Subject: Minutes of 27 April 2006 XACML TC Meeting
Minutes of XACML TC Meeting
27 April 2006
Attendees:
Daniel Engovatov
Hal Lockhart (chair)
Michiharu Kudo
Ron Williams
Argyn Kuketayev
Abbie Barbir
Kamalendu Biswas
Erik Rissanen
Anne Anderson (minutes)
Time: 10:00 AM EDT
Tel: 512-225-3050 Access Code: 65998
1. Roll Call and Agenda Review
Quorum was achieved.
2. Vote on approval of updated minutes from April 13
http://lists.oasis-open.org/archives/xacml/200604/msg00018.html
APPROVED UNANIMOUSLY.
3. SAML Profile update status
http://lists.oasis-open.org/archives/xacml/200604/msg00002.html
Received comments from Scott Cantor. Waiting for comments
from Eve Maler.
4. Select date for reviewing Daniel's categories proposal
http://lists.oasis-open.org/archives/xacml/200603/msg00002.html
Will review at 11 May 2006 meeting.
5. Hosting a policy repository
http://lists.oasis-open.org/archives/xacml/200604/msg00014.html
Comment that many companies will not want to contribute their
policies; Hal commented a simple global replace would
probably "clean up" any sensitive issues. Create new
category on TC Home Page for "sample policies".
APPROVED UNANIMOUSLY.
ACTION: Anne to propose format for simple storage
maintenance.
6. Draft XACML 2.0 Errata Document
http://lists.oasis-open.org/archives/xacml/200604/msg00006.html
Current version is a Working Draft. At 11 May 2006 meeting,
review and possibly approve as CD, which requires majority of
voting members.
7. OASIS Symposium
2 weeks from today is the OASIS Symposium; Hal will be there,
but will call in for the meeting. Hal will do the "Lightning
round", reporting brief status for XACML.
8. Permit-override Policy Combining Algorithm
Anne posted question about the "Permit-override" Policy
Combining Algorithm, which returns "Deny" in the case where
all policies return either Deny or Indeterminate. Anne
suggested that it should return "Indeterminate", because one
of the Indeterminate policies might have returned Permit had
the error not occurred.
To be discussed further. [Note: we probably don't want to
change the existing algorithm, since it has been implemented
and used with the specified semantics associated with the
existing algorithm identifier. Issue is whether we want to
define a new Policy Combining Algorithm identifier with the
different semantics. -Anne]
9. Issue Review
http://wiki.oasis-open.org/xacml/IssuesList
#26: Reduction of Deny
STATUS: change to "PENDING REVIEW"
#27: Issuer of the PDP policy set
Should the PDP's "trusted issuer" (i.e. issuer of the
PDP's top-level PolicySet) be included in the Response
Context, especially for case of PDP references. The
"Issuer" field of the PDP's top-level PolicySet is never
used in the described reduction algorithms. "Trusted
issuer" is in some ways a logical alias for the master
policy creator.
STATUS: OPEN. Further discussion on use cases.
#31: Passing arbitrary sets of Attributes in the request
(for use with subsequent potential delegates). Erik
thinks it would just make the request and its evaluation
more complex; would need a way to refer to these
"potential attributes". Are the Attributes "invisible"
until the associated delegate appears in the reduction?
Erik proposes passing such Attributes would be outside
the core specification. Implementation-specific Context
Handler is responsible for making these available when
appropriate. Erik thinks these should be added to the
SAML Profile. Alternative would be putting them in the
XACML Request. Profile would provide way to pass
Attributes in XACML Attribute format, so they don't have
to be converted back to SAML Attributes. Profile will
also need an ID element structure so Context Handler can
tell which identity various Attributes are associated
with.
STATUS: Agreement in principle.
ACTION: Erik will produce text for the proposal.
#32: Exception handling
STATUS: DEFERRED. Until reduction process firmed up.
#33: How to match any delegate
STATUS: DEFERRED. Until Daniel's categories proposal has
been approved.
#34: Circular import
STATUS: DEFERRED. Until Daniel's categories proposal has
been approved.
#35: Attribute timing
Current draft says a PDP can be
configured to evaluate at time of issuance or at time of
evaluation.
STATUS: PENDING REVIEW.
#36: PDP advertisement of its metapolicy
Top-level combining algorithm; choice for attribute
timing.
STATUS: OPEN
10. General Business
Next meeting will be 11 May 2006. Put discussion of a date
for the next F2F on the agenda.
11. Adjourned at 11:03am EDT.
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
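
Added example, not part of the original message or of the XACML specification text: a Python model of the two semantics discussed in item 8, with an enumeration of the inputs on which they disagree. The function names are hypothetical, and the handling of NotApplicable and of the case with no Deny is an assumption, since the minutes do not state it.

```python
from enum import Enum
from itertools import product


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    INDETERMINATE = "Indeterminate"
    NOT_APPLICABLE = "NotApplicable"


def permit_overrides(decisions):
    """Semantics described in item 8: with no Permit, a Deny outranks Indeterminate."""
    seen = set(decisions)
    if Decision.PERMIT in seen:
        return Decision.PERMIT
    if Decision.DENY in seen:
        return Decision.DENY
    # Assumption: with no Permit and no Deny, an error is still surfaced.
    if Decision.INDETERMINATE in seen:
        return Decision.INDETERMINATE
    return Decision.NOT_APPLICABLE


def permit_overrides_indeterminate_aware(decisions):
    """Hypothetical variant following the suggestion in item 8: an
    Indeterminate policy might have returned Permit, so it outranks Deny."""
    seen = set(decisions)
    if Decision.PERMIT in seen:
        return Decision.PERMIT
    if Decision.INDETERMINATE in seen:
        return Decision.INDETERMINATE
    if Decision.DENY in seen:
        return Decision.DENY
    return Decision.NOT_APPLICABLE


def divergences(max_children=3):
    """Return (child decisions, current result, variant result) for every
    ordered combination of child policy results where the two disagree."""
    found = []
    for n in range(1, max_children + 1):
        for combo in product(Decision, repeat=n):
            current = permit_overrides(combo)
            variant = permit_overrides_indeterminate_aware(combo)
            if current != variant:
                found.append((combo, current, variant))
    return found
```

The two algorithms differ only when no child policy returns Permit and the children include both a Deny and an Indeterminate, which is the case raised in item 8.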