Subject: Minutes of 10 November 2005 TC Meeting
Minutes of OASIS XACML TC Meeting
10am EDT, 11 November 2005
Agenda:
1. Roll Call and Agenda Review
ATTENDEES:
Anne Anderson
David Staggs
Hal Lockhart
Seth Proctor
Argyn Kuketayev
Tim Moses
Bill Parducci
Michiharu Kudo
Erik Rissanen
Ron Williams
Abbie Barbir (prospective member)
Quorum was achieved.
-. Change of schedule
UNANIMOUS APPROVAL: skip meeting on 24 November 2005 due to
U.S. holiday. Next meeting will be 8 December.
-. Announcements
ASTM Health Care Informatics WG: Hal Lockhart and David Staggs
attended ASTM Health Care Informatics Working Group meeting
earlier this week; XACML is a key component of the
architecture, which is based on RBAC. David Staggs will send
links to relevant ASTM documents.
ITU-T: Abbie Barbir reported on status: XACML v2 (core and
SAML) submitted to ITU-T. Process now between OASIS and
ITU-T, but TC will be kept informed. Nickname is X.WebSec-2.
Earliest approval as ITU "Recommendation" would be in April
2006. Abbie and Hal will have to reformat the documents to
conform to ITU conventions; normative text will not change.
Potential XPath support issue with the ITU-T approval: will
need to change to a standard recognized by ITU.
[ACTION ITEM: Michiharu] look at the impact of this on XACML's
usage. XPath and XQuery are not in final call.
-. Vote on approval of minutes from October 27
http://lists.oasis-open.org/archives/xacml/200510/msg00022.html
UNANIMOUS APPROVAL.
-. Delegation
Right to revoke
http://lists.oasis-open.org/archives/xacml/200510/msg00025.html
http://wiki.oasis-open.org/xacml/RightToRevoke
Now have control over who may issue a policy, but not over who
may revoke a policy. Affects use of "historic attributes"
(i.e. attribute values at time policy was created rather than
at time request is received). Erik has proposed a couple of
models: one is "if you could have issued this policy, you can
revoke it". Issues: format for revocation; processing model
for verifying that revocation is valid. Hal brought up issues
of timing, ignorance (not aware of a valid revocation).
Another model says issuer can revoke issuer's own policies;
Erik says this does not work well with historic attributes.
F2F proposed use of either historic attributes or current
attributes, but not mixed. WIKI page above has discussion.
Request to revoke would reference policy id as the resource,
but does not reference the policy's situation. Means need
unique ids for policies; Erik resolved by combining issuer
with id.
Reduction of Deny
http://lists.oasis-open.org/archives/xacml/200510/msg00026.html
There is an old WIKI plus this new message. Issue: now when
access policy says "Deny", it is reduced the same way as
"Permit". Admin policies must be "Permit"; too complex to
support "Deny" at this level and no good use case. Probably
need to make "Effect" part of the situation (general
agreement). If someone else has "Permitted", can your "Deny"
override that? Or if you have "Denied", can someone else
override it with a "Permit"?
Ron Williams proposed policy evaluation model might need to
specify whether it supports mixed model or not; PDP
"meta-policy". Erik says could probably be implemented by
using permit-overrides combining algorithm; more complicated
if want to allow "Deny" in some cases, but possibly
supportable with combining algorithm parameters.
APPROVED: include "Effect" in situation in next draft.
[ACTION ITEM: Ron Williams] post a couple of simple use cases.
Authz discussion (Erik, Frank)
http://lists.oasis-open.org/archives/xacml/200511/msg00001.html
Summary: how to pass extra attributes and policies (for
potential future delegates) to PDP. These are provided in
initial request, but will be used during later phases of the
reduction. Frank proposes RequestContext include new section
for "Entities" (actual name TBD). Matching on delegate
attributes should include both Delegate section and any Entity
section that includes that delegate's identity. Other option
is to have such attributes passed separately from the Request,
but serves as a pool for populating Delegate sections later.
Neater to reference just Delegate section rather than having
PDP check two locations.
-. Issues
Delegation
http://lists.oasis-open.org/archives/xacml/200510/msg00026.html
[previously discussed: reduction of deny]
Issue #3
http://lists.oasis-open.org/archives/xacml/200510/msg00023.html
Daniel's open context syntax proposal. No submission yet.
-. General
XACML referenced paper
http://lists.oasis-open.org/archives/xacml/200511/msg00005.html
The meeting adjourned at 10:58.
Anne Anderson
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692