OASIS eXtensible Access Control Markup Language (XACML) TC

Minutes for 8 March 2012 TC Meeting

    Posted 03-14-2012 16:07
Time: 13:00 EST (GMT-0500) Tel: 513-241-0892 Access Code: 65998

Minutes for 8 March 2012 TC Meeting:
(Thanks to Richard Hill of Boeing for providing the details for the minutes which are included here)

Note: next meeting: March 22, 2012 1PM EDT
Note: EDT is now in effect in US and equals GMT-0400. Since different countries go to *DT on different dates, there may be confusion with meeting times over the next few weeks; please try to figure local time vs EDT, which is GMT-0400, which will be in effect starting next meeting.

I. Roll Call & Minutes

Roll Call:

Voting Members
  Crystal Hayes, The Boeing Company
  Richard Hill, The Boeing Company
  Rich Levinson, Oracle
  Hal Lockhart, Oracle
  Remon Sinnema, EMC
  Danny Thorpe, Quest Software
  Paul Tyson, Bell Helicopter Textron Inc.

Members
  Abbie Barbir, Bank of America
  Jan Herrmann, Siemens AG

Approve Minutes: 23 February 2012 TC Meeting
http://lists.oasis-open.org/archives/xacml/201202/msg00017.html
* vote on minutes: approved

II. Administrivia

RSA InterOp Status - review conference highlights
* RSA interop - members' comments good.
- Rich: mentioned that the Boeing contribution was extremely useful and demonstrated the concept of defining "standard attributes" as defined in the IPC Profile, which enables "integration" of all the backend resource documents under a common representation umbrella independent of the technological details of the documents and their repositories.

US Govt: Prog Mgr for the Information Sharing Environment (PM-ISE)
http://lists.oasis-open.org/archives/xacml/201202/msg00045.html
* ISE program; Scott McGrath; no comments. The above email has an attached 12-pg document describing PM-ISE.

ITU Presentation (SAML/XACML) - call was on 2/27: any more info?
http://lists.oasis-open.org/archives/xacml/201202/msg00015.html
* Abbie: gave update on ITU supplier tool. Correspondent tool, XACML, Bank of America.
- Abbie: needed to determine if XACML v3 core spec will be approved by mid July? (There is a window on the 4 yr ISO cycle of approvals that needs to be met.)
- Hal: takes 4 month process to finalize and approve; 60 day review for member review.

XACML Media Types
Initial Document with one media type - Ray: comments requested
http://lists.oasis-open.org/archives/xacml/201202/msg00046.html
Comment from Paul: http://lists.oasis-open.org/archives/xacml/201202/msg00048.html
Version parameter: Ray, Bill:
http://lists.oasis-open.org/archives/xacml/201202/msg00028.html
http://lists.oasis-open.org/archives/xacml/201202/msg00030.html
Background on IANA Registration: http://lists.oasis-open.org/archives/xacml/201202/msg00008.html
- Propose a single media type, add optional version parameter. Ray: clarified that the single type was to show the general format for each media type, and when agreed, more types can be added as needed.
- Hal: careful about versioning. PDP might get request and response in a different format.
- Paul: recommends finishing media types; need to distinguish between v2 and v3.

Legal RuleML Uploaded: any updates on activities?
http://lists.oasis-open.org/archives/xacml/201202/msg00009.html
http://www.oasis-open.org/apps/org/workgroup/legalruleml/download.php/45125/latest/XACMLintro.odp
* Legal RuleML: Paul gave update; RuleML progressing with core spec. May not be a big impact.

REST Profile of XACML v3.0 Version 1.0 Uploaded: discussion:
http://lists.oasis-open.org/archives/xacml/201203/msg00002.html
http://lists.oasis-open.org/archives/xacml/201202/msg00047.html
http://lists.oasis-open.org/archives/xacml/201202/msg00010.html
* REST profile status:
- Paul: made comments that may extend it further than what others may have in mind.
- Paul: asks members to review comments and consider.

Profile proposal: On-permit-apply-second Combining Algorithm
http://lists.oasis-open.org/archives/xacml/201202/msg00013.html
http://www.oasis-open.org/apps/org/workgroup/xacml/download.php/45187/latest/xacml-3.0-combalgs-v1.0-wd01.doc
* Profile proposal:
- Erik's proposal on combining algorithm.
- Hal passed over on it (since Erik sent regrets for today's meeting).

III. Issues

Core (minor typos/questions):

Remove erroneous comma: http://lists.oasis-open.org/archives/xacml/201202/msg00029.html
- Ray commented extraneous comma needs removal.

Remove bold, italic: http://lists.oasis-open.org/archives/xacml/201202/msg00043.html
- Used "action" in an informal way. Message 43.

List of combining algs: http://lists.oasis-open.org/archives/xacml/201202/msg00041.html
- Normative language is out of date. Ray good with Erik's suggestion.

Reuse of rules/PAP: http://lists.oasis-open.org/archives/xacml/201202/msg00024.html
- Sec 2.2; Ray: having rule ref; policy was the center of administration.
- Language is a holdover from previous version.
- Hal: suggest removing "use of tools". Need consensus.

XACML v3.0 Open Items
Issues list: http://lists.oasis-open.org/archives/xacml/201202/msg00001.html

Issues discussions:

Issue #3: Combining Algorithm

Issue #4: Context Handler
Ray proposal and follow-up comments: http://lists.oasis-open.org/archives/xacml/201202/msg00040.html
- Hal: debate is about arch definitions; doesn't object to tightening up language.
- ??? comment: introduce new component; context handler can also add context values to request.
- Paul: obligation and advice handling as separate.
- Hal: context handler for formatting, etc.; lines drawn for logic. All definitions cover their respective responsibilities.
- Paul?: context is a bag of attributes; first attribute needs to be fully populated and not changed.
- Paul & Hal discussed RAA of components. Message 38 of Feb. Erik's approval for Paul's wording.
- Hal approves Paul's suggestion on how to proceed.
- ???: comments: 1.) can cause improbability issues. 2.) can context be extended at runtime? i.e., obligation telling PEP how to do it.
- Hal: separate the obligation and advice handling issues from the general context handler architecture issue; ... adding attributes at a later time.
- Rich: context plays a part in profiles by taking request from a structure into increments to PDP. Missing: wording misses this.
- Rich: what context needs to contain, i.e. one collection of attributes per category. Definition in arch is loosely defined.
- Paul: doesn't seem complete in defining arch PDP components?
- Paul: need to be clear about what is being done with each component of arch.
- Paul: fix wording to cover some cases. Suggests limited changes.

Issue #8: Schema Anomalies ("choice element" or "Policy w no Rules")
Recent discussion focus on whether combining algs render issue moot: http://lists.oasis-open.org/archives/xacml/201202/msg00044.html
- Summarize: Rich: existing schema is troubling, i.e. zero rules - intent of allowing not clear; schema stands for now... don't want to impact things now, but still needs review. Key issue: there is a single schema group that collects unrelated concepts and ties them together in inexplicable ways - rules - variable definitions - combining parameter collection elements.
- Hal: what guidance do we provide with a policy with no rules; put everyone on notice on this to look.
- Hal: may need to move to weekly meetings to wrap up issues like this.