OASIS eXtensible Access Control Markup Language (XACML) TC

Minutes of 27 April 2006 XACML TC Meeting


    Posted 04-27-2006 15:11


    Subject: Minutes of 27 April 2006 XACML TC Meeting


    Minutes of XACML TC Meeting
    27 April 2006
    
    Attendees:
       Daniel Engovatov
       Hal Lockhart (chair)
       Michiharu Kudo
       Ron Williams
       Argyn Kuketayev
       Abbie Barbir
       Kamalendu Biswas
       Erik Rissanen
       Anne Anderson (minutes)
    
    Time: 10:00 AM EDT
    Tel: 512-225-3050 Access Code: 65998
    
    1. Roll Call and Agenda Review
    
        Quorum was achieved.
    
    2. Vote on approval of updated minutes from April 13
         http://lists.oasis-open.org/archives/xacml/200604/msg00018.html
    
         APPROVED UNANIMOUSLY.
    
    3. SAML Profile update status
         http://lists.oasis-open.org/archives/xacml/200604/msg00002.html
    
         Received comments from Scott Cantor.  Waiting for comments
         from Eve Maler.
    
    4. Select date for reviewing Daniel's categories proposal
         http://lists.oasis-open.org/archives/xacml/200603/msg00002.html
    
         Will review at 11 May 2006 meeting.
    
    5. Hosting a policy repository
         http://lists.oasis-open.org/archives/xacml/200604/msg00014.html
    
         Comment that many companies will not want to contribute their
         policies; Hal commented a simple global replace would
         probably "clean up" any sensitive issues.  Create new
         category on TC Home Page for "sample policies".
    
         APPROVED UNANIMOUSLY.
    
         ACTION: Anne to propose format for simple storage
         maintenance.
    
    6. Draft XACML 2.0 Errata Document
         http://lists.oasis-open.org/archives/xacml/200604/msg00006.html
    
         Current version is a Working Draft.  At 11 May 2006 meeting,
         review and possibly approve as CD, which requires majority of
         voting members.
    
    7. OASIS Symposium
         2 weeks from today is the OASIS Symposium; Hal will be there,
         but will call in for the meeting.  Hal will do the "Lightning
         round", reporting brief status for XACML.
    
    8. Permit-override Policy Combining Algorithm
    
         Anne posted question about the "Permit-override" Policy
         Combining Algorithm, which returns "Deny" in the case where
         all policies return either Deny or Indeterminate.  Anne
         suggested that it should return "Indeterminate", because one
         of the Indeterminate policies might have returned Permit had
         the error not occurred.
    
         To be discussed further. [Note: we probably don't want to
         change the existing algorithm, since it has been implemented
         and used with the specified semantics associated with the
         existing algorithm identifier.  Issue is whether we want to
         define a new Policy Combining Algorithm identifier with the
         different semantics. -Anne]
    
    9. Issue Review
         http://wiki.oasis-open.org/xacml/IssuesList
    
         #26: Reduction of Deny
    
              STATUS: change to "PENDING REVIEW"
    
         #27: Issuer of the PDP policy set
          Should the PDP's "trusted issuer" (i.e. issuer of the
          PDP's top-level PolicySet) be included in the Response
          Context, especially for the case of PDP references?  The
          "Issuer" field of the PDP's top-level PolicySet is never
          used in the described reduction algorithms.  "Trusted
          issuer" is in some ways a logical alias for the master
          policy creator.
    
              STATUS: OPEN.  Further discussion on use cases.
    
         #31: Passing arbitrary sets of Attributes in the request
              (for use with subsequent potential delegates).  Erik
              thinks it would just make the request and its evaluation
              more complex; would need a way to refer to these
              "potential attributes".  Are the Attributes "invisible"
              until the associated delegate appears in the reduction?
              Erik proposes passing such Attributes would be outside
              the core specification.  Implementation-specific Context
              Handler is responsible for making these available when
              appropriate.  Erik thinks these should be added to the
              SAML Profile.  Alternative would be putting them in the
              XACML Request.  Profile would provide way to pass
              Attributes in XACML Attribute format, so they don't have
              to be converted back to SAML Attributes.  Profile will
              also need an ID element structure so Context Handler can
              tell which identity various Attributes are associated
              with.
    
              STATUS: Agreement in principle.
    
              ACTION: Erik will produce text for the proposal.
    
         #32: Exception handling
    
              STATUS: DEFERRED.  Until reduction process firmed up.
    
         #33: How to match any delegate
    
              STATUS: DEFERRED.  Until Daniel's categories proposal has
              been approved.
    
         #34: Circular import
    
              STATUS: DEFERRED.  Until Daniel's categories proposal has
              been approved.
    
         #35: Attribute timing
              Current draft says a PDP can be
              configured to evaluate at time of issuance or at time of
              evaluation.
    
              STATUS: PENDING REVIEW.
    
         #36: PDP advertisement of its metapolicy
              Top-level combining algorithm; choice for attribute
              timing.
    
              STATUS: OPEN
    
    10. General Business
    
         Next meeting will be 11 May 2006.  Put discussion of a date
         for the next F2F on the agenda.
    
    11. Adjourned at 11:03am EDT.
    
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive, UBUR02-311    Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    
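The permit-overrides question raised in item 8, as an added example that is not part of the original minutes: the XACML 2.0 policy combining algorithm as described there, next to the variant Anne proposed, run over a constructed set of policies that all return Deny, Indeterminate or NotApplicable. The stubbed policies and the second (placeholder) algorithm identifier are assumptions of this example.

```python
# Added example (not from the minutes): the XACML 2.0 permit-overrides
# policy combining algorithm as item 8 describes it, with a switch for the
# variant Anne proposed. Policies are stubbed as zero-argument callables
# returning a decision string so the combiner can be exercised offline.
from typing import Callable, Iterable

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = (
    "Permit", "Deny", "NotApplicable", "Indeterminate")
Policy = Callable[[], str]


def permit_overrides(policies: Iterable[Policy],
                     indeterminate_wins: bool = False) -> str:
    """Permit always wins. Under XACML 2.0 (default) a Deny beats an
    Indeterminate, so [Deny, Indeterminate] combines to Deny. With
    indeterminate_wins=True (item 8's proposal) the same input combines
    to Indeterminate: the failed policy might have permitted."""
    at_least_one_deny = at_least_one_error = False
    for policy in policies:
        decision = policy()
        if decision == PERMIT:
            return PERMIT            # one Permit overrides everything else
        if decision == DENY:
            at_least_one_deny = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
        # NotApplicable contributes nothing to the result
    if indeterminate_wins and at_least_one_error:
        return INDETERMINATE
    if at_least_one_deny:
        return DENY
    return INDETERMINATE if at_least_one_error else NOT_APPLICABLE


def fixed(decision: str) -> Policy:
    """Constructed stand-in for a policy that always yields `decision`."""
    return lambda: decision


# Anne's note suggests a new identifier rather than changing the existing
# algorithm; a PDP dispatches on the identifier. The first URN is the real
# XACML 1.0/2.0 one, the second is a placeholder, not an OASIS identifier.
COMBINERS = {
    "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides":
        permit_overrides,
    "urn:example:placeholder:permit-overrides-indeterminate":
        lambda ps: permit_overrides(ps, indeterminate_wins=True),
}

# Constructed sample from item 8: every policy denies or fails to evaluate.
ALL_DENY_OR_ERROR = [fixed(DENY), fixed(INDETERMINATE), fixed(NOT_APPLICABLE)]
```

Under the existing identifier the sample combines to Deny; under the placeholder identifier it combines to Indeterminate, which is the whole difference the minutes debate.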