OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Notes from XACML F2F 31 July 2002


    Posted 07-31-2002 23:47
Attached are updated Notes.txt from today's F2F. Date, version, etc. have not been updated, but content contains new information from today.

Anne Anderson
Anne.Anderson@Sun.COM
Internet Security Research Group, Sun Labs
Sun Microsystems, Inc., Burlington, MA

--- Begin Message ---

From: Anne Anderson <aha@ieee.org>
To: Anne.Anderson@sun.com
Date: Wed, 31 Jul 2002 19:42:08 -0400 ()

Title: Notes: XACML Face-to-Face Meeting
Date: 30 July 2002
Author: Anne Anderson
Present: Polar, Hal, Don, Anne, Bill, Carlisle, Simon, Tim, Daniel, Konstantin (2nd day)

AGENDA
======

July 30:
   9:00-12:00  Walkthru of latest version of document and schema to identify items to be discussed.
  12:00-1:00   Lunch
   1:00-5:00   Combine items from morning and items from schema subcommittee list and discuss and resolve each

July 31:
   9:00-9:30   Conference call
   9:30-12:00  Continue discussion of items
  12:00-1:00   Lunch
   1:15-1:45   Presentation of LDAP Profile and discussion
   1:45-3:00   Continue quickly going through issues. One possibility is asking someone to develop proposal during breakout session time.
   3:00-4:30   Breakout work sessions:
                 A. Work on identifiers section, review schema
                 B. Discuss conformance profiles
                 C. Any others
   4:30-5:00   Present results from breakout sessions
   5:00        E-mail minutes to the list

Aug 1:
   9:00-9:30   Conference call
   9:30-10:15  Discuss security and privacy section
  10:15-11:00  Presentation of Conformance Test Cases and discussion
  11:00-12:00  Defining profiles
  12:00-1:00   Lunch
   1:00-5:00   Review issues list for items to close or defer
   5:00        E-mail minutes to the list

MINUTES/NOTES
=============

Goal: after end of 1 Aug 2002, all that is left to do to document is to type in changes already agreed upon.

ACTION ITEMS:
=============

[30 July 2002]
- [Simon, 1 Aug 2002] Review glossary terms: missing, update.
- [Tim, 15 Aug 2002] Finish Background section. Add Target.
- [Anne, 29 July 2002] Add simple example to Example section.
- [Simon, 1 Aug 2002] Update and correct the existing example in Example section.
- [Anne, 30 July 2002] Give Simon list of edits sent to Tim on Examples.
- [Tim, 15 Aug 2002] Highlight boxes in XACML Context section to show which pieces are specified by XACML, and which are outside XACML scope.
- [Tim, 15 Aug 2002] Figure 1: update to show PDP has nothing to do directly with the PIP. Replace "PDP" in the figure with a "context constructor" or something like that. PDP interacts only with the "context constructor".
- [Bill, 1 Aug 2002] Check UML-ness of Figure 3 (Tim to give Bill a software copy), and update it.
- [Tim, 15 Aug 2002] Figure 3: add switch under "condition" so it can take function or attribute.
- [Tim, 15 Aug 2002] Section 4: label two "Target" sections appropriately (one is for Rule, other is for PolicyStatement). Make it clear that, regardless of how target is generated, evaluation of policy is the same.
- [Simon, 15 Aug 2002] For each Policy syntax element, specify how PAP deals with it and how PDP deals with it. Information needed to implement the semantics of the element correctly.
- [Bill, 1 Aug 2002] Generate XML Spy representation from the schemas.
- [Simon, 1 Aug 2002] Make all definitions in schema global.
- [Michiharu, 14 Aug 2002] Update SAML Profile XSLT, including how to put Obligations into a SAML 1.0 AuthorizationQueryResponse.
- [Hal, 14 Aug 2002] Add IPR section (required by OASIS). Discuss IBM's claimed IP on obligations.
- [Anne, 14 Aug 2002] Update XML Digital Signature profile.
- [Anne, 14 Aug 2002] Update "XACML extensibility points" to make sure it includes anything needed for J2SE extensions.
- [Hal, 14 Aug 2002] Write paragraph on pitfalls of negative rules for the "Security and privacy" section.
- [Don, 14 Aug 2002] Write up "threats" for "Security and privacy" section.
- [Michiharu, 14 Aug 2002] Generate XSLT to convert a Response into the minimal form used by Conformance Test cases.
- [Anne, 14 Aug 2002] Generate list of schema elements, combining algorithms, identifiers, functions, arranged by Section # for Conformance section of document.
- [Tim, 14 Aug 2002] Fold Background references into document references section.

[31 July 2002]
- [Daniel, 1 Aug 2002] Prepare proposal and present to group.
- [Daniel, 14 Aug 2002] Provide editor with Appendix specifying semantics, operand datatypes, and result datatype for each function. Constraints: consistent with approved proposal for issue#59.
- [Michiharu, 14 Aug 2002] Provide usage examples for XPath.
- [Michiharu, 14 Aug 2002] Provide usage examples that explain use of xpath with namespaces.
- [Hal, 14 Aug 2002] Word document describing usage of each defined XACML identifier from list produced at F2F.

DECISIONS
=========

[30 July 2002]
- Keep structure of the document the same: Non-normative sections, normative sections.
- Generate XML Spy representation of schemas, but publish this on the web site as a separate element.
- Use only global element references and global type definitions in the schema. Example: Use <xs:element ref="xacml:PolicySetStatement"/>, rather than <xs:element name="PolicySetStatement" type="PolicySetStatementType"/>. Naming convention: if element is "X", type is "XType". Advantages:
    o consistency for readers of the schema.
    o can omit qualified elements and attributes.
    o makes sure names of elements stay same when type is same.
- Put function names and legal type combinations (Section 6) in an appendix.
- Put identifiers (Section 8) in an appendix.
- Put combining algorithms (Section 9) in an appendix.
- Profiles: a way of using XACML within a particular application context.
- Move LDAP profile into another section: this is "how to use LDAP to retrieve ID references in XACML", not "how to use XACML to implement LDAP access control".
- Conformance Tests: define "conformance" as taking a Request "consistent with" the specified Request.xml document, and taking the specified Policy.xml document, must produce a Response "consistent with" the specified Response.xml document. "Consistent with" means must be capable of being converted algorithmically.
- "Successfully using" goal is that all mandatory-to-implement functionality be implemented and testable. But, if don't have 3 fully compliant implementations as we get close to Sept. 1, we can redefine "successfully using" as a subset.
- Remove "Conformance Test" description of "conformant PAP".
- Commitments: Simon (OverXeer). CrossLogix can't commit to be compliant by Sept. 1. Reuters is implementing, but we don't know if they can commit for Sept. 1. Carlisle will contact Reuters to see if they will commit. Michiharu (IBM) will do his best, but can't commit.
- Acknowledgements section will include only voting members as of time of approval as an OASIS Committee Specification. Contributors list will include all voting members during the period of specification development.

[31 July 2002]
- If do not have 3 implementations by Sept. 1, will still vote to make specification a Committee Specification, but wait for next window to submit to OASIS. Meanwhile implementations can continue to progress. OASIS is considering revising rules so that submissions can be made more frequently than every three months. Note: current OASIS rules on handling new issues that come up after submission to OASIS are awkward, and are also under review.
- Add section to document for "Future work items". Not commitments, just "topics we are considering".

NOTES ON LDAP USAGE FOR RETRIEVING POLICIES AND POLICYSETS
==========================================================
[handout of slides available]

- Should we assume PDP has at least a "template" PolicySetStatement that specifies its PolicyCombiningAlgorithm? Then the PDP (or PRP) queries policy repository with Request Target information and constructs the PolicySet. Same could apply for constructing a Policy from Rules in a repository.
- Basic issue for either is how to translate Request context information into an LDAP query that corresponds to Target information.
- PAP has to process each PolicyStatement to create index to PolicyIds from Subject/Attribute, ResourceAttribute, and Action elements in PolicyStatement Target. Attributes are indexed based on being in the Target, not based on potential inclusion in a Context.
- AttributeValue must be string? No.

--- End Message ---
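The schema decision recorded above (global element references and global type definitions only, with an element "X" typed as "XType") is easy to drift from as a schema grows. The following is an added example, not code from the XACML TC or its schema: a small lint that checks an XSD against that convention. The two schemas inside it are constructed for illustration, and the namespace URI is a placeholder rather than XACML's real one.

```python
# Added example (not from the XACML TC): lint an XSD against the F2F decision of
# 30 July 2002: only global element declarations, each element X typed as XType,
# and nested content expressed as <xs:element ref="..."/> to a global element.
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"


def check_schema_convention(xsd_text: str) -> list:
    """Return a list of convention violations (an empty list means the schema conforms)."""
    root = ET.fromstring(xsd_text)
    problems = []
    top = root.findall(f"{XS}element")                 # global element declarations
    global_names = {el.get("name") for el in top}
    for el in top:                                      # element X must be typed as XType
        name, typ = el.get("name"), el.get("type", "")
        if typ.split(":")[-1] != f"{name}Type":
            problems.append(f"element {name}: expected type {name}Type, got {typ or '(anonymous)'}")
    for parent in root.iter():                          # no local (named) declarations below top level
        if parent is root:
            continue
        for el in parent.findall(f"{XS}element"):
            if el.get("name") is not None:
                problems.append(f"local element {el.get('name')} declared inline; use ref= to a global element")
    for el in root.iter(f"{XS}element"):                # every ref must resolve to a global element
        ref = el.get("ref")
        if ref is not None and ref.split(":")[-1] not in global_names:
            problems.append(f"ref {ref} does not name a global element")
    return problems


# Constructed schemas for illustration; the namespace URI is a placeholder, not XACML's.
GOOD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:xacml="urn:example:xacml-placeholder" targetNamespace="urn:example:xacml-placeholder">
  <xs:element name="PolicySetStatement" type="xacml:PolicySetStatementType"/>
  <xs:element name="PolicyStatement" type="xacml:PolicyStatementType"/>
  <xs:complexType name="PolicySetStatementType">
    <xs:sequence><xs:element ref="xacml:PolicyStatement" maxOccurs="unbounded"/></xs:sequence>
  </xs:complexType>
  <xs:complexType name="PolicyStatementType"/>
</xs:schema>"""

BAD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="PolicySetStatement" type="PolicySetType"/>
  <xs:complexType name="PolicySetType">
    <xs:sequence><xs:element name="PolicyStatement" type="PolicyStatementType"/></xs:sequence>
  </xs:complexType>
</xs:schema>"""

if __name__ == "__main__":
    print(check_schema_convention(GOOD))   # []
    print(check_schema_convention(BAD))    # two violations: wrong type name, inline local element
```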