11AM after break:

Greg: attribute predicates: birthdate < 1995 rather than the exact date; 90000 < zip < 99999. What is there to do for XACML? Allow XACML to use such assertions; borrowed the schema of the Apply element to leverage all that. Proposed first WD to SAML; difference between profile and protocol; advancing similar to normal attribute assertions. Diagram in the SAML profile of XACML: Fig 1, line 280 of XACML/SAML; the diagram is described in the text preceding the diagram in section 1.1.
Greg: if the PEP knows the predicate, the PDP would submit and the PDP would provide the answer. 1st mechanism suggested; one objection is policy in the PEP. The trusted entity is the authority that knows the birthdate but does not reveal it directly; predicates dedicated to specific attributes.
Greg: is looking to have attribute predicates follow the same paths as attributes in Fig 1 of SAML/XACML.
Jan: the PIP will fetch attributes; predicates are more generic than a basic predicate id.
Rich: using the predicate as represented by an AttributeId, then can look for the result from the designated authority via the attribute finder; this is a subset of the broader problem being discussed.
Greg: define a new data type, like an attribute data type, that would have XML content describing it. Paul's suggestion a few months ago: condition in policy vs. certified predicates in the request, i.e. comparing age < 16 in the policy vs. age < 18 in the request. More complex: (weight/height)**2 < 25 (BMI) vs. height < 2.00 meters AND height/weight < 0.02.
Erik: can't take this infinitely far; what is the subset of workable predicates that it can be used for, i.e. which is more practical, usable? Have an attribute predicate repository; all that's left is policy. Instead of asking for a missing attribute, ask for a missing attribute predicate.
Hal: do you look for an attribute or for a predicate? How do you know which?
Jan: you are sending a subrequest to the authority, e.g. is the person in the country, and is the person born before 1980?
Greg: the entire predicate is still in the policy; in the policy have date < birthday, and then go get the birthday.
Jan: that makes sense for a predicate calling for data used to evaluate the predicate in the PDP.
Hal: similar to AMF files; still the issue of how much of the policy you take.
Greg: these are essentially what he is looking at; how does the PDP decide which attribute to query?
Jan: define a request that would give the resource, then add to the decision in an obligation.
Hal: also extend missing attributes.
Jan: subject id wants to do something on a file server; get back year of birth for Bob, etc.
Jan: the PEP discharges the obligation, then inserts the request.
Erik: can't return an obligation on Indeterminate; would return Permit; do policies as obligations; why not just return the attribute result of the predicate?
David Chadwick arrived just before noon.
Greg: the XACML PDP depends on the attribute authority for predicates; how to control it? Instead of raw data, the attribute authority can suggest alternatives.
Greg: the attribute authority can ask the user for consent.
David Chadwick: don't know who the requestor is, so they can come in as multiple requests to iterate toward the info.
David Choy: a query can touch a lot of records; becomes a performance problem. The query is a bigger issue than access: know the subject, but don't know the resources. 3rd problem is leakage.
Hal: any process would have MIM exposure.
David Choy: need query capability; the system may allow me to look up my own salary.
Hal: might prune results before.
Jan: select * from ...: don't know if the user is asking for restricted data or not; can filter out instances that are not OK. Don't have subject, action, resource; have a subject request message. Most rights can be enforced on the request; can rewrite the request to what is allowed, subjecting the response to some filtering.
Hal: is this a non-atomic operation?
Jan: if you rewrite the request, it can be used as feedback to the user to refine the original query to be more useful given the constraints.
Greg: go to the lowest-level Apply; multiple attributes for the same issuers.
Jan: this is more about controlling the PIP; uses the predicate as a key to tell the PIP what info you are looking for; relation to predicate.
Hal: thought we dropped this approach.
David Chadwick: a protocol that drives; the PEP.
Hal: the PEP initially has some predicates; if attributes are missing, then the PDP can make requests. 2nd solution: policy says x, predicate says y; how do I determine if the policy and predicate are related?
David Chadwick: the PEP is "not there" (in the diagram on screen).

Break for lunch; discuss possible dinner strategy.