The Focus Group this morning identified potential XACML 2.0 work
items. I took the liberty of adding a few more that I remembered
while writing up these minutes.
We can change the status of various items (i.e. DROP or
POSTPONE), and can add new ones, but we will not re-use any item
numbers. If an item splits or becomes something different, we
will create new items rather than change existing item numbers.
1. Grid Requirements
Any XACML changes needed to satisfy Grid requirements
STATUS: Abstract Work Item. As specific changes are
identified, they will become individual work items with
their own numbers, listed here.
Current specific work items: #2, 3, 4.
2. Location Information
Way to pass location information needed to evaluate a policy.
Examples of such information are:
o where to find various Attributes,
o where Attribute Authorities to be used are located
o where to find function, combining algorithm, data-type,
Attribute parsing code
Such information might be embedded in either of
a. an XACML Request
b. an XACML policy
STATUS: potential work item.
3. Multiple Actions per Request
Support Requests containing multiple Actions. Response could
either say "All permitted/denied" or could include a separate
decision for each.
STATUS: potential work item.
4. Multiple Resources per Request
Support Requests containing multiple Resources. Response
could either say "All permitted/denied" or could include a
separate decision for each.
STATUS: potential work item.
5. Privacy Requirements
Any XACML changes needed to satisfy Privacy requirements.
STATUS: Abstract Work Item. As specific changes are
identified, they will become individual work items with
their own numbers, listed here.
6. Domain-specific identifiers
Define a set of domain-specific identifiers based on
application usage of XACML.
STATUS: Postponed from 1.1.
7. ConditionReference
Allow a Rule to contain a ConditionReference element as an
alternative to a Condition element. The ConditionReference
would identify a Condition element specified elsewhere. An
optional ConditionId attribute would be added to the Condition
element to support this.
STATUS: Postponed from 1.1.
PROPOSAL:
http://lists.oasis-open.org/archives/xacml/200304/msg00039.html
8. RuleReference
STATUS: Postponed from 1.1.
PROPOSAL:
http://lists.oasis-open.org/archives/xacml/200305/msg00004.html
9. Hierarchical entities
How to express policies and requests that apply to a hierarchy
of subjects, resources, or actions.
STATUS: Postponed from 1.1.
PROPOSALS:
http://lists.oasis-open.org/archives/xacml/200304/msg00057.html
http://lists.oasis-open.org/archives/xacml/200305/msg00009.html
10. Parameters for Combining Algorithms
Support an element or attribute in a PolicySet, Policy, or Rule
that provides parameters to be used by a Combining Algorithm
that is combining the PolicySet, Policy, or Rule.
STATUS: Postponed from 1.1.
PROPOSAL:
http://lists.oasis-open.org/archives/xacml/200305/msg00014.html
11. XACML Extension Points
Define schema extension points for XACML. This work item
might solve the requirements driving several other work
items.
STATUS: potential work item.
12. Environment Element in Target
Allow the Target Element to include an Environment element,
just as it now includes Subject, Resource, and Action
elements.
STATUS: Postponed from 1.1.
PROPOSAL:
http://lists.oasis-open.org/archives/xacml/200305/msg00012.html
13. Optional Target Elements
Make Subjects, Resources, Actions elements optional in a
Target. Missing element has same semantics as <Any.../>
Make Target itself optional. Missing element has same
semantics as a Target containing <AnySubject/>,
<AnyResource/>, <AnyAction/>.
STATUS: potential work item.
14. Signature envelope requirements
Any new XACML work items to meet requirements for signature
envelopes around an XACML schema instance, such as including
an XACML Policy or Request in a signed SAML Assertion.
STATUS: Abstract Work Item. As specific changes are
identified, they will become individual work items with
their own numbers, listed here.
15. Encrypted XACML schema instance requirements
Any new XACML work items to meet requirements for encrypted
XACML Policy or Context schema instances.
STATUS: Abstract Work Item. As specific changes are
identified, they will become individual work items with
their own numbers, listed here.
16. XACML Policy in SAML Response Conditions
Profile uses of XACML Policy instances as a syntax for
specifying Conditions in a SAML Response.
17. XACML Policy in SAML Request Conditions
Profile use of SAML Conditions element as a way for a PEP to
pass an XACML Policy to be used by the PDP in evaluating the
Request.
STATUS: potential work item.
18. Obligations in Rules
Allow Rule to contain Obligations.
STATUS: postponed from 1.1
PROPOSAL:
http://lists.oasis-open.org/archives/xacml/200305/msg00011.html
19. Rule as lowest administrative unit
Allow a Rule to be the lowest administrative unit for XACML.
Probably required to support RuleReference.
STATUS: potential work item.
20. Non-normative XACML interpretation guide
Rationale, examples, possible implementation models; general
information that would help XACML users know the intent of the
XACML TC for the use of XACML elements.
STATUS: potential work item. Probably parallel to XACML 2.0.
21. Non-normative XACML Primer
Primer for XACML usage.
STATUS: potential work item. Probably parallel to XACML 2.0.
Anne
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
***************************************
SunNetwork 2003 Conference and Pavilion
"An unparalleled event in network computing! Make the net work for you!"
WHEN: September 16-18, 2003
WHERE: Moscone Center, San Francisco
For more information or to register for the conference, please visit:
http://www.sun.com/sunnetwork