Time: 13:00 EDT
Tel: 513-241-0892 Access Code: 65998
Minutes from 4 November 2010 XACML TC Meeting:
13:00 - 13:05 Roll Call & Approve Minutes:
Attendees
Voting Members
Paul Tyson Bell Helicopter Textron Inc.
Bill Parducci Individual
Naomaru Itoi NextLabs, Inc.
Rich Levinson Oracle Corporation
Hal Lockhart Oracle Corporation
John Tolbert The Boeing Company
Mike Davis Veterans Health Administration
David Staggs Veterans Health Administration
Members
Franz-Stefan Preiss IBM
Guest
Greg Neven IBM
Did not achieve quorum at the start of the meeting. Some additional
members joined later.
Approve Minutes:
21 October 2010 TC Meeting
http://lists.oasis-open.org/archives/xacml/201010/msg00011.html
Deferred to next meeting
Administrivia
New OASIS TC Proceedings and Definitions (15 Oct 2010)
(same as last meeting: left in place for visibility, reference)
http://www.oasis-open.org/committees/process-2010-07-28.php
XACML v3 Status (unchanged)
1 attestation received to date
Issues (carried over from last meeting)
HL7 examples
There has been a request for clarification with HL7 documents and
examples:
http://lists.oasis-open.org/archives/xacml/201010/msg00004.html
-> [Action] David to propose a specific change and we will discuss
if it can be handled as errata.
PIP directive proposal: "Telling the PIP where to pull from"
David Chadwick has raised the concept of additional processing
associated with PDP <-> PIP interaction:
http://lists.oasis-open.org/archives/xacml/201010/msg00005.html
additional discussion:
paul: http://lists.oasis-open.org/archives/xacml/201010/msg00006.html
david: http://lists.oasis-open.org/archives/xacml/201010/msg00007.html
david: http://lists.oasis-open.org/archives/xacml/201010/msg00009.html
rich: http://lists.oasis-open.org/archives/xacml/201010/msg00013.html
david: http://lists.oasis-open.org/archives/xacml/201010/msg00015.html
Discussion put off until next meeting because David sent regrets
that he could not be present today.
Guest Presentation (continued)
Discussion of this presentation continues from last meeting.
The presentation slides have been uploaded to the XACML TC repository here:
http://www.oasis-open.org/committees/document.php?document_id=39960
PrimeLife Project (same background paragraph as last meeting)
Greg Neven of IBM Research, Zurich will be presenting an overview of
the PrimeLife Project with proposals for how XACML and SAML may be
able to address various requirements associated with this work. For
background reference, the paper Greg presented at the W3C-sponsored
Workshop on Access Control, entitled
"Credential-Based Access Control Extensions to XACML", may be found here:
http://www.w3.org/2009/policy-ws/papers/Neven.pdf
Discussion points from last meeting are copied here from the minutes
for reference; today's discussion notes follow below:
********* last meeting:
"Discussion: Paul noted that there have been some ontological
discussions on Attributes that may be applicable to this solution.
Mike Davis voiced interest in exploring this direction as well.
HL7 noted that they are developing simple hierarchical ontologies using
OWL for the healthcare space.
Tony raised a question on how anonymized Predicates may be assigned
to a Subject without compromising anonymity.
David Chadwick offered that a solution he is working with relies upon
a localized PIP to address credential validation. Greg noted that
this is for Attribute values only and not Predicates.
Paul suggested that the proposed insertion of Conditions into a SAML
assertion is a concern because these are not the same logical data
types."
*********
follow-up emails since last meeting:
"Attribute Assertions in XACML request"
paul: http://lists.oasis-open.org/archives/xacml/201010/msg00012.html
greg: http://lists.oasis-open.org/archives/xacml/201011/msg00001.html
today's mtg:
Hal's notes on PrimeLife discussion:
Greg: responded to Hal's question posted by email.
Condition expression would be used to request assertion asserting
value of condition. Also used in Assertion to indicate what is
being asserted.
Might or might not be used in policy depending on which proposal
is chosen.
Paul: commented on the ability of ontologies and reasoning engines
to implement these capabilities.
Greg: clarified some of the issues raised by Hal and others by
reference to slides 11 & 14 in the presentation.
Rich: outlined an approach to the policy portion of the problem
using a scheme which was a variation of the simple solution
presented by Greg and building on the OpenAZ work.
Hal: asked how the SAML "assertion of a condition" scheme would work
with anonymous credentials. Greg said that a credential could be
constructed from which various partial information could be
extracted, in effect using different signature values. The client
would hold a credential constructed by the IDP originally.
The client would be able to construct values to assert different
expressions from it. It would not be able to do all possible
XACML conditions, but many useful ones.
It was agreed to continue discussions on the list.
Rich's notes on PrimeLife discussion at today's meeting:
Hal: could have PIP evaluate condition and return boolean
as attribute value.
greg: slide 14: 2 possible conditions?
how to evaluate w external conditions?
slide 12:
certified condition?
hal: property of resource vs property
"certified condition" a saml assertion certifies a condition
to be true (or false);
condition specified in policy; has missing condition
what is condition going to be asked for;
if can teach idp that attr "A" ...
franz-stefan: what about classes?
paul: can establish classes of any complexity, etc.
defining class of people - can do that - bus rules
are represented that way.
rich: raised issues about where "policy" is actually
defined - i.e. in xacml or outside ontological objs?
concern is policy concepts leaking outside of xacml
hal: need more info on crypto aspect of saml
greg: condition over attrs: signature algorithm over the
values of attributes provided.
hal: wants to know the relation between policy and the
evaluation of attrs:
greg: user has credential, which is a condition over those
attrs; certifying of condition will be done by customer.
hal: will try to pull apart separable issues, plan to
present to saml week after next: 16th.
note: hal suggested slide 7 is really the set of
use cases to look at to get the concept of the
expression thing being asked for.
next call nov 18
meeting adjourned 2PM ET