OASIS eXtensible Access Control Markup Language (XACML) TC

Minutes from 4 November 2010 TC Meeting - updated attendance

  • 1.  Minutes from 4 November 2010 TC Meeting - updated attendance

    Posted 11-05-2010 16:40
    Time: 13:00 EDT
    Tel: 513-241-0892 Access Code: 65998
    
    Minutes from 4 November 2010 XACML TC Meeting:
    
    13:00 - 13:05 Roll Call & Approve Minutes:
    
    Attendees
    
    Voting Members
    Paul Tyson 		Bell Helicopter Textron Inc.
    Bill Parducci 		Individual
    Naomaru Itoi 		NextLabs, Inc.
    Rich Levinson 		Oracle Corporation
    Hal Lockhart 		Oracle Corporation
    John Tolbert 		The Boeing Company
    Mike Davis 		Veterans Health Administration
    David Staggs 		Veterans Health Administration
    
    Members
    Franz-Stefan Preiss 	IBM
    
    Guest
    Greg Nevens 		IBM
    
        Did not achieve quorum at the start of the meeting. Some additional
        members joined later.
    
    Approve Minutes:
    21 October 2010 TC Meeting
      http://lists.oasis-open.org/archives/xacml/201010/msg00011.html
    
        Deferred to next meeting
    
    Administrivia
    New Oasis TC Proceedings and Definitions (15 Oct 2010)
    (same as last meeting: left in place for visibility, reference)
      http://www.oasis-open.org/committees/process-2010-07-28.php
    
    XACML v3 Status (unchanged)
      1 attestation received to date
    
    Issues (carried over from last meeting)
    HL7 examples
      There has been a request for clarification with HL7 documents and
      examples:
      http://lists.oasis-open.org/archives/xacml/201010/msg00004.html
    
      -> [Action] David to propose a specific change and we will discuss
                  if it can be handled as errata.
    
    PIP directive proposal: "Telling the PIP where to pull from"
      David Chadwick has raised the concept of additional processing
      associated with PDP <-> PIP interaction:
       http://lists.oasis-open.org/archives/xacml/201010/msg00005.html
      additional discussion:
       paul:  http://lists.oasis-open.org/archives/xacml/201010/msg00006.html
       david: http://lists.oasis-open.org/archives/xacml/201010/msg00007.html
       david: http://lists.oasis-open.org/archives/xacml/201010/msg00009.html
       rich:  http://lists.oasis-open.org/archives/xacml/201010/msg00013.html
       david: http://lists.oasis-open.org/archives/xacml/201010/msg00015.html
    
        Discussion put off until next meeting because David sent regrets
        that he could not be present today.
    
    Guest Presentation (continued)
    This presentation will have discussion continued from last meeting.
    
    The pres slides have been uploaded to XACML TC Repository here:
      http://www.oasis-open.org/committees/document.php?document_id=39960
    
    Primelife Project (same background para as last mtg)
      Greg Neven of IBM Research, Zurich will be presenting on overview of
      the Primelife Project with proposals of how XACML and SAML may be
      able to address various requirements associated with this work. A
      presentation from the W3C-sponsored Workshop on Access Control that
      Greg gave may be found here for background reference, a paper entitled:
    
      "Credential-Based Access Control Extensions to XACML"
       http://www.w3.org/2009/policy-ws/papers/Neven.pdf
    
    Discussion points from last meeting copied from minutes to here for
      reference: today's discussion notes are below:
    
    ********* last meeting:
    "Discussion: Paul noted that there have been some ontological
      discussions on Attributes that may be applicable to this solution.
      Mike Davis voiced interest in exploring this direction as well.
    
      H17 noted that they developing simple hierarchical ontologies using
      OWL to the healthcare space.
    
      Tony raised a question on how anonymized Predicates may be assigned
      to a Subject without compromising anonymity.
    
      David Chadwick offered that a solution he is working with relies upon
      a localized PIP to address credential validation. Greg noted that
      this is for Attribute values only and not Predicates.
    
      Paul suggested that the proposed insertion of Conditions into a SAML
      assertion is a concern because they are not the these are not the same
      logical data types."
    
    *********
      follow-up emails since last meeting:
      "Attribute Assertions in XACML request"
       paul:  http://lists.oasis-open.org/archives/xacml/201010/msg00012.html
       greg:  http://lists.oasis-open.org/archives/xacml/201011/msg00001.html
    
    today's mtg:
    Hal's notes on Primelife discussion:
      Greg: responded to Hal's question posted by email.
        Condition expression would be used to request assertion asserting
        value of condition. Also used in Assertion to indicate what is
        being asserted.
        Might or might not be used in policy depending on which proposal
        is chosen.
    
      Paul: commented on the ability to ontologies and reasoning engines
        to implement these capabilities.
    
      Greg: clarified some of the issue raised by Hal and others by
        reference to slides 11 & 14 in the presentation.
    
      Rich: outlined an approach to the policy portion of the problem
        using a scheme which was a variation of the simple solution
        presented by Greg and building on the OpenAZ work.
    
      Hal: asked how the SAML "assertion of a condition" scheme would work
        with anonymous credentials. Greg said that a credential could be
        constructed from which various partial information could be
        extracted, in effect using different signature values. The client
        would hold a credential constructed by the IDP originally.
        The client would be able to construct values to assert different
        expressions from it. It would not be able to do all possible
        XACML conditions, but many useful ones.
    
      It was agreed to continue discussions on the list.
    
    Rich's notes on PrimeLife discussion at today's meeting:
        Hal: could have PIP evaluate condition: and return boolean
    	as attribute value.
        greg: slide 14: 2 possible conditions?
    	how to evaluate w external conditions?
          slide 12:
    	certified condition?
        hal: property of resource vs property
    	"certified condition" a saml assertion certifies a condition
    	 to be true (or false);
    	condition specified in policy; has missing condition
    	what is condition going to be asked for;
    	if can teach idp that attr "A" ...
        franz-stephan: what about classes?
        paul: can establish classes of any complexity, etc.
    	 defining class of people - can do that - bus rules
    	  are represented that way.
        rich: raised issues about where "policy" is actually
    	 defined - i.e. in xacml or outside ontological objs?
    	 concern is policy concepts leaking outside of xacml
        hal: need more info on crypto aspect of saml
        greg: condition over attrs: signature algorithm over the
    	 values of attributes provided.
        hal: wants to know the relation between policy and the
    	 evaluation of attrs:
        greg: user has credential, which is a condition over those
    	 attrs; certifying of condition will be done by customer.
        hal: will try to pull apart separable issues, plan to
    	 present to saml week after next: 16th.
    
        note: hal suggested slide 7 is really the set of
    	use cases to look at to get the concept of the
    	expression thing being asked for.
    
      next call nov 18
      meeting adjourned 2PM ET