OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Minutes for 24 March 2011 TC Meeting - UPDATED

    Posted 03-25-2011 13:25
    Time: 13:00 EDT
    Tel: 513-241-0892 Access Code: 65998

    Minutes for 24 March 2011 TC Meeting - UPDATED:

    I. Roll Call & Approve Minutes:

    Voting
    Erik Rissanen
    Abbie Barbir
    Paul Tyson
    Doron Grinstein
    Sridhar Muppidi
    Gregory Neven
    Franz-Stefan Preiss
    Bill Parducci
    Anthony Nadalin
    Rich Levinson
    Hal Lockhart
    John Tolbert
    David Staggs

    Non-voting
    Kenneth Peeples
    Duane DeCouteau
    Remon Sinnema

    10 March 2011 TC Meeting Minutes (Updated):
    http://lists.oasis-open.org/archives/xacml/201103/msg00015.html

    hal: no objections heard; approved

    II. Administrivia

    F2F Planning Update
    http://lists.oasis-open.org/archives/xacml/201103/msg00006.html

    hal: f2f action on chairs to look for proposals

    OASIS XACML Webinar: is there interest to develop?
    http://lists.oasis-open.org/archives/xacml/201103/msg00034.html

    bill: talked to Dee: Erik, Doron, Hal volunteer to work on it.

    Conformance Tests: bitkoo xacml 3.0 tests available for examination:
    http://lists.oasis-open.org/archives/xacml/201103/msg00008.html

    hal: good job by bitkoo; encourage people to check it out

    ITU-T Files of Interest: (any update on reviewing? - see minutes above)
    http://lists.oasis-open.org/archives/xacml/201103/msg00001.html

    abbie: actively working on it, actual submission in next few days;
    apr 11-20 group 17 mtg; next update will be after that.

    III. Issues

    New (from Hal): Specifying a specific associated Resource in a Policy
    (Sticky Policies):
    hal: http://lists.oasis-open.org/archives/xacml/201103/msg00012.html

    hal: suggest we collect errata, which would involve dropping some
    or all of the CS docs back to Working Draft and redo all the
    votes and public review
    erik: thinks it's a bad idea, and instead thinks that we should find a
    way just to post the errata
    rich: agrees, and thinks it should be parallel track, which would
    leave the docs in CS state, allow them to progress to oasis
    specs, and the errata can be collected independently, until
    such time as we decide what to do w errata.
    erik: volunteers to collect errata then decide what to do next
    hal: reqd to produce errata against oasis std; format not
    specified, just show how published std will be changed.
    suggests format of chg line #s ... to ...
    hal: point is to collect chgs and agree with chgs then later
    decide what, if anything, should be done to specs.

    New (from xacml-comment): Specification of extended indeterminate in
    combining algorithms is incomplete:
    erik: http://lists.oasis-open.org/archives/xacml/201103/msg00011.html

    hal: erik to look at w errata

    New (from Franz-Stefan): Erratum concerning the 'Expression
    Substitution Group':
    franz-stefan:
    http://lists.oasis-open.org/archives/xacml/201103/msg00036.html

    hal: erik to look at for errata

    New (from Greg): Obligations problem: sec 7.16 may confuse
    "effect", "result"
    greg: http://lists.oasis-open.org/archives/xacml/201103/msg00037.html

    hal: erik to look at for errata

    Attribute Assertions in XACML request: greg has posted proposed profile:
    http://lists.oasis-open.org/archives/xacml/201103/msg00035.html
    comments on posting:
    http://lists.oasis-open.org/archives/xacml/201103/msg00040.html
    original (Paul from November 2010):
    http://lists.oasis-open.org/archives/xacml/201010/msg00012.html

    hal: greg to describe proposal

    greg: doc has generic introduction; instead of letting saml carry
    values only, can also carry a predicate that could be handled
    by the pdp
    sec 3 would be chg to saml profile
    sec 4 explains how such assertions could be embedded in
    a xacml pdp

    comments:
    from doron: who does work? pep or ch?
    greg: if ch sees responses passing then ch could do it just as well
    from franz-stefan: restrictions on how many queries user
    can be making at given time; fishing: systematic queries
    to collect underlying constraints
    hal: was presented to saml on tue; some pushback on applies
    stuff; possibly profiles saml<->xacml should ref each other
    and cooperate; xspa has done 3 profiles in 3 tcs;
    greg: own group has raised some issues in red balloons on
    some of the pages;
    paul: has same concerns raised earlier; whole business of
    translating between boolean vs real comparison on an attr;
    doron: didn't analyze in detail; similar to what they do in
    long run; when you have attr responder: what values are
    transmitted to responder;
    hal: process of obtaining from a provider a predicate;
    greg: query will contain predicate to be certified;
    doron: has done before in 2003: tell pip go get attr
    from various sources; throw attr of user over fence to
    provider that returns the boolean; inputs are any num
    of attrs, from req; pep calls svc w some attr; pdp then
    tells ch - go get more attrs, then send attrs to predicate
    responder and return a boolean rsp that pdp makes decision on.

    greg: in doron's scenario: predicate is fixed in some kind
    of service; greg's proposal is for any predicate: is doron's
    for specific predicate?
    doron: can give any predicate, but can also add more attrs;
    user is 123, dept is xyz, is he over 21? pred calcs t/f
    greg: not aware is it doc'd anywhere
    doron: filed a patent; can set up a demo;
    hal: didn't quite follow:
    doron: define pred; attrs about principal; predicate resolver;
    hal: part of saml based on this is attr query, no guarantee
    about what will be returned; make a query w a bunch of attrs
    and predicates;
    rich: thinks there is lot of stuff out there: saml profiles,
    doron's stuff, other products, federation, papers have published
    various things on collecting attrs, preparing predicates, and
    producing results;
    greg: point of profile is do basically that;
    hal: concern about mention of patent - need to review oasis ipr
    policies before introducing any patented technology
    greg: p6, gives example
    hal: missing attrs, attr finders, david's paper, interesting topic
    wrt to obtaining attrs independent of notion of "predicates"
    doron: predicate is just another attr for pep go get; do we want
    to represent expression in policy; might be able to communicate
    policy to responder
    hal: in general can flatten anything out to a scalar;
    rich: one or more scalars;
    paul: xacml loosely coupled: common vocabulary that all participants
    are aware of; introducing local attrs - policy writer can't
    in terms of well known attrs; that alone introduces complexity
    hal: xacml doesn't define your attrs, names, etc. need that
    knowledge
    paul: in any domain you will have that set of attrs; can do
    varied analysis and be sure what you are doing; doron's notion
    extends ch to not just deal w attrs, but throws over wall;
    doron: example: can ask a weather service if it is raining; don't
    need to know the internals of the impl
    paul: pdp evaluates w full knowledge of attrs involved; can
    eval wrt attrs of unknown origin;
    hal: black box; ask what humidity is: why do you need to know
    the impl in the black box.
    doron: need to support both black and white box; call for credit
    score - don't know how they do it, just need the score; in other
    cases need to send attrs to control evaluation of credit score;
    greg: how does ch know which attr to query?
    doron: for each attr have info and expression, policy identifier,
    etc. dynamic data provider; boolean is ultimate response
    greg: sounds similar to locally meaningful attr-id's

    rich: have reached end of meeting time 2:00

    hal: to be continued; greg is updating proposal?

    greg: will work w what tc wants to do;

    hal: ask tc-admin for template, then can post to our archive;

    rich: was same doc submitted to both xacml, saml?
    greg: yes

    david s: incits: producing next gen access ctl, can put some
    text in for xacml in cs1; need to be member of cs1: us body
    for iso?

    hal: next mtg in 2 weeks; progress pts on list as much as possible.

    BTG Profile (Break The Glass):
    several recent comments (only listed most recent from each named member):
    david-c: http://lists.oasis-open.org/archives/xacml/201103/msg00014.html
    mike: http://lists.oasis-open.org/archives/xacml/201103/msg00021.html
    erik: http://lists.oasis-open.org/archives/xacml/201103/msg00024.html
    doron: http://lists.oasis-open.org/archives/xacml/201103/msg00027.html
    martin: http://lists.oasis-open.org/archives/xacml/201103/msg00028.html
    bill: http://lists.oasis-open.org/archives/xacml/201103/msg00029.html
    paul: http://lists.oasis-open.org/archives/xacml/201103/msg00030.html
    david-s: http://lists.oasis-open.org/archives/xacml/201103/msg00032.html
    rich: http://lists.oasis-open.org/archives/xacml/201103/msg00033.html
    original (David C):
    http://lists.oasis-open.org/archives/xacml/201011/msg00017.html

    PIP directive (additional information directives)
    original (David):
    http://lists.oasis-open.org/archives/xacml/201010/msg00005.html
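    The attribute-predicate flow argued over in the minutes above (PEP sends a request with some attributes, the PDP asks the context handler for more, the context handler throws the attributes over the fence to a black-box predicate responder and gets only a boolean back, and the PDP decides on that boolean) is sketched below as an added example. It is not TC code or any implementation of Greg's or Doron's proposal; the predicate names, the `ContextHandler`, `PredicateResponder` and `PDP` classes, and the sample requests are all constructed for illustration. It also includes the one control Franz-Stefan asked about: a per-subject budget on predicate queries, so that systematic probing of the responder to learn its underlying constraints ("fishing") is cut off and surfaces as an Indeterminate rather than as a leaked answer.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class PredicateResponder:
    """Constructed black-box responder (credit bureau, weather service, HR
    system). It answers a named yes/no question over a bag of attributes;
    the caller never sees how the answer is computed, only the boolean."""
    predicates: Dict[str, Callable[[Dict[str, object]], bool]]

    def evaluate(self, name: str, attrs: Dict[str, object]) -> bool:
        if name not in self.predicates:
            raise KeyError(f"unknown predicate {name!r}")
        return bool(self.predicates[name](attrs))


class QueryBudgetExceeded(Exception):
    """One subject has driven more predicate queries than the CH allows."""


@dataclass
class ContextHandler:
    """Hypothetical CH: fetches predicate results on the PDP's behalf and
    meters how many responder queries a single subject can cause."""
    responder: PredicateResponder
    max_queries_per_subject: int = 3
    _queries: Dict[str, int] = field(default_factory=dict)

    def resolve_predicate(self, subject_id: str, name: str,
                          attrs: Dict[str, object]) -> bool:
        used = self._queries.get(subject_id, 0)
        if used >= self.max_queries_per_subject:
            raise QueryBudgetExceeded(subject_id)
        self._queries[subject_id] = used + 1
        # Attributes go over the fence; only a boolean comes back.
        return self.responder.evaluate(name, attrs)


@dataclass
class Rule:
    predicate: str   # name of the predicate the responder must certify
    effect: str      # "Permit" or "Deny"


class PDP:
    """Toy PDP: every rule is gated on one predicate attribute, and the
    rule effects are combined deny-overrides."""

    def __init__(self, ch: ContextHandler, rules: List[Rule]):
        self.ch = ch
        self.rules = rules

    def decide(self, request: Dict[str, object]) -> str:
        subject_id = str(request["subject-id"])
        effects: List[str] = []
        for rule in self.rules:
            try:
                applies = self.ch.resolve_predicate(
                    subject_id, rule.predicate, request)
            except QueryBudgetExceeded:
                # Budget exhausted: fail closed with Indeterminate rather
                # than keep feeding answers to a probing subject.
                return "Indeterminate"
            if applies:
                effects.append(rule.effect)
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"


def build_demo_pdp(max_queries_per_subject: int = 3) -> PDP:
    """Wire a constructed responder and two rules (Doron's 'is he over
    21?' question plus a deny rule) behind a metered context handler."""
    responder = PredicateResponder({
        "over-21": lambda a: int(a.get("age", 0)) >= 21,
        "on-watchlist": lambda a: a.get("subject-id") in {"666"},
    })
    rules = [Rule("over-21", "Permit"), Rule("on-watchlist", "Deny")]
    return PDP(ContextHandler(responder, max_queries_per_subject), rules)


if __name__ == "__main__":
    pdp = build_demo_pdp(max_queries_per_subject=4)
    print(pdp.decide({"subject-id": "123", "dept": "xyz", "age": 30}))
    print(pdp.decide({"subject-id": "456", "age": 17}))
    print(pdp.decide({"subject-id": "666", "age": 40}))
```

    Each decision costs one responder query per rule, so with a budget of four a subject gets two full evaluations and the third comes back Indeterminate. A real profile would also have to decide which attributes are allowed to leave the PDP's trust boundary at all, which the budget does nothing about.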


  • 2.  Re: [xacml] Minutes for 24 March 2011 TC Meeting - UPDATED

    Posted 03-28-2011 09:14
    Rich,

    I just noticed that there is another error in the minutes. See inline.

    Regards,
    Erik

    On 2011-03-25 14:24, Rich.Levinson wrote:
    > Time: 13:00 EDT
    > Tel: 513-241-0892 Access Code: 65998
    >
    > Minutes for 24 March 2011 TC Meeting - UPDATED:
    >
    > I. Roll Call & Approve Minutes:
    >
    > Voting
    > Erik Rissanen
    > Abbie Barbir
    > Paul Tyson
    > Doron Grinstein
    > Sridhar Muppidi
    > Gregory Neven
    > Franz-Stefan Preiss
    > Bill Parducci
    > Anthony Nadalin
    > Rich Levinson
    > Hal Lockhart
    > John Tolbert
    > David Staggs
    >
    > Non-voting
    > Kenneth Peeples
    > Duane DeCouteau
    > Remon Sinnema
    >
    > 10 March 2011 TC Meeting Minutes (Updated):
    > http://lists.oasis-open.org/archives/xacml/201103/msg00015.html
    >
    > hal: no objections heard; approved
    >
    > II. Administrivia
    > F2F Planning Update
    > http://lists.oasis-open.org/archives/xacml/201103/msg00006.html
    >
    > hal: f2f action on chairs to look for proposals
    >
    > OASIS XACML Webinar: is there interest to develop?
    > http://lists.oasis-open.org/archives/xacml/201103/msg00034.html
    >
    > bill: talked to Dee: Erik, Doron, Hal volunteer to work on it.
    >
    > Conformance Tests: bitkoo xacml 3.0 tests available for examination:
    > http://lists.oasis-open.org/archives/xacml/201103/msg00008.html
    >
    > hal: good job by bitkoo; encourage people to check it out
    >
    > ITU-T Files of Interest: (any update on reviewing? - see minutes above)
    > http://lists.oasis-open.org/archives/xacml/201103/msg00001.html
    >
    > abbie: actively working on it, actual submission in next few days;
    > apr 11-20 group 17 mtg; next update will be after that.
    >
    > III. Issues
    > New (from Hal): Specifying a specific associated Resource in a Policy
    > (Sticky Policies):
    > hal: http://lists.oasis-open.org/archives/xacml/201103/msg00012.html

    The discussion below does not apply to sticky policies, rather to the
    errata issue just below.

    > hal: suggest we collect errata, which would involve dropping some
    > or all of the CS docs back to Working Draft and redo all the
    > votes and public review
    > erik: thinks it's a bad idea, and instead thinks that we should find a
    > way just to post the errata
    > rich: agrees, and thinks it should be parallel track, which would
    > leave the docs in CS state, allow them to progress to oasis
    > specs, and the errata can be collected independently, until
    > such time as we decide what to do w errata.
    > erik: volunteers to collect errata then decide what to do next
    > hal: reqd to produce errata against oasis std
    > format not specified, just show how published std will
    > be changed. suggests format of chg line #s ... to ...
    > hal: point is to collect chgs and agree with chgs then later
    > decide what, if anything, should be done to specs.
    >
    > New (from xacml-comment): Specification of extended indeterminate in
    > combining algorithms is incomplete:
    > erik: http://lists.oasis-open.org/archives/xacml/201103/msg00011.html
    >
    > hal: erik to look at w errata
    >
    > New (from Franz-Stefan): Erratum concerning the 'Expression
    > Substitution Group':
    > franz-stefan:
    > http://lists.oasis-open.org/archives/xacml/201103/msg00036.html
    >
    > hal: erik to look at for errata
    >
    > New (from Greg): Obligations problem: sec 7.16 may confuse
    > "effect", "result"
    > greg: http://lists.oasis-open.org/archives/xacml/201103/msg00037.html
    >
    > hal: erik to look at for errata
    >
    > Attribute Assertions in XACML request: greg has posted proposed profile:
    > http://lists.oasis-open.org/archives/xacml/201103/msg00035.html
    > comments on posting:
    > http://lists.oasis-open.org/archives/xacml/201103/msg00040.html
    > original (Paul from November 2010):
    > http://lists.oasis-open.org/archives/xacml/201010/msg00012.html
    >
    > hal: greg to describe proposal
    >
    > greg: doc has generic introduction; instead of letting saml carry
    > values only, can also carry a predicate that could be handled
    > by the pdp
    >
    > sec 3 would be chg to saml profile
    >
    > sec 4 explains how such assertions could be embedded in
    > a xacml pdp
    >
    > comments: from doron: who does work? pep or ch? greg: if
    > ch sees responses passing then ch could do it just as well
    > from franz-stefan: restrictions on how many queries user
    > can be making at given time; fishing: systematic queries
    > to collect underlying constraints
    > hal: was presented to saml on tue; some pushback on applies
    > stuff; possibly profiles saml<->xacml should ref each other
    > and cooperate; xspa has done 3 profiles in 3 tcs;
    > greg: own group has raised some issues in red balloons on
    > some of the pages;
    > paul: has same concerns raised earlier; whole business of
    > translating between boolean vs real comparison on an attr;
    > doron: didn't analyze in detail; similar to what they do in
    > long run; when you have attr responder: what values are
    > transmitted to responder;
    > hal: process of obtaining from a provider a predicate;
    > greg: query will contain predicate to be certified;
    > doron: has done before in 2003: tell pip go get attr
    > from various sources; throw attr of user over fence to
    > provider that returns the boolean; inputs are any num
    > of attrs, from req;
    > pep calls svc w some attr; pdp then tells ch - go get more
    > attrs, then send attrs to predicate responder and return
    > a boolean rsp that pdp makes decision on.
    >
    > greg: in doron's scenario: predicate is fixed in some kind
    > of service; greg's proposal is for any predicate: is doron's
    > for specific predicate?
    > doron: can give any predicate, but can also add more attrs;
    > user is 123, dept is xyz, is he over 21? pred calcs t/f
    > greg: not aware is it doc'd anywhere
    > doron: filed a patent; can set up a demo;
    > hal: didn't quite follow:
    > doron: define pred; attrs about principal;
    > predicate resolver;
    > hal: part of saml based on this is attr query, no guarantee
    > about what will be returned; make a query w a bunch of attrs
    > and predicates;
    > rich: thinks there is lot of stuff out there: saml profiles,
    > doron's stuff, other products, federation, papers have published
    > various things on collecting attrs, preparing predicates, and
    > producing results;
    > greg: point of profile is do basically that;
    > hal: concern about mention of patent - need to review oasis ipr
    > policies before introducing any patented technology
    > greg: p6, gives example
    > hal: missing attrs, attr finders, david's paper, interesting topic
    > wrt to obtaining attrs independent of notion of "predicates"
    > doron: predicate is just another attr for pep go get; do we want
    > to represent expression in policy; might be able to communicate
    > policy to responder
    > hal: in general can flatten anything out to a scalar;
    > rich: one or more scalars;
    > paul: xacml loosely coupled: common vocabulary that all participants
    > are aware of; introducing local attrs - policy writer can't
    > in terms of well known attrs; that alone introduces complexity
    > hal: xacml doesn't define your attrs, names, etc. need that
    > knowledge
    > paul: in any domain you will have that set of attrs; can do
    > varied analysis and be sure what you are doing; doron's notion
    > extends ch to not just deal w attrs, but throws over wall;
    > doron: example: can ask a weather service if it is raining; don't
    > need to know the internals of the impl
    > paul: pdp evaluates w full knowledge of attrs involved; can
    > eval wrt attrs of unknown origin;
    > hal: black box; ask what humidity is: why do you need to know
    > the impl in the black box.
    > doron: need to support both black and white box; call for credit
    > score - don't know how they do it, just need the score; in other
    > cases need to send attrs to control evaluation of credit score;
    > greg: how does ch know which attr to query?
    > doron: for each attr have info and expression, policy identifier,
    > etc. dynamic data provider; boolean is ultimate response
    > greg: sounds similar to locally meaningful attr-id's
    >
    > rich: have reached end of meeting time 2:00
    >
    > hal: to be continued; greg is updating proposal?
    >
    > greg: will work w what tc wants to do;
    >
    > hal: ask tc-admin for template, then can post to our archive;
    >
    > rich: was same doc submitted to both xacml, saml?
    > greg: yes
    >
    > david s: incits: producing next gen access ctl, can put some
    > text in for xacml in cs1; need to be member of cs1: us body
    > for iso?
    >
    > hal: next mtg in 2 weeks; progress pts on list as much as possible.
    >
    > BTG Profile (Break The Glass):
    > several recent comments (only listed most recent from each named member):
    > david-c: http://lists.oasis-open.org/archives/xacml/201103/msg00014.html
    > mike: http://lists.oasis-open.org/archives/xacml/201103/msg00021.html
    > erik: http://lists.oasis-open.org/archives/xacml/201103/msg00024.html
    > doron: http://lists.oasis-open.org/archives/xacml/201103/msg00027.html
    > martin: http://lists.oasis-open.org/archives/xacml/201103/msg00028.html
    > bill: http://lists.oasis-open.org/archives/xacml/201103/msg00029.html
    > paul: http://lists.oasis-open.org/archives/xacml/201103/msg00030.html
    > david-s: http://lists.oasis-open.org/archives/xacml/201103/msg00032.html
    > rich: http://lists.oasis-open.org/archives/xacml/201103/msg00033.html
    > original (David C):
    > http://lists.oasis-open.org/archives/xacml/201011/msg00017.html
    >
    > PIP directive (additional information directives)
    > original (David):
    > http://lists.oasis-open.org/archives/xacml/201010/msg00005.html