I Roll Call & Minutes
Attendees
Hal Lockhart (Co-chair)
Bill Parducci (Co-chair, minutes)
Anthony Nadalin
Argyn Kuketayev
Abbie Barbir
Rich Levinson
Prateek Mishra
Erik Rissanen
Anne Anderson
Seth Proctor
David Staggs
Quorum was achieved (76% per Kavi)
VOTE: Unanimous APPROVAL of minutes from 18 January 2007
II Administrivia
F2F locations
BEA offers to host in Burlington
Tony is still checking availability in Austin
Inter-op
Oracle and Securent have voiced interest in participating in the
Interop in June along with IBM. Hal believes BEA will also
participate. Hal will send out an email to interested parties to
begin the logistics process. The process requires an Interop
Coordinator. A request for a volunteer has been made.
General
Rich noticed an anomaly between the XACML 1.1 and XACML 2.0
specifications. There is a resource:xpath AttributeId
referenced in the Section 4.2.4 Rules examples in XACML 2.0,
but this AttributeId is defined only in XACML 1.0. It is
generally agreed that this is errata and should be added back
into XACML 2.0. The definition from XACML 1.0 is: "This
identifier indicates that the resource is specified by an
XPath expression.
urn:oasis:names:tc:xacml:1.0:resource:xpath"
Rich also asked about the state of the Obligations work referenced
earlier in the v3.0 process. Bill explained that he and Erik have
been working to come up with a common understanding and intend to
post the results of this discussion to the wiki.
Anne offered to post an overview of how Obligations are
currently handled in the XACML Profile for Web Services.
III Issues
# 55 WS-XACML: Address policy references in a Requirements
element containing a PolicySet
ACTION ITEM: Anne to explain the problem and present a draft
solution to the list based on Option 3: Add an element for
including referenced policies and require that all referenced
policies must be included in this element. Seth pointed out
that policies included need to be tagged with the identifier
by which they are referenced.
# 56 WS-XACML: Add optional "Preference" XML attribute to
Apply element
Where more than one Attribute value can satisfy an Apply
element, Anne proposed that an optional XML attribute be added
to the Apply element to indicate whether "greater" values
(larger integer, later time, end of ordered set) or "lesser"
values (earlier time, beginning of ordered set) are
preferred.
APPROVED
# 57 WS-XACML: Restrictions on XPath expression to support matching
Attribute references
Anne proposed a restricted form of XPath expression that uses
absolute paths and contains no query operators, so that
AttributeSelectors can be intersected correctly. Anne has
researched the problem and is looking for additional insight
into how restrictive this approach is. Hal pointed out that we
are not the only ones with this problem.
ACTION: TC members are encouraged to investigate. Anne will
contact the authors of a paper on the intersection of XPath
expressions to see if they have insights.
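To make the restriction concrete, the following is an added illustration (not text from the minutes, and not Anne's draft): it assumes the restricted form is an absolute location path built only from child steps plus an optional final attribute step, each step being a (possibly prefixed) name or the wildcard "*", with no predicates, no "//", no explicit axes, variables, functions or operators. Under that assumption two selectors can address a common node only when they have the same depth and every step pair overlaps, so their intersection is either a single restricted path or empty. The step names in the sample calls are constructed in the style of the XACML medical-record examples.

```python
"""Intersection of restricted XPath selectors (added illustration).

Assumed restricted form: absolute path of child steps, optionally ending
in an attribute step; each step is '*' or a (prefixed) XML name; no
predicates, '//', axes, variables, functions or operators.
"""
import re
from typing import List, Optional

# One step: optional '@', then '*' or a (prefixed) XML name.
STEP_RE = re.compile(r'^@?(?:\*|[A-Za-z_][\w.-]*(?::[A-Za-z_][\w.-]*)?)$')
# Tokens that only occur in predicates, axes, variables or operators.
FORBIDDEN_RE = re.compile(r'[\[\]()=<>!|+$]|::|\.\.')


def parse_restricted(path: str) -> List[str]:
    """Split `path` into steps; raise ValueError for anything outside the restricted form."""
    if not path.startswith('/'):
        raise ValueError(f'not an absolute path: {path!r}')
    if FORBIDDEN_RE.search(path):
        raise ValueError(f'predicate, axis or operator not allowed: {path!r}')
    steps = path[1:].split('/')
    if any(step == '' for step in steps):
        raise ValueError(f"'//' or empty step not allowed: {path!r}")
    for i, step in enumerate(steps):
        if not STEP_RE.match(step):
            raise ValueError(f'bad step {step!r} in {path!r}')
        if step.startswith('@') and i != len(steps) - 1:
            raise ValueError(f'attribute step must be last: {path!r}')
    return steps


def is_restricted(path: str) -> bool:
    """True if `path` parses under the restricted form."""
    try:
        parse_restricted(path)
    except ValueError:
        return False
    return True


def intersect_step(a: str, b: str) -> Optional[str]:
    """Step selecting exactly the nodes both `a` and `b` select, or None if disjoint."""
    a_attr, b_attr = a.startswith('@'), b.startswith('@')
    if a_attr != b_attr:           # element step vs attribute step: never overlap
        return None
    prefix = '@' if a_attr else ''
    a_name, b_name = a[len(prefix):], b[len(prefix):]
    if a_name == '*':
        return prefix + b_name
    if b_name == '*' or a_name == b_name:
        return prefix + a_name
    return None


def intersect(path_a: str, path_b: str) -> Optional[str]:
    """Intersect two restricted XPaths; None means no node can satisfy both."""
    steps_a, steps_b = parse_restricted(path_a), parse_restricted(path_b)
    if len(steps_a) != len(steps_b):   # child-only steps: different depth, different nodes
        return None
    out = []
    for step_a, step_b in zip(steps_a, steps_b):
        common = intersect_step(step_a, step_b)
        if common is None:
            return None
        out.append(common)
    return '/' + '/'.join(out)


if __name__ == '__main__':
    # Constructed selectors in the style of the XACML medical-record examples.
    print(intersect('/md:record/*/md:patientDoB', '/md:record/md:patient/*'))
    print(intersect('/md:record/md:patient/@id', '/md:record/md:patient/@*'))
    print(intersect('/md:record/md:patient', '/md:record/md:physician'))
    try:
        intersect('/md:record/md:patient[1]', '/md:record/md:patient')
    except ValueError as err:
        print('rejected:', err)
```

The rejection branch is the point of the restriction: once a predicate such as "[1]" or a descendant step "//" is allowed, two selectors can overlap in ways that depend on the instance document, and a policy matcher can no longer decide the intersection from the expressions alone.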
# 59 WS-XACML: Allow restricted regular expression functions
in XACMLAssertion
The group felt that supporting regular expressions is useful, so
the use of intersectable regular expressions should be
supported.
ACTION: Anne and Bill to dig up the specification of basic
(intersectable) regular expressions, and Anne to draft a specific
proposal for the list.
# 60 WS-XACML: Remove "XACML Authorization Token" and
"Conveying XACML Attributes in a SOAP Message"?
Anne proposed moving these two sections of the WS-XACML
profile to the SAML Profile, leaving only the XACMLAssertion
sections.
APPROVED: move these two sections to the SAML Profile.
# 52-53 Indirect delegates issues
Erik proposed dropping indirect delegates from the
specification, pointing out that in a strict sense an
administrative policy can't prevent someone else from doing a
restricted action on behalf of an undesired indirect
delegate.
APPROVED: drop indirect delegates from the standard.
# 63 Generalization of multiple resources
STATUS: everyone look at this issue and discuss on list.
# 64 Treatment of administrative Deny
Proposal is that if an admin request evaluates to Deny on a
policy, the policy will be ignored.
STATUS: everyone look at and discuss on the list.
# NEW: Deny-Overrides:
http://lists.oasis-open.org/archives/xacml/200701/msg00020.html
STATUS: Erik to submit statement of a proposed new combining
algorithm. Discuss on list.
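For reference while the proposal is discussed, the following is an added illustration (not Erik's proposal, whose content is not in these minutes) of the existing XACML 2.0 deny-overrides algorithms from Appendix C.1 of the core specification, written out as runnable Python. The data model is a simplification chosen here: a rule is an (effect, decision) pair, where effect is the rule's declared Effect and decision is what evaluating its Target and Condition produced, with Indeterminate standing for an evaluation error; a policy set is just a list of child decisions.

```python
"""XACML 2.0 deny-overrides, rule- and policy-combining forms (added illustration).

Model assumed here: a rule is (effect, decision); a policy set is a list of
child policy decisions. Indeterminate models an evaluation error.
"""
from typing import Iterable, Tuple

DENY = 'Deny'
PERMIT = 'Permit'
NOT_APPLICABLE = 'NotApplicable'
INDETERMINATE = 'Indeterminate'


def deny_overrides_rules(rules: Iterable[Tuple[str, str]]) -> str:
    """Rule-combining deny-overrides: an error in a Deny rule counts as a Deny."""
    at_least_one_error = False
    potential_deny = False
    at_least_one_permit = False
    for effect, decision in rules:
        if decision == DENY:
            return DENY                 # one Deny settles it
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
            if effect == DENY:
                potential_deny = True   # the rule might have denied had it not failed
        # NotApplicable contributes nothing
    if potential_deny:
        return DENY
    if at_least_one_permit:
        return PERMIT
    if at_least_one_error:
        return INDETERMINATE
    return NOT_APPLICABLE


def deny_overrides_policies(decisions: Iterable[str]) -> str:
    """Policy-combining deny-overrides: any Indeterminate child policy yields Deny."""
    at_least_one_permit = False
    for decision in decisions:
        if decision in (DENY, INDETERMINATE):
            return DENY
        if decision == PERMIT:
            at_least_one_permit = True
    return PERMIT if at_least_one_permit else NOT_APPLICABLE


if __name__ == '__main__':
    # Constructed rule sets. A Permit next to a Deny rule whose condition
    # failed to evaluate: the failed Deny rule overrides the Permit.
    print(deny_overrides_rules([(PERMIT, PERMIT), (DENY, INDETERMINATE)]))
    # A failed Permit rule and nothing else applicable: no decision is justified.
    print(deny_overrides_rules([(PERMIT, INDETERMINATE), (DENY, NOT_APPLICABLE)]))
    # At the policy level any error is simply a Deny.
    print(deny_overrides_policies([NOT_APPLICABLE, PERMIT, INDETERMINATE]))
```

The asymmetry is what a new variant has to take a position on: at the rule level a failed Permit rule beside a real Permit still yields Permit, while a failed Deny rule turns every Permit into Deny, and at the policy level any error is treated as Deny outright.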
Meeting adjourned.