OASIS eXtensible Access Control Markup Language (XACML) TC

Minutes for 26 May TC Meeting

    Posted 05-26-2011 18:01
    I. Roll Call

    Voting Members
      Hal Lockhart (Chair)
      Bill Parducci (Co-Chair, minutes)
      Paul Tyson
      Doron Grinstein
      Remon Sinnema
      Anthony Nadalin
      Rich Levinson
      Hal Lockhart
      John Tolbert

    Member
      David Chadwick

    Quorum NOT met: (47% per Kavi)

    I. Roll Call & Approve Minutes:

    Minutes
      NO vote on minutes for 19 May 2011 TC Meeting

    II. Administrivia

    Hal noted that he will request at that next call we move back to biweekly calls.

    XACML 3.0 core wd 20 uploaded
      The TC is encouraged to review.

    F2F
      Hal will create a poll to gather the final attendance count for the F2F.

    III. Issues Discussed

    PDP REST Interface (PAP)
      Hal noted that the current thinking on the list attribute information would be in JSON and transported using a POST over HTTP with the response. He offered that he personally would like to see this done in such a way that doesn't cap the functionality.

      David Chadwick concurs with this and noted that his current prototype doesn't cover Multiple Resources, but that this isn't part of the Core spec.

      Paul pointed out that the W3C is working to develop standardized mechanisms for expressing RDF graphs and that XACML fits within the scope of this work. Therefore the TC should consider building upon that work. Alternatively, he offered that a "bridge" between XACML and the W3C work may be developed.

      Hal countered that direct association with the concept of "Semantic Web" work may defeat the underlying driver for this project (enhanced approachability of XACML).

      Paul noted that he is not against any efforts to make XACML more approachable in HTTP based environments.

    XACML Implementers Guide
      Rich reviewed his position on the ramifications of how the current direction on extended Indeterminate response and what it may mean to new adopters. This led to the revival of the Adopters Guide. Rich asked that the TC consider adding/updating content to the guide as for changes to the spec/Profiles that have been added since the guide

    IV. New Issue

    Permit Deny Bias PDPs & Extended Indeterminate
      Rich introduced an issue that was derived from comments by Indeterminate (D P) results need to be percolated up to the response when generated by PDP bias.

      Paul asked for clarification where Ind(D P) would be applicable in a real world example. He noted that an Ind(D) could not be converted into a Permit.

      Rich offered that additional Attributes could result in a N/A.

      Paul replied that this still doesn't result in a practical Use Case.

      Rich suggested that the TC dig into Chapter 2 of the Implementor's Guide to begin the clarification process.

    Obligations/Advice combining ambiguities.
      Rich asked for input on the current understanding on how Obligations/Advices are combined in a deterministic manner.

      Hal reviewed the historical context of the desire for unordered evaluation.

      Rich will post a proposed solution to the list that is based upon the concept of a "default" behavior, that is followed by a list of an enumerated list of Obligations/Advices that are attempted.

    V. Carryover Issues

    Indeterminate Policy Target handling
      http://lists.oasis-open.org/archives/xacml/201105/msg00090.html

    PDP REST Interface - proposal
      http://lists.oasis-open.org/archives/xacml/201105/msg00056.html
      http://lists.oasis-open.org/archives/xacml/201105/msg00086.html ("Towards the creation of XACML PEPs")

    Attribute predicate profile for SAML and XACML
      http://lists.oasis-open.org/archives/xacml/201105/msg00088.html

    XACML Metadata
      http://lists.oasis-open.org/archives/xacml/201105/msg00004.html

    Attribute predicate Profile for SAML and XACML
      http://lists.oasis-open.org/archives/xacml/201104/msg00080.html

    Break The Glass Profile
      http://lists.oasis-open.org/archives/xacml/201104/msg00082.html

    Profile Examples (Hierarchy)
      http://lists.oasis-open.org/archives/xacml/200910/msg00024.html

    PIP directive (additional information directives)
      http://lists.oasis-open.org/archives/xacml/201010/msg00005.html

    Usage of status:missing-attribute in case of an AttributeSelector
      http://lists.oasis-open.org/archives/xacml/201104/msg00003.html

    "Web Friendly" Policy Ids
      http://lists.oasis-open.org/archives/xacml/201103/msg00046.html

    Specifying a specific associated Resource in a Policy (Sticky Policies)
      http://lists.oasis-open.org/archives/xacml/201103/msg00012.html

    Meeting adjourned.

    Next meeting June 2, 2010.