OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Minutes 16 April 2009 TC Meeting

    Posted 04-17-2009 00:22
    Date: Thu, 16-Apr-09
    Time: 10:00 am EDT
    Tel: 512-225-3050 Access Code: 65998
    Minutes for 16 April 2009 TC Meeting
    Proposed Agenda:
    10:00 - 10:05 Roll Call & Approve Minutes
    Erik Rissanen    Axiomatics AB       Group Member
    Bill Parducci*   Individual          Group Member
    Rich Levinson    Oracle Corporation  Group Member
    Hal Lockhart     Oracle Corporation  Group Member
    Anil Saldhana    Red Hat             Group Member
    Seth Proctor     Sun Microsystems    Group Member
    John Tolbert     The Boeing Company* Group Member
    David Staggs     Veterans Health Administration  Group Member 
      Have quorum at start: 7/10
     - Minutes to approve: 9 April 2009 TC Meeting
      Approved, no objection
    10:05 - 10:10 Administrivia
     - XACML v3.0 Specification Status
        The following specifications are targeted for Committee Draft status
        at the next meeting as well as to be marked for Public Review. This
        meeting will be held in one week (April 16) at the same time and
        * Core Specification
        * Hierarchical Resource Profile
        * SAML Profile
        * Administration and Delegation Profile
        * Digital Signature Profile
        * Multiple Resource Profile
        * Privacy Policy Profile
        * Core and hierarchical role based access control (RBAC) Profile
      Have final core and 7 profile specifications
      Motion to move docs to CD:
      Bill moves
      Erik seconds
      Any objections to CD: none
      Vote carries
      Motion to public review:
      Erik moves
      John seconds
      Any objections to public review: none
      Vote carries
      Need doc, html, pdf
      (if editable form not html, then need all 3 (incl editable))
      Need list of individual links to docs:
      Don't know until in repos what the link is.
     -> Hal: will get clarification from Mary
        Hal: Norm Walsh confirmed our use of xml:id
        Hal: we will send docs to Mary for formal formatting check.
        Hal: public review will auto-go to security in OASIS,
          plus IETF, W3C, WS/I, ITUT, maybe NIST, OGC (geo-spatial),
          maybe HL7 (healthcare), Concordia, TSCP (John will provide email).
        Hal: new profile draft on export control
    10:10 - 11:00 Issues
     - XACML Export Control -US profile draft
      John: worked on w Paul Tyson, Bell Helicopter, export controls,
        need to define std attrs for international: nationality,
        control numbers from DOC, USML (munitions list, ITAR)
        std attrs for making export control decisions.
     - Public comments submitted for the XSPA profile of XACML
        Finished public review
        Comments received above link
        David: RSA was important to getting public input
         Review xspa issues:
          1  Are gateways included? ACS is gateway.
          2  Diagnostic integers model: info holder does not relinquish
             control of any info - issue w pre-fetch - diagnostic images
             are too large
       Hal: responsibility to respond to people who made request,
         but possibly clarify doc to help people understand if the
         comment indicated party did not understand doc.
          3  Request context: how requests are mapped:
             Hal: this one borrowed mechanism from SAML, may not need
              to adjust doc but direct to underlying spec.
          4  Demo'd at HIMSS; do SAML, XACML, then they jump into how
              to do policies - here is how to identify patients; attr
              is provided, but up to individuals to identify mechanism
          5  Issue w text extracted from saml/xacml profile: basically
              said we don't return req in rsp.
             Hal: optional to return; David will incl note
          6  RSA 2008: defining attrs used for Dr Bob, created
              dissenting-subject-id - name of person being blocked. Would
              better describe dissenting-subject-id
             Erik: says he did original suggestion for dissenting
             David: masking plus additional info; can be better explained
             Hal: be careful; if user-id is different format, then may
              miss that person is supposed to be blocked.
             David: issue of NTI: should be number assoc w everyone
          6  Default normal confidentiality code: normal is default; could
              add text to make clearer.
          7  Mary working late - file name overwrites saml - will fix
          8  Links: incl Hal's response; if doc external provide link
             David will check.
          9  John M: comments in saml will affect xacml: Duane agreed, need to
              do some harmonization: Duane will provide email w details.
         10  John M: made broad stmt; David: this is interop profile w defined
              attrs; expect those attrs give scope required for this work.
      Hal: how did HIMSS conf interop go:
       David: we were in future directions portion: demo'd infrastructure of
        a hospital. NHIE will be infrastructure for attrs shipping around and
        have opt-out model; they were very interested in xacml manner of doing
        this; they want the more detailed decision model; Will be taking code
        from HIMSS, make publ avail; will have tool to hook into nationwide
        health info exchange network. NHIN used between health info xchg's;
        will put on set top box; hook system to box, which will plug in.
      Hal: will mention at RSA next week: David will send slide w relevant info.
       Hal: this will be part of new things happening w saml.
    - Meeting schedule:
        Hal: we've had an intense period, go back to every other week.
          skip Apr 23 meeting
          next meeting: May 7, then 2 week schedule
      Meeting adjourned: 10:53 AM EDT
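    Added example (not part of the minutes, the XSPA profile, or any TC
    deliverable) illustrating Hal's caveat under item 6 of the XSPA comment
    review: if the requester's user-id arrives in a different format from the
    value stored as dissenting-subject-id, an exact-string comparison misses the
    block. The code canonicalises both sides before comparing and fails closed on
    an unrecognised format. The placeholder URN for dissenting-subject-id, its
    placement on the Resource, the 10-digit identifier format and the sample
    request are all assumptions made for this example.

```python
"""
Added example: canonicalise subject identifiers before matching them against a
patient's dissent list, so a formatting difference cannot hide a block.
Everything below the XACML core subject-id URN is an assumption for this example.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Real XACML core attribute id for the requester.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
# Placeholder: stands in for whatever id the XSPA profile defines (assumed).
DISSENTING_SUBJECT_ID = "urn:example:xspa:dissenting-subject-id"
# XACML 2.0 request context namespace (real).
XACML_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"

_DIGIT = re.compile(r"\d")


def canonical_subject_id(raw: str) -> Optional[str]:
    """Reduce a provider identifier to its bare 10-digit form.

    Presentation variants such as whitespace, dashes or an 'NPI:' prefix are
    stripped (the variants are constructed for this example). Returns None when
    the value does not reduce to exactly 10 digits, so the caller can refuse to
    treat an unrecognised format as a non-match.
    """
    digits = "".join(_DIGIT.findall(raw))
    return digits if len(digits) == 10 else None


def naive_is_blocked(requester_id: str, dissent_list: List[str]) -> bool:
    """Exact-string comparison: the failure mode Hal warned about."""
    return requester_id in dissent_list


def is_blocked(requester_id: str, dissent_list: List[str]) -> bool:
    """Compare canonical forms; an exact raw match still counts, and a requester
    id that cannot be canonicalised is treated as blocked (fail closed)."""
    if requester_id in dissent_list:
        return True
    canon_req = canonical_subject_id(requester_id)
    if canon_req is None:
        return True
    return any(canonical_subject_id(d) == canon_req for d in dissent_list)


# Constructed XACML 2.0 request: requester id in a decorated format, dissent
# list carried as repeated Resource attributes (placement is an assumption).
SAMPLE_REQUEST = f"""
<Request xmlns="{XACML_NS}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>NPI: 1234-567-890</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="{DISSENTING_SUBJECT_ID}"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>1234567890</AttributeValue>
    </Attribute>
    <Attribute AttributeId="{DISSENTING_SUBJECT_ID}"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>9876543210</AttributeValue>
    </Attribute>
  </Resource>
  <Action/>
</Request>
"""


def evaluate(request_xml: str) -> dict:
    """Extract requester and dissent ids from the request context and report
    whether the naive and the canonical checks would block the request."""
    root = ET.fromstring(request_xml)
    ns = {"x": XACML_NS}

    def values(path: str, attr_id: str) -> List[str]:
        out: List[str] = []
        for attr in root.findall(path, ns):
            if attr.get("AttributeId") == attr_id:
                out.extend((v.text or "").strip()
                           for v in attr.findall("x:AttributeValue", ns))
        return out

    requesters = values("x:Subject/x:Attribute", SUBJECT_ID)
    dissent = values("x:Resource/x:Attribute", DISSENTING_SUBJECT_ID)
    return {
        "naive": any(naive_is_blocked(r, dissent) for r in requesters),
        "canonical": any(is_blocked(r, dissent) for r in requesters),
    }


if __name__ == "__main__":
    # Expected: naive False (format mismatch slips through), canonical True.
    print(evaluate(SAMPLE_REQUEST))
```

    In a deployment the canonical form would be fixed by the profile's
    attribute definition rather than guessed by regex, and an unrecognised
    format would surface as a deny with a reason instead of a silent permit.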

  • 2.  RE: [xacml] Minutes 16 April 2009 TC Meeting

    Posted 04-17-2009 02:51
    Please adjust the wording in your notes on the statement:
    "will put on set top box; hook system to box, which will plug in."
    "One clever suggestion that surfaced was to package the SAML/XACML
    functionality into a 'set top box' to simplify the complexities that
    might keep small medical practices from using the XSPA profile to plug
    into the NHIN."
    Stating that we have plans to roll out the XSPA profile in hardware at
    this point would probably have me in boiling water :-0
    Also change "NTI" to "NPI" (National Provider Identifier) [the NPI is a
    unique 10-digit identifier issued by HHS/CMS as mandated by the HIPAA
    Also, near the bottom please change NHIE to NHIN (Nationwide Health
    Information Network).
    David Staggs, JD, CISSP (SAIC)
    Veterans Health Administration
    Chief Health Informatics Office
    Emerging Health Technologies