OASIS eXtensible Access Control Markup Language (XACML) TC

Minutes of OASIS XACML TC meeting: 17-Jul-08

    Posted 07-17-2008 15:44
    
    Time: 10:00 am EDT
    Tel: 512-225-3050 Access Code: 65998
    
    Proposed Agenda:
    
    10:00 - 10:05 Roll Call & Minutes Approval
     Vote on Minutes from 3 July TC Meeting (Corrected)
     http://lists.oasis-open.org/archives/xacml/200807/msg00024.html
    
    Roll call:
    
    Voting:
        Rich Levinson
        Seth Proctor
        Anil Saldhana
        Erik Rissanen
        Tony Nadalin
        Bill Parducci
    	6 of 8 voting is quorum
    
    Non-voting:
        Anil Tappetla
        Duane DeCouteau (gains voting status)
    
    OASIS:
        Jamie Clark
    
    
    Minutes approval:
    
        Corrected minutes of prev mtg (7/3) Approved.
    
    
    10:05 - 11:00 Issues
     Attribute Designator Parameters
     http://lists.oasis-open.org/archives/xacml/200807/msg00008.html
    
        Anil T.: plethora of attrs - fcns used by CH vs PDP.
        Erik: doesn't think this level of detail in PDP, rather
    	in the CH part of env
        Anil: concern about large number of config type attrs
        Seth: agrees context handler PDP - retrieve attrs different 
    	ways; arg for config details as part of policy, if can't
    	config ch w attr; interested in real world use case
        Anil: can provide examples; possible
        Seth: agrees w Erik that this is ch config info, not to be
    	in policy; why config something for individual attr?
        Anil: ch config is separate issue
        Seth: ch has to get parameter, where does it get helper info?
        Anil: it is more than just ch issue
        Seth: never come across use case why config for ch must be
    	part of policy
        Anil: example sent out
        Defer discussion to next meeting; get more input
    
    
     #88 General Xpath functions
     http://lists.oasis-open.org/archives/xacml/200807/msg00016.html
    
        Erik: proposed by Craig - new fcns - gave up on export/import,
    	now proposing (should be 3.0) adding; couple open issues
    	do we need uri variance? should substring be able to 
    	extract to end of string? case conversion of international
    	chars not easy
        Bill: URI handling different from strings, regex matches etc.
    	- also value in neg index, chomping from back of string,
    	back of string is often valuable for access ctl;
    	no idea how to approach case sensitivity;
        Erik: case conv complex;
        Bill: maybe case conv too much;
        Bill: edit spec w these additions,
        Rich: what is xpath story on 3.0
        Erik: this is just new fcns
        Bill: more broad read
        Bill: Erik will repost proposal; impls have to figure out
    	the case issue
        Bill: maybe include 3 digit lang code? 
        Erik: maybe locale parameter added to string
        Seth: Java used to be a little confused, but now locale-based
    	and can optionally specify locale.
        Rich: maybe this is metadata similar to Anil's prev issue
    	on "helper parameters"
        Seth: maybe default for whole policy; but this metadata
    	is how to read strings as opposed to prev issue that
    	was more explicit
        Bill: is there problem raising locale to policy level attr?
        Erik: diff attrs from diff locales
        Bill: Erik will propose
    
     Duration Data Types
     http://lists.oasis-open.org/archives/xacml/200807/msg00017.html
    
        Bill: this issue derived from something Seth originally
    	proposed?
        Seth: maybe
        Bill: could handle "today - 21 years > subj.birthday" type
    	discussion?
        Erik: concerns that xacml incl data types that are restrictions
    	on data types, but does not incl more general type; inclined
    	to keep as is.
        Erik: why not ymd instead of just ym
        Bill: Seth's original note in 2003 - points out may or may not
    	solve other needs but didn't have any then; so probably
    	ok w what we have
    
     XACML Typos/ ipAddress, dnsName functions
     http://lists.oasis-open.org/archives/xacml/200807/msg00021.html
    
        Erik: list of fcn identifiers in conformance section missing
    	items that are in text that defines fcns themselves-
    	probably typo; just add the "missing" identifier
        Erik: other part - do we need set fcns for ip addr and other?
        Bill: is regex match sufficient
        Erik: 2 use cases: policy want to spec ip addr ok w regex
      	but do we want intersection of tags of ip addrs?
    	Probably not? scope?
        Erik: just update missing identifiers but don't deal w 
    	missing qualifiers