis-open.org/archives/xacml/200906/msg00024.html
    
       Open Document Format for Office Applications Document Controls Profile 
       (09-06-26-proposal00079) uploaded
       http://lists.oasis-open.org/archives/xacml/200907/msg00003.html
    
       Export Control - U.S. (EC-US) 
       (xacml-3.0-ec-us-v1-spec-cd-01-en.doc) uploaded
       http://lists.oasis-open.org/archives/xacml/200907/msg00006.html
    
       XSPA Profile of XACML v2.0 for Healthcare 
       (xacml-xspa-1 0-cd04.doc) uploaded
       http://lists.oasis-open.org/archives/xacml/200907/msg00013.html
       TBD: TC authorize a vote to promote the Committee
        Draft with these edits to Committee Specification 
    
    	Take vote for Mary to create a ballot
    	 TC agrees chgs not substantive
    	David moves chgs not substantive and that electronic
    	 vote
    	Duane seconds
    	No discussion
    	Any objections to unanimous consent
    	Erik: any refs that need updating
    	Hal: no other docs refer to this, does this refer to others
    	 amend to say we will adjust refs to point to updated refs
    	 at time of release.
    	Dave amends
    	Duane seconds
    	Any objections for ballot w amendment
    	No objections
    	It carries
    
    
    10:15 - 11:00 Presentation
       (As indicated at last TC mtg/minutes, we have invited presenter.
        Slides are available from link below, and TC members are advised
        to review prior to presentation, so questions and comments 
        might be prepared in advance)
    
       Jan Herrmann (Chair: GeoXACML SWG) will present and discuss:
       Design Options for GeoXACML:
       Access Control for OGC Web Services with (Geo)XACML
       http://lists.oasis-open.org/archives/xacml/200906/msg00023.html
       Updated presentation at:
       http://lists.oasis-open.org/archives/xacml/200907/msg00016.html
    
    
    	Jan introduces xacml
    	slide  1 - Title/credits
    	slide  2 - introduce to ways OWS data represented/ pre/post
    	slide  3 - fine grain, content dependent, spatial, env-ctx-dep
    	slide  4-7 - examples of rules
    	slide  8 - pre process both req & rsp (i.e. ws rsp not pdp rsp)
    	slide  9 - hi level arch req/rsp both go thru pep
    	slide 10 - 2 approaches: attr-desig, attr-sel
    	slide 11 - attr-des; destroys structure, atomic data
    	slide 12 - ex shows attr-des probs, bldg objects ambiguities
    			generate coarse grain objects; lose ref info			
    	slide 13 - also can't use w/o intro of lots of URNs
    	slide 14 - conclude attr desig not good enough
    	slide 15 - propose attr selector, no URNs, 
    		   	no attr instantiate in PEP
    			conclude: need attr sel
    			another doc link on portal
    	slide 16-18 skipped; old web svc kvp encoding (not in new slides)
    	slide 19 - how to write rules
    	slide 20 - right side websvc response; need to apply rules
    			on what can be shown to user
    	slide 21 - xpath predicates; limited expressiveness for doing
    			comparisons etc.; filter not possible
    	slide 22 - mult/hier prof approach; pep gen global acdr, referring
    		 	to resources; res-id pts to root; scope is all
    			descendant nodes; pdp will derive ind requests;
    			scope deleted, not needed; prelim
    
    			slides in pres mode see ids changing
    			if all rules ref feature members don't need to go
    			down all tree branches
    
    			reg expr refer to feature member nodes; can use attr
    			 selector;
    
    	slide 23 - summary of advantages: can use all xacml/geoxacml fcns;
    			flexible use of pointers;
    			performance; looks difficult but can be optimized
    	slide 24 - xpath expr analysis
    	slide 25 - xpath node match: same limits as attr-selector
    	slide 26 - summary capabilities of options
    	slide 27 - post processing limits
    	slide 28 - pre-process limits; object type: building, props: owner,
    			price, location; filter can't be used properly
    	slide 29/26 - pep adds obligation; query rewrite to backend by pep
    	slide 30/27 - advantages: avoid post processing issues; rewritten
    			queries guarantee filter data not returned
    			disadvantages; unexpected svc behavior
    	slide 31/28 - wfs lang does not allow filters; need to do 2nd ac step
    	slide 32/29 - both approaches have +,- depends on semantics of appl etc.
    	slide 30 (new only) - recommendation; order of params, etc
    			new "category" of attrs action/res combo?
    			attr bags
    	slide 31 (new only) - more recommendations - eng report is public
    			and we can review. hard to write chg requests; would
    			rewrite profiles completely; might be better to have
    			a web svc profile containing these two; more general
    			non-xml resources; so generic so many ways to read
    			profiles; should limit generality
    			if do geo profile; how to use underlying profiles
    
    
    	Erik: re: new p 78,66 Jan: allows element nodes gone;
    	Hal: we should discuss on list, possibly Jan can have another visit
    		after we have processed the info further and/or address
    		questions raised on list (TBD)
    	Hal: meeting adjourned 11:20
    	
    
    10:15 - 11:00 Issues (propose to postpone discussion until next mtg)
    
       relax-ng grammar for xacml
       http://lists.oasis-open.org/archives/xacml/200907/msg00002.html
    
       XSPA Profile of XACML v2.0 for Healthcare / Action Item from 2-Jul-09 
       (has updated attached spreadsheet)
       http://lists.oasis-open.org/archives/xacml/200907/msg00009.html
    
       x.500 (new concerns on same issue from prev mtgs)
       http://lists.oasis-open.org/archives/xacml/200907/msg00010.html
    
       Comments on: Open Document Format Office Appl Controls Profile 
       http://lists.oasis-open.org/archives/xacml/200907/msg00012.html