Subject: FTF#1 7/18/01 Minutes

The minutes are also attached in their original Word format, which is a little easier to read.

Notes taken by Gil Pilz (minor editing by Ken Yagen; Ken's notes follow at end)
Wednesday, July 18, 2001
9:00 AM
Ken Yagen
-       Roll call: 9 Voting Members Present
Ken Yagen, Crosslogix
Fred Moses, Entitlenet
Gilbert Pilz, Jamcracker
Jeff Hodges, Oblix
Simon Blackwell, Psoom
Bill Parducci, Self
Suresh Damodaran, SterlingCommerce
Philip Hallam-Baker, Verisign
Tim Moses, Entrust

Observers
Gary Ellison, Sun Microsystems
Mohnish Harisiganey, Crosslogix
Simon Godik, Crosslogix
Mingde Xu, Crosslogix
Frank Chum, Psoom
Merlin Hughes, Baltimore
Sandilya Garimella, BEA
Pierangela Samarati, U.Milan
Joe Pato, HP

Via Phone
Carlisle Adams, Entrust
David Parrott, Reuters
Michiharu Kudoh, IBM
Simon
-       Thanks to Crosslogix (Note: it's cheaper to sponsor than it is to fly to Texas).
-       Meeting counts towards membership, but not against
-       Agenda overview. No changes
-       Suresh: Can we try to stick to the allotted time slots?
9:10 AM
David Parrott - Report on Reuter's Requirements For DRM.
-       <include Dave's presentation>
-       MPEG-21 standardizing content protection mechanisms.
Suresh: Could you explain the idea of "Obligations"?
Dave: "Conditions" specify the set of circumstances required to allow access. "Obligations" specify the set of circumstances required post access (i.e. You must include my branding info when you display this data.)

Simon: There are two sides to "obligations". Pre-conditions that must be satisfied to obtain access and post-conditions that must be satisfied after access has been granted. Does "Obligations" encompass both of these?

Dave: Yes.
Suresh: Are obligations things you must do in order to obtain access?
Dave: As presented, "Obligations" imply no sense of temporal ordering.
Tim Moses: Can you (Dave) comment on the division of responsibilities between MPEG and OASIS in this area?
Dave: Not sure. Same problem between MPEG and XKMS. None of these efforts has defined its own boundaries yet. MPEG is moving away from its origins in audio-visual data into an entire realm of multi-media data.

Simon: Can you (Dave) talk about how MPEG works?
Dave: MPEG is part of ISO so their activities are bounded by ISO. Very formal. Meets four times per year. Large number of ad hoc meetings. Very active. Currently there is MPEG-4, MPEG-7, and MPEG-21. Solicit requirements from the members. Cherry pick features from all these requirements.

Simon: OASIS is not a member of MPEG. OASIS may pursue swapping of memberships with MPEG. The other alternative is to piggy-back on some XACML member's membership in MPEG.

Tim Moses: In order to be a member of MPEG you must be a member of ISO. Swapping memberships with OASIS is impractical for this reason.

Phil Hallam-Baker: Objects to Leonardo's activities within MPEG? Would not want to be a member.
Dave: Leonardo does not control everything because ISO procedures are so formal.
Tim Moses: Suggest XACML submit a proposal to MPEG.
Dave: This makes a great deal of sense.
Tim: One major concern: DRM is broader than XACML.
Dave: Remember the "cherry picking" point. MPEG could pick the best bits of XACML.
Suresh: When would we know what MPEG is planning to work on and see if that aligns with the XACML agenda.
Dave: End of this week.
Simon: Several action items that could come out of this. See about OASIS formally cooperating with MPEG. Bigger question: Are people interested in seeing what MPEG

Gil: It's premature to say to what extent we should be involved with MPEG until we know what the overlap is between XACML and DRM efforts.

Tim: Nevertheless we should take the DRM requirements under advisement.
Simon: Where are the DRM requirements?
Dave: I will let you know.
Further discussion curtailed in the interests of maintaining schedule. Interested individuals are encouraged to do the reading on their own.

10:04 AM
Fred Moses: Health Care Use Cases
-       <include Fred's presentation>
Simon: Point of reference about HIPAA's impact on existing systems. Estimated to be a $25,000,000,000 re-write of existing systems. HIPAA is one of the driving forces behind Psoom's involvement in XACML.

-       HL7's current security architecture is weak and inflexible
Tim Moses: The provided example of Ms. AXS does not fit into the current XACML Domain model. The patient does not necessarily have access to or wish to engage with an Administrative Console.

Fred: Agreed.
Ken Yagen: What does P3P say about this?
Simon: <long explanation that this secretary didn't catch because he was thinking about Tim's previous comment>. [P3P - specify preferences and site has P3P policy and intersects with site and see if there is a match; Publisher driven and no enforcement]

Fred: One of the problems with the current model is that there is no global unique identifier for people. SSN does not work and shouldn't be used in the first place. When working across providers, etc. how do you correlate the various IDs?

Simon: It becomes an even more difficult problem when you have to worry about exposure of the data. How do you know who not to expose it to (i.e. the abusive ex-spouse) unless you can identify that ex-spouse?

General discussion about SSN's as a unique identifier and unique identifiers in general.
Simon: Think of it in terms of XACML. "This is a purported unique identifier". The user has authenticated because they have a SAML Authentication Assertion that says so.

Simon: W/regards to "HIV Test" slide; the fact that the HIV test occurred at all is a piece of information that needs to be protected.

Phil Hallam-Baker: The frequency and type of authorization attempts is information that needs to be captured and monitored.

Simon: W/regards to the "trauma override" slide. The European Privacy guide speaks a lot about intent. It's not simply a matter of what you did, but what you intended to do. If the CDC needs everyone's records, they should get everyone's records.

Fred: If a public agency needs access to medical records, normally they can only get demographic info but there are overrides where they can get the specifics.

Simon: Unless the rules follow the data when the restrictions are overridden there is no way for the entity that obtained the data to comply with the restrictions.

General discussion about whether "overrides" should be handled with the Authorization Model or whether they should be considered to be out-of-band and not covered in the Authorization Model.

???: Ask whether SAML audience restrictions bear upon this problem.
Phil: <answer that I missed>
???: Would refrain from using the term "override" because this implies that the action is now out-of-band and not handled by the model.

Fred: Agrees.
Simon: Point is that it is a different kind of rule.
Gil: These are "higher order" rules that contain exceptions that reference other rules.
Fred: Access is not immutable. It depends upon context.
Simon: (w/respect to the Summary of Requirements slide) Regardless of the identifier problem, we have to be concerned with the problem of preserving access semantics across organizational boundaries.

Bill Parducci: Do we need to worry about nested sub-access schemes where, for instance, the billing personnel have access to one level of information and they, in turn, grant rights to the mailing personnel for an even smaller subset of the information.

Simon: This speaks to the "re-publish rights" problem.
Simon: Do we specify the kinds of rights and types of contexts parameters available or do we leave this open.
Tim: This is addressed by David's (???) proposal. The core standard should not specify rights or context parameters.
Phil: SAML specifies a URI that identifies the context of an "action" space. Within that space there is a set of strings that is defined by the body behind the URI. Many people say that this is not enough.

General SAML discussion; we may need a generalized set of contexts.
10:48 AM Break
11:04 AM
Simon: We forgot to schedule time for a discussion of HL7. We should consider discussing the security model of HL7.
Fred: There is a very active security contingent in HL7.
Simon: Is HL7 public?
Fred: No.
Philip Hallam-Baker - DRM Use Cases
-       <Phil is not prepared with a presentation>
Phil: DRM is completely wrong. Instead of trying to protect content they should concentrate on payment.
General discussion on the concept and labeling of "DRM".
11:09 AM
Suresh Damodaran - ebXML Use Cases
-       <include "OASIS ebXML Registry" document>
Gil: What is the difference between Role and Group.
Suresh: Roles are attributes of a Principal. Groups are collections of Principals.
General discussion of Roles and Groups.
PHB: There is no real semantic distinction between Roles and Groups.
Pierangela: Groups are sets of users. Roles are sets of privileges. Roles can be activated dynamically. A user can choose to take on a Role whereas they cannot choose to be or not be a member of a Group.

???: If we use both Roles and Groups, we need to be very clear about the distinctions.
Continued discussion merging into a discussion about the meaning of "Privileges".
Have a "Group vs. Role" discussion that seeks to refine and extend the current glossary.
1.      Must agree with SAML.
2.      Take into account the realities of the existing state of the art.
3.      Is there a real distinction that we need to make?
Gil: How do you know whether a particular method requires "read" or "write" access/permission?
Suresh: They don't, "read" means the "read method", "write" means the "write method". This presupposes that all objects implement methods called "read" and "write".

Gil: CORBA solves this by providing another level of indirection that relates the rights required to execute a given method.

<General discussion that I missed because I got behind>
Suresh: General discussion of the Registry model in ebXML.
Simon: Are the methods we are discussing methods of the Registry Entry "object" or are they the methods of the objects contained within the Registry?

Tim: Thinks it is the former.
Suresh: Thinks it is the latter.
General discussion of this issue.
Tim: If a company created a Registry entry that said that they are willing to accept purchase orders by email do the Access Control Policies apply to that Registry Entry or do they apply to the email protocol itself?

Suresh: This hasn't been resolved.
Simon: If that is the case then ebXML does not have a sensible access control framework.
General discussion about how ebXML works. Does everybody get to read all the Registry Entries?
Simon: Once two parties have "discovered" each other via the Registry, do they come back to the Registry for any reason?

All: No.
Simon. Ok, so the Access Policies can only apply to Registry Objects themselves and not to the services that they refer to.

PHB: The problem with ACLs is that they are attached to atoms. We need to consider the use case of administrating the policies themselves.

We need to generate a use case for administrating the policies.
General discussion about how ebXML handles the business agreements problem.
Need a subsequent meeting to discuss ebXML and its impacts on XACML.
???: RosettaNet uses DUNS numbers to identify businesses; ebXML uses UUIDs; how would you map from the DUNS to the UUID?
Suresh: Should Access Control Policies themselves have Access Control Policies associated with them?
Simon: In XACML this should be fairly simple to do since the Access Control Policies, themselves, are XML documents.
Suresh: <missed>
Fred: <missed>
Simon: Answer to original question is yes.
Gil: When do we stop recursing on Access Control Policies.
All: We should specify a "root" Access Control Policy that is pre-defined within the implementation of the PDP.
Simon: We should limit the level of recursion to 1 on this.
Simon: Is ebXML a Registry Entry itself?
Suresh: Yes, there is a bootstrapping process.
Suresh: Look for more use cases from the CPC-CPA ebXML efforts.
Phil: Is there a central registry or can organizations create their own private ones?
Suresh: It is private by definition. There is some work ongoing to federate the individual registries.
General discussion about the similarities and differences between ebXML and UDDI. UDDI is global, ebXML is local. The relationship between the two is ambiguous.

12:03 PM
Simon: Agenda bashing.
Jeff Hodges: Wishes to talk about RFC 3060.
Sandilya: How does XACML apply to Web Services?
Phil: Two questions: Will XACML be specified as a Web Service? Can XACML be used to protect Web Services?
Tim Moses: At some point we have to get down to the specifics about the work to be done.
Simon: Hopefully the sub-committees will self-define this work. We should start to define the work items.
Simon: How does our work relate to the other work at OASIS? TREX et al. We will have to decide about how we wish to represent our schema. DTDs, TREX, XML Schema.

Phil: What's wrong with XML Schema?
Simon: Nothing, but we need to make up our mind.
General discussion about TREX and XML Schema.
Phil: XML Schema is a W3C Recommended Spec. TREX is nowhere near.
Gil: SAML uses XML Schema.
Vote Result: XACML will use XML Schema to represent XACML defined constructs.
General discussion about the reasons behind TREX. Who knows?
Suresh: Would like to discuss RFC 2906.
Jeff Hodges: RFC 3060 is more applicable to XACML than is RFCs 2903-2906.
???: Definition of sub-committees.
Simon:
-       Use Case
-       Intellectual Property
-       Standards and Interoperability
-       Protocols & Bindings
-       Representation (Grammar)
-       Security & Privacy
Suresh: Would like to go over the use cases and see if we can pull out any common themes.
12:20 PM Lunch
<Gil Pilz - Domain Model - not recorded here>
[From Ken's Notes]
PIP - Environment Authority (information about environment that you "could" use for policy) Gil thinks should be outside and define environment assertion

Jeff - Is it an Attribute Authority
PRP - How move around policy (protocol)
Simon G - reuse SAML assertion communication mechanism for Policy Retrieval
Simon G - way to express policy query against XACML (different than PDP Yes/No)
Gil - PRP is a persistence layer on top of the database
Gil - PRP job to extract policy from container
Gil - did SAML decide only yes/no? Jeff thinks yes
Should consider if we define language to query the policy in addition to explain policy
PRP Definition (RFC2904 sec 4.4) - specifically for facilitating distributed policy
2905,2906 examples and use cases
Phased Approach: Define Policy Model and Language, How one Queries the Language, How does PDP operate (SAML defines) Is Authz Dec Assert the only kind it can do?

Jeff - Policy Core Information Model defines a concrete implementation of knowledge in terms of an LDAP Schema. Can store Policy Expression in directory using that schema and use LDAP queries to get that out.

LDAP couldn't solve the policy
Misunderstanding query - get me this pile of information from A to B OR let's take a request and evaluate against the policy

2 glossary entries - Query (retrieval) and Query (evaluate)
What about Policy Manipulation? XML Schema so can use XML tools
On conference call said protocol and bindings group would see what is out there and make suggestions.
SG - would like document to state whether we intend to do query in future if not now
Model has to be deterministic
JamCracker has 7 major repositories of policy information
Would like to have management system could look at all repositories and get a unified view
Express I want you to evaluate the policy using "X" evaluation strategy
Conceivable could define independent of that and each implementor has their own implementation strategy.
If not deterministic, then no value to the customer (i.e. Toyota)
Gil idea: Specify language neutral of factors and then outline different modes based on the use cases then it becomes a configuration. Given configuration, it is deterministic

Authorization community uses the term "Metapolicy" which is a policy about policy.  (in spec about "Ponder"?)
Metapolicy tells engine how to interpret certain things
Eval engine and policy in scope
Define families of metapolicies by URI
Defining policy expression language and the language is not deterministically evaluatable without meta policy.
Eval Engine black box
SG - no default metapolicy
Creation of a policy expression language based on a formal model which, when evaluated in the context of a specific metapolicy, will be deterministic. We will at least define 1 metapolicy that is mandatory to implement.

Vendors can write their own metapolicy (no war)
In TLS/SSL - mandatory to implement ciphersuites
Exposure - SAML doesn't cover PIP.
3:20 PM
Tim Moses Entrust Preliminary Proposal
-       <include Tim's presentation>
General discussion about the meaning of the "Sensitivity" value. "Sensitivity" (as Tim is defining it) is related to process of introspection on the protected resource.

Ken Yagen: How do "entitlement attributes" relate to SAML Attribute Assertions? Entitlement attributes are specific instances of Attribute Assertions.

Simon: (Example resource slide) Can the Actions be expanded upon?
Tim: Yes.
Suresh: Policies apply to Actions not Resources. Since you can invent new Actions can you invent new types of policies that apply to those actions?

Tim: Yes.
Simon: Does the policy language presented allow for procedural side effects?
Tim: No.
????: Why use "not-lessOrEqual" instead of "greaterThan".
Tim: No real reason. Perhaps because the current language is logically complete.
????: Is the Entrust proposal the only one on the table?
Simon: He asked for proposals and models some time ago. Everyone is free to submit their proposals to the list.
Simon: Is there some XML language that defines logical expressions? (Reference BPML and BPRL).
All: No.
Tim: We want to start from a base proposal, test it against our requirements and extend as necessary. How do we proceed?

????: We need a formal mechanism for adopting any models
3:49 PM
Pierangela Samarati - Lessons Learned from Twelve Years in Authorization Research
-       <include Pierangela's presentations>
????: Why do you call them Recursive Authorizations?
Simon: They could also be called "Cascading Authorizations".
Suresh: Expand on the authorization types.
Pierangela:
LDH: local DTD hard
RDH: recursive DTD hard
L: local
R: recursive
LD: local DTD
RD: recursive DTD
LS: local soft
RS: recursive soft
????: Why allow IP addresses as part of the Authorization Policy considering you may not be able to obtain it?
All: It may be stupid, but people want it (so there).
Suresh: How much time did it take to develop the example policy?
Pierangela: The example is a toy, so the answer is meaningless.
????: Logical languages are a good vehicle for expressing the maximum range of policies.
All: Yeah, but no one can understand them.
Suresh: Can we obtain pointers to these papers?
4:23 PM
Simon interrupts to finish things that must be done.
Jeff Hodges: RFC 3060
o       Should derive the language from a model that can be accurately described.
o       Should first produce the model using a modeling language
o       <insert 3060 model slide>
o       Is 3060 exactly the model we want to use? Probably not. Does it contain a large amount of the stuff we need to define? Yes.

o       One of the co-authors of 3060 has some significant problems with the model. Jeff can share these.
Simon: Pierangela should provide references to existing work. We should start from an existing model. We should fill in the gaps.

Jeff: We need to seriously research past efforts.
Action Items:
1.      Suresh is Use Case editor. Hand your Use Cases to Suresh within the next two weeks (8/1/2001).
2.      Policy Model formation: post what you know and what you've got. Submit all input models by 7/25/2001. Ernesto is the co-ordinating editor.

7/26 - procedural, timing, schedules
8/9 - Use Case discussion
8/23 - Model discussion
9/6 -
4:44 PM
Michiharu Kudo - XACL, XML Access Control Language
-       <include Michiharu's presentation>
Simon: (slide 16). Provisional actions are not a policy expression, but rather functions that need to be executed?
Michiharu: Yes and no. XACL has no language for expressing complicated provisions, but it could.
Simon: What happens if one of the functions fails?
Michiharu: If decision was "grant" it turns to "deny".
Simon: What happens to the remaining provisional functions?
Michiharu: Roll-back (or something like that)?
????: If the provisional actions were "encrypt then log" and "log" failed due to a full disk, what happens to the encrypt action?

Michiharu: Difficult question. If disk is full we are in a dangerous state?
Fred: Perhaps the whole thing could be viewed as transactional in nature.
Simon: So everything would roll back to its previous state.

Notes taken by Ken Yagen (Gil's notes were more thorough)
Attendance taken (9 members present, 2 on phone, 6 observers)
Meeting counts towards membership, but not against
Have Quorum
Agenda reviewed - no changes
David Parrott (Reuters) Presentation - MPEG 21 Permissioning
MPEG moving to all multimedia data - wide scope intellectual property
Many data types, all with different permissioning models and implementations
Digital Rights Management (DRM) - Managing Rights, Obligations, Audit trails across the entire value chain
Conditions under which access granted? - in Obligations (can be subdivided further)
Permissions - the most you can do with contents
Obligations - The least you must do in order to gain access
Trust Framework needed
Obligations - what is the temporal ordering? Obligation before or after exercising the right? Look in requirements submission to MPEG 21.

"Straight-Through" Rules Processing (Pass rules down from contributors through Reuters to distributors, network service providers and customers)

RML method: specify policies and rules - go out through products and feed into RDBMS, e-commerce admin (directories), exchange, web access, billing, real-time permissioning systems

Division of responsibilities between MPEG and OASIS? Each effort needs to define a scope and is in flux. MPEG moving far away from origins of A/V

How does MPEG org work? Working group of ISO; very formal; 300 members attend meeting; ISO - need to be part of a national standard body

Could we submit a proposed solution to MPEG? May make sense; study CFP that will come out (CFP for Rights Data Dictionary and Rights Expression Language)

Simon - Are we interested in pursuing what MPEG is up to?
Gil - XACML and DRM Scope overlap
Tim - acknowledge existence of requirements and discuss them
Powerpoint presentation will be posted
Fred Moses - Entitlenet HL7 Medical Use Cases Presentation
HL7 - Organization doing health standards work; HL7 Clinical Document Architecture - XML based ANSI standard
Medical Considerations - don't tell patient diagnosis of cancer because I want to tell him gently
HIPAA and other regulations
Simon - HIPAA - 25 Billion dollar rewrite of software
Header - contains reference id based ACL
Body - hierarchical with references to ACLs
Address subject wants to control access - not currently in domain model
P3P - specify preferences and site has P3P policy and intersects with site and see if there is a match; Publisher driven and no enforcement

No unique identifier for people (SSN not one, and people resist; Doctors have a registry)
Insurance Card is sort of an id but not watertight
Also unique identifier for referenced (ie abusive ex spouse)
User should control correlation among systems
In terms of XACML - this is a reported unique identifier; From a representation of policy don't care.
PHB - This uniquely identifies you and you are uniquely identified by this identifier
We know someone's authenticated because SAML tells us so
Protect fact that test occurred, not just the results
PHB - Also monitor who is requesting this (once or 20 times a week)
Physicians have complete access to everything  and thus know about each other
Intent, not just the role of person - what do they intend to do? Audit and logging it is relevant to take action against

May be further restrictions on supplied information to yet another requestor This can be used for this purpose - do we need to be able to express intended use.

SG - Audience in SAML? SAML Audience avoid legal consequences
Higher order rule contains exception that implies another set of rules
Subset of rules to pass down access (republication rights)
What are the rights - what are the context. (location, time, etc)
Within standard preludes - talk about context
Latest version of SAML Schema - URI identifies context of permissions; within it, a set of strings (actions or context?) which is not bounded

How would we interact with HL7?
DRM Use Cases
PHB - Whole concept is wrong - must be linked to payment
EbXML Use Cases - Suresh
Group are sets of users; Roles are sets of privileges
Spell out distinction between roles and groups
Privilege versus Permission - what is the difference
Action Item - Must define difference between group and role
SAML had a similar discussion and chose role to mean group - need to be consistent in glossary
Take in realities of existing systems
Does it refer to AC over execution or posting/deleting to registry? On registry, not execution. Policy definition not stored in registry.

Admin issue use case is missing
How to integrate XACML schema with ebXML registry schema
Bindings for accessing
How to share ACP?
ACP for ACP (XACML would do that because it is XML)
Recursion issue (how far can you go? Or loops on conditions?)
Action Item: ebXML CPP/CPA should have more security use cases; Suresh will look for them
Agenda Bashing -
Jeff -  RFC3060 Core Policy Model
Sandily - Web Services and how XACML will fit?
PHB - Will it be a web service? Can you use it to control Web Services?
Tim - our organization and work items
Simon - How does our work relate to other work at OASIS? schema/grammar representation; SAML uses XML Schema
Propose XACML will use XML Schema to represent XACML constructs; Seconded and debate - no debate, no objections, abstentions; so moved.

Throw our stuff to TREX to see what they would do with it.
Subcommittees - Formalize statement of work for each one. (6 of them)
Prioritize common themes in use cases
Domain Model Discussion
SAML defines assertion and protocol for exchanging them.

Tim Moses - Entrust Presentation based on early standards work in 94-95
XACML Site has link to DTD and Schema
Resource sensitivity - introspection, data inside object
Content Based Access Control example
Entitlement attributes - attributes of a subject relevant to the policy
Actions are not hardcoded; policy is on actions, not just resource
Focused on authorization not just access
Compares properties of subjects and resources
Does not allow procedural side effects (yes you can do this, but only if you can log)
Is there a namespace for logical expressions in XML (BPML? BRML? Financial Reporting Markup Language that is extensible with little namespaces could all use it)

Topic - when to close door to submissions?

Pierangela and Ernesto's Work
Access Control Policy Research
Five-tuple (Subject, object, action, type, +/-)
Performance - DOM is slow, SAX is more efficient, but only have partial view as go along, so cannot enforce authorization based on content not in path or portion you are looking at.

Looking at combination of policies - algebra for combining security policies (metapolicy related?)
Logic-based - must be deterministic so tradeoff of expressiveness and a simple restricted authz language

RFC3060
Derive language from model. An example of a model is 3060 - abstract model of how to do policy. Don't just sit down and write language, but define the model first and test it against use cases, then derive language.

Action Items
Use Case stuff to be done (Suresh is editor)
Simon will put out a couple DRM Use Cases
2 weeks to get use case submissions (August 1)
Suresh will give Admin use case a shot; Gil has some as well.
Policy Model
Identify models aware of and submit background material within 1 week (7/25)
Conference call dedicated to Use Cases (early Aug 9)
Conference call dedicated to Policy Model (late Aug 23)
Policy Model Proposals two weeks later (9/6)
7/26 dates and confirm schedule
Who collects references to input models?
Next Face to Face (2 days) near XML conference in San Jose or East Coast.
Look at language Sept/Oct

Michiharu Presentation on XACL
Provision-based Access Control Model
Provision (encrypt, log, verify, sign, write, delete, etc)
Allow, but all provisional actions must be executed
Deny but all provisional actions must still be executed
If provision action fails, stop/rollback and deny
XACML include a subschema that supports triplet (subject, object, action) like XACL does.

Motion to adjourn
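
Two design points argued in both sets of notes above, as an added example in Python: a policy language whose rule set is only deterministically evaluatable once a metapolicy (the combining rule, named by URI, with no default) is fixed, and XACL-style provisional actions that are executed all-or-nothing, so that a failed provision (the "encrypt then log, log fails on a full disk" case) is rolled back and a grant turns into a deny. This is not code from the minutes, from XACML or from XACL; the rule set, the `urn:example:` metapolicy URIs, the `Request`/`Rule`/`Enforcer` names and the "disk full" failure are constructed for illustration.

```python
"""Toy PDP/PEP illustrating (1) deterministic evaluation only under a named
metapolicy and (2) transactional provisional actions.  Added example, not
XACML/XACL code; every identifier and the sample rule set are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    subject: Dict[str, str]   # e.g. {"role": "physician"}, as a SAML attribute would supply
    resource: str             # e.g. "record/123/hiv-test"
    action: str               # e.g. "read"


@dataclass
class Rule:
    """If `target` matches the request the rule yields `effect`, and its
    `provisions` (named side effects such as log/encrypt) become due."""
    target: Callable[[Request], bool]
    effect: str
    provisions: List[str] = field(default_factory=list)


# Metapolicies: how the effects of conflicting matched rules are combined.
# Each is named by a constructed URI; deliberately there is no default.
def deny_overrides(effects: List[str]) -> str:
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE


def permit_overrides(effects: List[str]) -> str:
    if PERMIT in effects:
        return PERMIT
    return DENY if DENY in effects else NOT_APPLICABLE


def first_applicable(effects: List[str]) -> str:
    return effects[0] if effects else NOT_APPLICABLE


METAPOLICIES = {
    "urn:example:metapolicy:deny-overrides": deny_overrides,
    "urn:example:metapolicy:permit-overrides": permit_overrides,
    "urn:example:metapolicy:first-applicable": first_applicable,
}


def evaluate(rules: List[Rule], req: Request, metapolicy: str) -> Tuple[str, List[str]]:
    """PDP step: collect matching rules, combine their effects under the named
    metapolicy, return the decision and the provisions owed by the rules that
    produced it.  An unknown metapolicy raises KeyError rather than guessing."""
    combine = METAPOLICIES[metapolicy]
    matched = [r for r in rules if r.target(req)]
    decision = combine([r.effect for r in matched])
    provisions = [p for r in matched if r.effect == decision for p in r.provisions]
    return decision, provisions


class ProvisionFailed(Exception):
    pass


@dataclass
class Enforcer:
    """PEP step: run provisional actions transactionally.  `state` stands in
    for the actions' effects; `disk_full` is a constructed failure of `log`."""
    state: List[str] = field(default_factory=list)
    disk_full: bool = False

    def _encrypt(self) -> None:
        self.state.append("encrypted")

    def _log(self) -> None:
        if self.disk_full:
            raise ProvisionFailed("log: disk full")
        self.state.append("logged")

    def enforce(self, decision: str, provisions: List[str]) -> str:
        """Provisions run for Permit and Deny alike; if any fails, undo the
        ones already applied and the answer is Deny."""
        handlers = {"encrypt": self._encrypt, "log": self._log}
        snapshot = list(self.state)
        try:
            for name in provisions:          # in the order the policy listed them
                handlers[name]()
        except ProvisionFailed:
            self.state = snapshot            # roll back e.g. the encrypt that already ran
            return DENY
        return decision


# Constructed rule set: physicians and billing may read records (encrypt + log);
# anyone but a physician is denied HIV test data (log the attempt).
RULES = [
    Rule(lambda r: r.action == "read" and r.subject.get("role") in ("physician", "billing"),
         PERMIT, ["encrypt", "log"]),
    Rule(lambda r: "hiv-test" in r.resource and r.subject.get("role") != "physician",
         DENY, ["log"]),
]
BILLING_HIV = Request({"role": "billing"}, "record/123/hiv-test", "read")
PHYSICIAN_HIV = Request({"role": "physician"}, "record/123/hiv-test", "read")

if __name__ == "__main__":
    for uri in METAPOLICIES:   # same rules, same request, three different answers
        print(uri, evaluate(RULES, BILLING_HIV, uri)[0])
    decision, due = evaluate(RULES, PHYSICIAN_HIV, "urn:example:metapolicy:deny-overrides")
    print(Enforcer().enforce(decision, due), Enforcer(disk_full=True).enforce(decision, due))
```

The billing request matches both rules, so the three metapolicies return three different decisions from one rule set; only naming the metapolicy makes the outcome deterministic, which is why the notes insist on at least one mandatory-to-implement metapolicy and no silent default. The physician request is permitted with "encrypt then log" due; when the log write fails the encryption already applied is undone and the caller sees Deny, the behaviour Michiharu described for a failed provision.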

Attachment: XACML FTF1 Minutes 071801.doc