Title: XACML Conference Call Minutes

XACML Conference Call

Date: Thursday, August 29, 2002
Time: 10:00 AM EDT
Tel: 512-225-3050
Access Code: 65998

Summary

Reviewed action items and all requested items were complete. Made progress on the XACML primer by setting a date to put together an outline of topics and asked for committee input. Discussed the issues list for technical changes. See voting section for results. Also, there will be no subcommittee meeting on Monday because of the holiday. Scheduling was also discussed and the 9/1 approval date of spec has been moved back to either 9/12 or 10/1 depending on how fast we can make progress on issues around function specifications.

Action Items

[All] Propose posting proposed solutions to list and table until next TC call. (Ongoing)
[Tim] incorporate SAML split (delete) and editorial changes into a version 17 of the spec by Tuesday 8/27 (Partially complete)
[TC] Vote on new wording of charter proposed by Hal
[Michiharu] convert XSLT to minimal for used for conformance cases (Lower Priority - by 9/5)
[Hal/Konstantin] XACML outline of contents to be proposed by 9/5
[Polar, Anne, others] Post use cases for arguments regarding issue 0007, Make request context Resource Attribute (and Subject) minOccurs=1
[Anne (RFC and X.500) and Michiharu (XPath)] post pointers to function specifications of these to the list based off 0.8 document posted by Polar on 8/27
[Anne, mid-Sept 2002] Get comments to Tim on profile for using LDAP to store policies.
[Anne, mid-Sept 2002] Update XML Digital Signature profile.
[Anne, mid-Sept 2002] Send proposal for SAML changes based on our Context to XACML TC list. After TC review and modification, we will send it on to SAML. Deadline for this is SAML's deadline for finalizing their list for 2.0.
[Tim] Separate SAML document to be created in Sept (Lower Priority)
[Hal/Konstantin] XACML primer needs to be completed in Sept (Lower Priority)

Votes

Voted to accept minutes of 8/22 meeting

The following issues were voted on and approved:
0002. [Anne] Add mandatory action-id attribute
0003. [Anne] Add optional action-namespace attribute
0004. [Anne] Add optional action:implied-action identifier
0005. [Anne] Change <Result> ResourceURI xml attribute to ResourceId
0006. [Anne] Add missing-attribute identifier for StatusCode
0010. [Anne] allow more than two arguments to "add"
0011. [Carlisle] state *Match is matched against AttributeValue
0012. [Carlisle] <AttributeSelector> in <SubjectMatch> should be [optional]

The following issues were voted on and NOT approved:
0009. [Daniel] Function naming convention

Proposed Agenda:

10:00-10:05 Roll Call and Agenda Review
10:05-10:10 Vote to accept minutes of August 22 concall
  http://lists.oasis-open.org/archives/xacml/200208/msg00120.html
10:10-10:15 Review of Action Items (see 8/22 minutes)
10:15-10:55 Discussion of v0.16 technical change requests (all)
10:55-11:00 Discussion of schedule for Committee Spec (Carlisle)

Roll Call

Ken Yagen, Crosslogix
Hal Lockhart, Entegrity
Carlisle Adams, Entrust
Konstantin Beznosov, Hitachi
Michiharu Kudoh, IBM
Steve Andersen, OpenNetwork
Simon Godik, Overxeer
Bill Parducci, Overxeer
Polar Humenn, Self
Anne Anderson, Sun Microsystems
Gerald Brose, Xtradyne

Prospective Members

Piras Vilandai Thiyatarajan, Sun Microsystems

Raw Minutes (taken by Ken Yagen)

Piras Vilandai Thiyatarajan asked to become a prospective voting member

Vote to accept minutes of 8/22 call

Michiharu to provide XPATH usage examples by end of day Friday 8/23
  Complete
Propose posting proposed solutions to list and table until next TC call.
  Ongoing
[Anne, mid-Sept 2002] Get comments to Tim on profile for using LDAP to store policies.
[Anne, mid-Sept 2002] Update XML Digital Signature profile.
[Anne, mid-Sept 2002] Send proposal for SAML changes based on our Context to XACML TC list. After TC review and modification, we will send it on to SAML. Deadline for this is SAML's deadline for finalizing their list for 2.0.
Tim will incorporate SAML split (delete) and editorial changes into a version 17 of the spec by Tuesday 8/27
  Completed most of editorial changes and split. Updated 16e published
Anne volunteers to pull out outstanding change requests from current mailing list
  Complete
Hal to propose new wording of the last paragraph of charter before next Thursday.
  Complete
Michiharu to convert XSLT to minimal for used for conformance cases (Lower Priority)
  Set date of next Thursday 9/5
Separate SAML document to be created (Lower Priority)
  Assigned to Tim, but no date set
XACML primer needs to be completed in Sept (Lower Priority)
  Hal and Konstantin. What might it contain?
  Introduction and explanation of architecture with use of XML. Motivation for the feature - the intent.
  Useful to put together an outline of topics or abstract. Hal suggested exchanging list of topics before next meeting.
  Send any thoughts on topics for primer to Hal and Konstantin.
  Looking to end of Sept for first draft but will discuss outline and contents in next week or two.

Discussion of technical changes (10:18)

From Anne's email: Initial set of Change Requests from 8/22/02. See email for rationale

0002. [Anne] Add mandatory action-id attribute
  Hal - believe this was voted on previously
  Anne - Defined a namespace for actions. Need an attribute for action name since everything is now attribute.
  Vote to approve passed

0003. [Anne] Add optional action-namespace attribute
  Vote to approve passed

0004. [Anne] Add optional action:implied-action identifier
  Where resource name implies the action. Would be value of action id attribute
  Vote to approve passed

0005. [Anne] Change <Result> ResourceURI xml attribute to ResourceId
  XML attribute in results called ResourceURI and in request called ResourceId so change both to ResourceID
  Vote to approve passed

0006. [Anne] Add missing-attribute identifier for StatusCode
  Optional for PDP. Is already included in latest draft
  Vote to approve passed

0007. [Anne] Make request context Resource Attribute minOccurs=1
  Have to have at least ResourceId
  If request does not specify ResourceId as attribute, is it a valid request?
  It would be an invalid request by text interpretation of schema.
  Does it apply to every element? Does not apply to subject and action? Maybe that should be minOccurs=1 as well.
  Every request must identify the resource it is trying to gain access to.
  What if resource is account but don't know which account it is?
  Must write policy without subject id if cannot count on it being in every PDP.
  What if based on attribute of subject (I am a member of manager group)?
  Can't write portable policy if don't know what subject information will be supplied.
  Maybe ResourceId doesn't have to be there but there has to be some attribute of resource?
  If you mandate there will be a SubjectId and ResourceId, can write a portable policy that guarantees that information will be there.
  If will mandate something about resource, then you must specify identifiable attribute of subject.
  By definition, access request must say what want to access but not anything else such as subject information.
  What if request access to all classified documents? Then PEP is going to be evaluating a policy.
  Anne - propose postpone issue and people make a case on mailing list with use cases for either minOccurs=0 or 1 and Subject or Resource. Also, should every request come with ResourceId?
  Postponed, no vote

0008. [Anne] list mandatory vs. non-mandatory functions
  Oversight in the spec. Names are not correct. Were going to go for type and action function. Where do you specify them and their calculations.
  Postponed, no vote

0009. [Daniel] Function naming convention
  Daniel proposed underscore, text currently uses hyphen.
  Michiharu suggested hyphens are supported in XPath. Java/C++ do not support hyphens.
  Motion to continue to use dashes. When underscores displayed underlined, like in hyperlink, cannot distinguish from space.
  Vote not to approve and remain with hyphens

0010. [Anne] allow more than two arguments to "add"
  Already changed in function document. All other functions remain with two.
  Vote to approve passed

0011. [Carlisle] state *Match is matched against AttributeValue
  Spell out semantics to clarify
  Vote to approve passed

0012. [Carlisle] <AttributeSelector> in <SubjectMatch> should be [optional]
  Listed as required
  Vote to approve passed

0013. [Carlisle] <SubjectMatch> in <SubjectAttributeDesignatorWhere> min/max element has minOccurs=0.
  Now allow both, but previously not.
  No vote taken

Nominal voting planned for 9/5 TC Call.
Some members will be at another committee meeting and still issues to resolve on functions. Still some consistency issues as well (Polar).
Should we set 9/12 as a goal to approve the spec?
At JC committee, Karl Best will propose in mid September Oasis board meeting to change rules. Submissions can be any month, not quarterly and approval period will be 2 months. If approved, then we may be able to submit in October or November if ready.
Anne suggests beginning of October as more realistic.
There are unresolved issues about function semantics and finding specifications for functions or defining them ourselves. (string, date, uri equals, string match, rfc822name match, string >=, etc)
Anne (RFC and X.500) and Michiharu (XPath) will post pointers to some of these to the list.
0.8 Document posted to list on 8/27 (Functions/Semantics) has [Needs Specification] specified where needed. Review that and add pointers.

Monday is a holiday. No subcommittee call will be held.