OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Minutes 02 July 2009 TC Meeting

    Posted 07-02-2009 14:50
    1. Roll Call
        Hal Lockhart (Chair)
        Bill Parducci (Co-Chair, minutes)
        Erik Rissanen
        Rich Levinson
        Anil Saldhana
        Seth Proctor
        John Tolbert
        David Staggs
    
      Voting Members 8 of 10
    
      Non-Voting
        Paul Tyson
        Richard Franck
    
    2. Administrivia
        Vote to approve Minutes from 18 June 2009 TC Meeting
        APPROVED unanimously
    
        OASIS IDtrust Member Section Steering Committee Elections now open.
    
        Intellectual Property Control (IPC) committee draft uploaded.
    
        IDtrust/NIST event end of September, deadline for submissions
        July 10.
    
        Concordia/Catalyst in San Diego the last of July. There will be a
        sessions focusing on authz.
    
        Hal reviewed the context of the slides on Design Options for
        GeoXACML. He has suggested that the TC review the material and
        comment. Hal will invite the author to the next TC meeting.
    
    3. Issues
        x.500
        Bill offered that David Chadwick's proposed text is a more precise
        statement of the intended functionality and suggests that we adopt
        it as a clarifying edit.
    
        "urn:oasis:names:tc:xacml:1.0:function:x500Name-match
         This function shall take two arguments of
         'urn:oasis:names:tc:xacml:2.0:data-type:x500Name'
         and shall return an 'http://www.w3.org/2001/XMLSchema#boolean'. It
         SHALL return “True” if and only if the subtree specified by the
         first argument matches the root of the subtree specified by the
         second argument, when compared using x500Name-equal and the length
         of the first subtree is larger than or equal to the length of the
         second subtree."
    
        Obligations (comments list)
        A comment was raised on the comments list. Hal suggested that this
        be taken into consideration for "Obligation family" work in future.
    
        Applied XACML question/scenario
        A Use Case was presented on the users list for consideration. Paul
        commented that this issue is largely architectural. There was some
        discussion on approaches to resolve in the call.
    
        XSPA Edits
        David noted that some typos have been identified in the XSPA Profile
        and requested clarification on how to best address them. Hal
        recommended that a Committee Draft with the corrections be made.
    
        VOTE
        David moved that the TC authorize a vote to promote the Committee
        Draft with these edits to Committee Specification once it has been
        posted to the list.
    
        motion: David
        second: John
        vote: APPROVED unanimously
    
        Paul noted that a revision to the Export Compliance Profile is
        ready. John will review and upload it to the TC site for TC
        consumption.
    
        John will post a link to the list with references to the EC and IPC
        Profiles from his work with the Open Data Format.
    
    meeting adjourned.


  • 2.  Concordia Identity Workshop (july 27)

    Posted 07-02-2009 15:09
    I see this was referenced in the minutes - here is the link for agenda 
    and registration - there is no charge but the room has a limited capacity
    
    http://projectconcordia.org/index.php/Catalyst_pre-conference_workshop_agenda
    


  • 3.  XSPA action item from 02 July 2009 TC Meeting

    Posted 07-08-2009 15:52

    Attachment: xacml-xspa-1 0-cd03.doc (267 KB)


  • 4.  The X500 match function

    Posted 07-15-2009 12:28
    All,
    
    The proposed text below for the x500 match function from the last 
    meeting minutes reverses the behaviour of the two arguments compared to 
    the current specification. And I am not sure I like the term "root of 
    the subtree". A root is typically a single node, not a sequence of 
    nodes, as in this case.
    
    BTW, I have doubts about making any change to this definition. I think 
    the current definition is quite clear, and if we change it, somebody may 
    think that we have changed the behaviour. But if we think it needs 
    clarification, then I propose this instead:
    
       "urn:oasis:names:tc:xacml:1.0:function:x500Name-match
        This function shall take two arguments of
        'urn:oasis:names:tc:xacml:2.0:data-type:x500Name'
        and shall return an 'http://www.w3.org/2001/XMLSchema#boolean'. It
        SHALL return “True” if and only if the subtree specified by the
        first argument matches, beginning at the root, the subtree specified
        by the second argument, when compared using x500Name-equal and the
        length of the second subtree is larger than or equal to the length
        of the first subtree."
    
    BTW, there is something wrong going on here. The function name is 
    "...:xacml:1.0:...", but the data type of its arguments is 
    "...:xacml:2.0:...". It's like that in the 2.0 spec as well. Does anyone 
    know what's going on here?
    
    Best regards,
    Erik
    
    Bill Parducci wrote:
    >
    > 3. Issues
    >    x.500
    >    Bill offered that David Chadwick's proposed text is a more precise
    >    statement of the intended functionality and suggests that we adopt it
    >    as a clarifying edit.
    >
    >    "urn:oasis:names:tc:xacml:1.0:function:x500Name-match
    >     This function shall take two arguments of
    >     'urn:oasis:names:tc:xacml:2.0:data-type:x500Name'
    >     and shall return an 'http://www.w3.org/2001/XMLSchema#boolean'. It
    >     SHALL return “True” if and only if the subtree specified by the
    >     first argument matches the root of the subtree specified by the
    >     second argument, when compared using x500Name-equal and the length
    >     of the first subtree is larger than or equal to the length of the
    >     second subtree."
    
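As an added example (not part of Erik's message, the minutes, or any XACML implementation), the Python below codes the two readings of x500Name-match side by side: Erik's proposal, which keeps the current specification's argument order, and the text adopted in the 02 July minutes read literally, which swaps it. The DN parsing and the case-folding normalisation standing in for x500Name-equal are simplifying assumptions; the sample DNs are constructed.

```python
import re

# Split a string-form DN on commas that are not backslash-escaped (RFC 2253).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def _rdns(dn):
    """Return the DN's RDNs leaf-first, as written in the string form.

    Normalisation (case-fold type and value, trim whitespace) is a simplifying
    assumption standing in for the X.500 matching rules behind x500Name-equal.
    """
    out = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def x500name_equal(a, b):
    """Two DNs are equal when their normalised RDN sequences are identical."""
    return _rdns(a) == _rdns(b)


def x500name_match_current(a, b):
    """Erik's wording (same behaviour as the current spec): True iff the first
    argument matches the second 'beginning at the root', i.e. the first DN's
    RDNs are the root-side tail of the second's and the second is at least as
    long.  Typical policy use: is this user DN located under this subtree DN?"""
    ra, rb = _rdns(a), _rdns(b)
    return len(rb) >= len(ra) and rb[len(rb) - len(ra):] == ra


def x500name_match_minutes(a, b):
    """The text adopted in the 02 July minutes, read literally: the FIRST
    argument must be the longer one.  It is the same test with the arguments
    swapped, which is the reversal Erik points out."""
    return x500name_match_current(b, a)


# Constructed sample data: a subtree DN and a user entry beneath it.
SUBTREE = "o=Acme, c=US"
USER = "cn=Bob,ou=Eng,o=acme,c=us"


def demo():
    """Show that the two readings disagree for the same argument order."""
    return {
        "current": x500name_match_current(SUBTREE, USER),  # True
        "minutes": x500name_match_minutes(SUBTREE, USER),  # False
    }
```

A policy written against the current spec, with the subtree as the first argument, would therefore silently stop matching under the literal reading of the minutes' text.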
    


  • 5.  Re: [xacml] The X500 match function

    Posted 07-16-2009 04:16
    I think that the input we have received from the list(s) indicates  
    that a clarification is necessary. Erik's proposed version looks good  
    to me.
    
    b
    
    On Jul 15, 2009, at 5:28 AM, Erik Rissanen wrote:
    
    > All,
    >
    > The proposed text below for the x500 match function from the last  
    > meeting minutes reverses the behaviour of the two arguments compared  
    > to the current specification. And I am not sure I like the term  
    > "root of the subtree". A root is typically a single node, not a  
    > sequence of nodes, as in this case.
    >
    > BTW, I have doubts about making any change to this definition. I  
    > think the current definition is quite clear, and if we change it,  
    > somebody may think that we have changed the behaviour. But if we  
    > think it needs clarification, then I propose this instead:
    >
    >  "urn:oasis:names:tc:xacml:1.0:function:x500Name-match
    >   This function shall take two arguments of
    >   'urn:oasis:names:tc:xacml:2.0:data-type:x500Name'
    >   and shall return an 'http://www.w3.org/2001/XMLSchema#boolean'. It
    >   SHALL return “True” if and only if the subtree specified by the
    >   first argument matches, beginning at the root, the subtree specified
    >   by the second argument, when compared using x500Name-equal and the
    >   length of the second subtree is larger than or equal to the length
    >   of the first subtree."
    >
    > BTW, there is something wrong going on here. The function name is  
    > "...:xacml:1.0:...", but the data type of its arguments is  
    > "...:xacml:2.0:...". It's like that in the 2.0 spec as well. Does  
    > anyone know what's going on here?
    >
    > Best regards,
    > Erik
    >
    > Bill Parducci wrote:
    >>
    >> 3. Issues
    >>   x.500
    >>   Bill offered that David Chadwick's proposed text is a more precise
    >>   statement of the intended functionality and suggests that we
    >>   adopt it as a clarifying edit.
    >>
    >>   "urn:oasis:names:tc:xacml:1.0:function:x500Name-match
    >>    This function shall take two arguments of
    >>    'urn:oasis:names:tc:xacml:2.0:data-type:x500Name'
    >>    and shall return an 'http://www.w3.org/2001/XMLSchema#boolean'. It
    >>    SHALL return “True” if and only if the subtree specified by the
    >>    first argument matches the root of the subtree specified by the
    >>    second argument, when compared using x500Name-equal and the length
    >>    of the first subtree is larger than or equal to the length of the
    >>    second subtree."
    >
    >