Minutes of the XACML Face To Face, 2001-07-18

["Simon Y. Blackwell" <sblackwell@psoom.com>]

Here are the complete minutes. My thanks again to all that participated.
Review these and you will see we covered a huge amount of ground for one
day. I think we'll need two days for the next face-to-face. We missed some
valuable stuff from Pierangela and Michiharu due to the time squeeze at the
end.

----------------------------------------------------------------------------
---------------

Minutes of the XACML Face To Face, July 18th, 2001
Sofitel San Francisco Bay, Redwood City, California, USA

Summary

Upon query at close most participants were of the opinion the meeting was
productive. The relationship of XACML to digital rights management came up
several times. Use case discussions regarding health care and ebXML were
fruitful, but more work is needed. The importance of distinguishing between
"roles" and "groups" was uncovered. After a brief discussion of TREX, there
was a binding vote to use the W3C XML Schema specification for the
specification of XACML. The domain model was discussed in detail. The
importance of "meta policy" to ensure predictable policy behavior across
vendors was uncovered. The importance of a glossary and well defined terms
was evident most of the day, e.g. the general use of the term "query" can
result in confusion since there is a distinction between "querying for an
access decision" and "querying for a policy specification". Clarification of
scope for XACML v1.0 was pursued along with the creation of a calendar of
deliverables and meeting agendas, i.e. August 1st use case submission,
August 9th use case discussion, August 23rd policy model discussion,
September 9th policy model proposals. These were pushed out for vote during
the July 26th conference call due to lack of a quorum in the afternoon.
Discussion was also initiated regarding plans for the next face to face.
Further discussion was scheduled for the next conference call.

Raw minutes as authored by Ken Yagen and Gilbert Pilz can be found at
http://lists.oasis-open.org/archives/xacml/200107/msg00033.html.

Action Items

Post MPEG links to list - Dave Parrott (done by Thomas Hardjono)
Explore OASIS/MPEG or ISO co-operation - Simon Blackwell
Start list thread on roles vs. groups - Simon Blackwell (done)
Advise TREX TC of W3C Schema vs. TREX decision - Simon Blackwell
Post presentations to list - Dave Parrott, Fred Modes, Suresh Damodaran,
Pierangela Samarati (done)
Post 3060 issues from co-author to list - Jeff Hodges
Look into admin use cases - Suresh Damodaran and Gilbert Pilz
Consolidate policy model info - Simon Blackwell (I have enlisted Ernesto to
support me in this)  
Discuss calendar on July 26th conference call - All (done)

Details

09:00 Roll Call (Ken Yagen)

9 Voting Members Present 
Ken Yagen, Crosslogix 
Fred Moses, Entitlenet 
Joe Pato, HP (Late)
Gilbert Pilz, Jamcracker 
Jeff Hodges, Oblix 
Simon Blackwell, Psoom
Bill Parducci, Self 
Suresh Damodaran, SterlingCommerce 
Philip Hallam-Baker, Verisign 
Tim Moses, Entrust 

3 Voting Members Via Phone 
Carlisle Adams, Entrust (Voting as of this meeting)
David Parrott, Reuters 
Michiharu Kudoh, IBM

Probationary Members Present
Sandilya Garimella, BEA 
Pierangela Samarati, U.Milan

Observers 
Gary Ellison, Sun Microsystems 
Mohnish Harisiganey, Crosslogix 
Simon Godik, Crosslogix 
Mingde Xu, Crosslogix 
Frank Chum, Psoom 
Merlin Hughes, Baltimore 
 
09:05 Opening Remarks and Agenda Review (Simon Blackwell)

Thanks to Crosslogix (Note: it's cheaper to sponsor than it is to fly to
Texas).
 
Meeting counts towards membership, but not against. Probationary members
meeting membership requirements as a result of attendance today can vote.
Hence, we have a quorum.

09:00-09:15   Roll call & welcome (Simon Blackwell)
09:15-10:00   Reuter's Requirements For DRM (Dave Parrott)
10:00-10:45   Health Care Use Cases (Fred Moses)
10:45-11:00   Break
11:00-11:45   DRM Use Cases (Philip Hallam-Baker/Thomas Hardjono)
11:45-12:30   ebXML Use Cases (Suresh Damodaran)
12:30-13:30   Un-hosted lunch
13:30-14:15   Use Case Session 4 (Open)
14:15-15:00   Domain Model (Gilbert Pilz)
15:00-15:15   Break
15:15-16:00   Entrust Preliminary Proposal (Tim Moses)
16:00-16:45   TBD (Pierangela Samarati), XACL (Michiharu Kudo)
16:45-17:00   Closing Remarks

Agenda accepted with no changes

9:10  Report on Reuter's Requirements For DRM (Dave Parrott)

MPEG-21 is standardizing content protection mechanisms. See Reuter's
Requirements in the document repository
http://www.oasis-open.org/committees/xacml/docs/response-v1.0-public.doc and
the presentation in the list archives
http://lists.oasis-open.org/archives/xacml/200107/msg00026.html.

Dave Parrott clarified "obligations" as a result of questions. "Obligations"
are conditions on access. They may be the set of circumstances required to
allow access or the set of circumstances required post access, e.g. You must
include my branding info when you display this data. "Obligations" imply no
sense of temporal ordering. Obligations could have been distinguished by
name between pre-conditions that must be satisfied to obtain access and
post-conditions that must be satisfied after access has been granted, but
they weren't.
 
A general discussion of the nature of MPEG ensued. MPEG-21s boundaries like
that of other work, e.g. XKMS, are not yet well defined. MPEG is part of ISO
so their activities are bounded by ISO. It is very formal and very active.
It meets four times per year, plus has a large number of ad hoc meetings.
Currently there is MPEG-4, MPEG-7, and MPEG-21. Requirements are solicited
from the members, a request for proposal is released and final features are
cherry picked. No formal membership relationship between MPEG and OASIS due
to ISO membership requirements.

This was followed by a discussion of how to co-operate with MPEG. It was
suggested we submit XACML for consideration as part of the standard. Some
general uneasiness was expressed due to the size and formal nature of MPEG.
Simon Blackwell said he would pursue how OASIS can co-operate with ISO/MPEG
through OASIS management. Dave Parrott said he would post to the list links
to MPEG-21 requirements when they are officially published.

A discussion of whether or not DRM is in scope ensued and was tabled in the
interest of time.

10:04 Health Care Use Cases (Fred Moses)

Slides available at
http://lists.oasis-open.org/archives/xacml/200107/msg00050.html. (The link
in the document archives is currently broken).

Simon Blackwell made a point about how important medical work is. The Health
Insurance Portability And Accountability Act has a lot of security
provisions and is estimated to cause a $25,000,000,000 re-write of existing
systems.

A general discussion ensued regarding the "broken" nature of HL7s current
security. This included discussion of the need for/problems with global
identifiers. P3P also came up. Simon Blackwell pointed out that P3P is about
publishers saying what they will do with information that is collected, it
is not about enforcement of data subject preferences after data is
collected.

Discussion with respect to specific slides led to these further comments:

- The fact that the HIV test occurred at all, not just its result, is a
piece of information that needs to be protected.
- The frequency and type of authorization attempts is information that needs
to be captured and monitored.
- The European Privacy guide speaks a lot about intent. Its not simply a
matter of what you did, but what you intended to do.  
(Post Meeting Notes Enhancement: See
http://sansone.crema.unimi.it/~samarati/Papers/sec01.ps in which Pierangela
Samarati discusses the issue of intent.)
- Unless rules follow the data when the restrictions are overridden there is
no way for the entity that obtained the data to comply with the
restrictions. This brings us back to work that has been done in the DRM
space.

A broader discussion about whether "overrides" should be handled with the
Authorization Model or whether they should be considered to be out-of-band
and not covered in the Authorization Model ensued. Gilbert Pilz pointed out
that overrides are just "higher order" rules that contain exceptions that
reference other rules.

Bill Parducci asked if we need to worry about nested sub-access schemes
where, for instance, the billing personnel have access to one level of
information and they, in turn, grant rights to the mailing personnel for an
even smaller subset of the information. Simon Blackwell pointed out this
brings us back to the DRM space again with the "re-publish rights" problem.

This lead to discussion of whether we specify the kinds of rights and types
of contexts parameters available or do we leave this open. Consensus
appeared to be that we layer our specification and provide some general
common set of rights but provide for its extension. SAML is doing something
similar with URIs.

Simon Blackwell also introduced the issue of intent, not just the role of
person - what do they intend to do? Although intent may be something that
can't be effectively managed at a PEP, audit and logging info can be used
for post actions.

10:48 AM Break 

11:04 Health Care Use Cases (continued)

A brief discussion of how to co-ordinate with HL7 ensued with no definitive
result. Anyone can join HL7 and they have a very active security contingent.

11:07 DRM Use Cases (Philip Hallam-Baker)

Philip Hallam-Baker was not prepared to discuss this topic as a result of a
communication error on the part of the chair, Simon Blackwell, prior to the
meeting. He did comment that "DRM is completely wrong. Instead of trying to
protect content they should concentrate on payment." A brief discussion of
the concept "DRM" ensued, wherein it was pointed out that Reuter's also
finds the term somewhat misleading since it should be called "digital rights
enforcement."

11:09 ebXML Use Cases (Suresh Damodaran)

There were not slides. A document was circulated and is now available in the
repository at
http://www.oasis-open.org/committees/xacml/docs/Registry-Usecase-report.doc.

Gilbert Pilz asked for clarification on the difference between Role and
Group. Several opinions were voiced. 
Roles are attributes of a Principal. Groups are collections of Principals
(Suresh). There is no real semantic distinction between Roles and Groups
(Phillip Hallam-Baker). Groups are sets of users. Roles are sets of
privileges. Roles can be activated dynamically. A user can choose to take on
a Role whereas they cannot choose to be or not be a member of a Group
(Pierangela Samarati). There was agreement to continue the discussion on the
list and ensure that we remain consistent with SAML.

Gilbert Pilz asked "How do you know whether a particular method requires
"read" or "write" access/permission?" Suresh Damodaran responded that "read"
means the "read method", "write" means the "write method". This presupposes
that all objects implement methods called "read" and "write". This evolved
into a somewhat confusing discussion that resulted from a lack of
distinction in language between what ebXML supports for providing access
controls on adding, modifying, or deleting entries in the registry versus
access control on the execution of processes defined by entries in the
registry. Gilbert Pilz pointed out that CORBA solves the later by providing
another level of indirection that relates the rights required to execute a
given method. However, it became clear that the use cases under discussion
relate to the former, i.e. access control on using the registry itself.

Philip Hallam-Baker pointed out the need for an administration used case,
i.e. how does one administer policies. This resulted in a discussion of
"policies about policy access". Gilbert Pilz pointed out this could create
an infinite recursion. Consensus was reached that some "root" access control
policy needs to be defined to prevent this. Suresh Damodaran pointed out
this is part of the means by which ebXML registries can bootstrap
themselves.

12:03 Agenda Bashing (Simon Blackwell)

Jeff Hodges: Wishes to talk about RFC 3060. 
Sandilya: How does XACML apply to Web Services? 
Phil: Two questions: Will XACML be specified as a Web Service? Can XACML be
used to protect Web Services? 
Tim Moses: At some point we have to get down to the specifics about the work
to be done. 
Simon: I had hoped the sub-committees would self-define this work. However,
this has not happened, so we should start to define the work items. 

A comment by Simon Blackwell "How does our work relate to the other work at
OASIS? TREX et. al. We will have to decide about how we wish to represent
our schema, DTD's, TREX, XML Schema," lead to a short discussion regarding
this topic. It was pointed out that SAML uses W3C XML Schema and TREX is no
where near a standard yet. After this there was a vote that carried with no
abstentions or objections to adopt the W3C XML Schema specification for
XACML use. Simon Blackwell said he would notify the TREX TC.

Suresh: Would like to discuss RFC 2906. 
Suresh: Would like to go over the use cases and see if we can pull out any
common themes. 

12:20 Lunch 

13:45 Domain Model (Gilbert Pilz)

The current domain model is located at 

Initial discussion focused on clarifying what is in or out of scope. Policy
Information Point (Environment Authority) should be out of scope. Policy
Retrieval Point may be in scope from a protocol perspective since it
actually stores policies, e.g. stuff represented by XACML. PRP is defined in
RFC2904.

A separate topic of import, although more related to policy representation
directly than a domain model, came up. Will SAML  support more than a yes/no
decision from a PDP. The current thought is that it will only support
yes/no.

This lead to a more detailed discussion of the scope for XACML v1.0, i.e.
should it be constrained to the definition of just a grammar. There seemed
to be consensus that it should, but no vote could be taken due to lack of
quorum in the afternoon. Surrounding this was a discussion of querying a PDP
that got quite confusing given different uses for the term query. This was
resolved when it was made clear that there are at least these two
alternatives: "querying for an access decision" and "querying for a policy
specification".

The question also arose as to whether we should define a means to manipulate
policies. Consensus was that existing tools, i.e. XPath, XSLT, are adequate.

Next, Simon Godik brought up the issue of determinism, i.e. the same set of
policies interpreted by two vendor implementations may have different
results. Although there was some initial disagreement about how to avoid
this, consensus was that this needs to be avoided to promote
interoperability and standards acceptance. An extended conversation about
"meta policies" then ensued. Gilbert Pilz proposed slight modifications to
the domain model that made explicit the concepts of evaluation engine and
meta-policy. Jeff Hodges proposed that at a minimum we specify one
meta-policy that is a must implement part of the specification. He also
pointed out that the Ponder language makes use of meta-policy. The
conversation continued for some time with discussions about types of
meta-policies and strategies for incorporating them into XACML. This lead
back to XACML v1.0 scope discussions. The chair had to call the conversation
to a close in the interest of time since the meeting was now running late.
The topic was tabled for discussion during the next conference call with a
summary proposal that XACML v1.0 focus on "Creation of a policy expression
language based on a formal model that which when evaluated in the context of
a specific metapolicy will be deterministic. We will at least define 1
metapolicy that is mandatory to implement." .

15:20 Entrust Preliminary Proposal (Tim Moses)

The proposal can be found at
http://www.oasis-open.org/committees/xacml/docs/xacmlprop.doc.

Tim Moses - Entrust Presentation based on early standards work in 1994-95.
Specific comparisons made to and mechanisms provided for moving beyond the
subject,object,action triple. These include considering attributes of the
subject at runtime within the policy, i.e. free variables; resource
sensitivity ala military object partitioning, comparing properties of
subject and objects or even subjects relative to other subjects. Much of the
attribute oriented information can be mapped back to SAML work and various
attribute authorities in the domain model. In was noted that the logical
expressions within the language are somewhat limited, e.g. there is a
lessOrEqual but no greatThan. Tim Moses pointed out that they are logically
complete and could easily be extended. It was also noted that several XML
specifications are in need of logical expressions and Simon Blackwell asked
if anyone new of specification work focused just on logical expressions.

Simon Godik asked if the Entrust proposal is the only one on the table?
Simon Blackwell said it is but that he asked for proposals and models some
time ago. Everyone is free to submit their proposals to the list. There has
been no formal process for adoption defined yet. Tim Moses pointed out we
need a process to take a base proposal, test it against our requirements and
extend as  necessary. How do we proceed? Due to time constraints this topic
was not pursued.

15:50 Lessons Learned from Twelve Years in Authorization Research
(Pierangela Samarati)

A large number of references from Pierangela Samarati can be found at
http://www.oasis-open.org/committees/xacml/docs/docs.shtml.

The group was becoming increasingly pressed for time. Pierangela had a large
amount of research to present and ran through it very quickly. The reader of
these notes is encouraged to review the references above since many diagrams
and formulas were extracted directly from them. Many issues related to
policy conflict resolution were addressed at both a theoretic/algebraic and
visual/practical level. IP addresses showed up as an intrinsic part of one
mechanism, which was a point of concern since they are unreliable for
security purposes. However, it was pointed out that user's do implement
policy with them and do expect them to be present and we do need to pay
attention to satisfy users. It was noted that much of the work is
represented in logic languages and therefore somewhat un-approachable by
users and would take a long time to develop into a specification. Ernest
Damiania, a peer of Pierangela, granted the need for an XACML v1.0 that is
approachable, but reserved that the ability to do formal proofs in the
future could be valuable. There seemed to be some consensus on this.

Simon had to close of conversation in the interest of time.

16:23 RFC3060 (Jeff Hodges)

RFC3030 can be found at http://www.ietf.org/rfc/rfc3060.txt.

Jeff Hodges prefaced his comments by saying we need to derive our language
from a model that can be accurately described. We should first produce the
model using a modeling language. He commented that although 3060 is not
perfect and is probably not the model we want to use, it is a good example
and contains lots of useful information. He noted that one of the co-authors
of 3060 has some significant problems with the model. He said he would look
into getting these posted to the list. Simon Blackwell asked that Pierangela
provide references to existing work given her extensive background. 

This led to a discussion of schedules for deliverables for review and
conference call agendas, i.e. 

1. All policy model references to be submitted to the list by 2001-07-25.
(Note, this was revised to 2001-08-01 on the July 26th conference call)
2. Concall on 2001-07-26 to cover schedule issues
3. All use case proposals to be submitted to the list by 2001-08-01
4. Concall on 2001-08-09 to cover use cases
5. Concall on 2001-08-23 to cover policy models
6. Policy model proposals due 2001-09-06

16:44 PM XACL, XML Access Control Language (Michiharu Kudo)

Michiharu's slides can be found at
http://www.oasis-open.org/committees/xacml/docs/XACL.zip. XACL info can also
be found at http://www.trl.ibm.com/projects/xml/xacl/index.htm and
http://alphaworks.ibm.com/tech/xmlsecuritysuite.

XACL uses the fairly standard triplet (subject, object, action) plus adds
the of "provisional actions", functions that need to be executed when the
right granted by the policy is executed. He suggested that XACML should at a
minimum provide support for policy representations using the "standard"
approach without requiring additional functionality.

17:15 Meeting adjourned


------------------------------------------------------------------
To unsubscribe from this elist send a message with the single word
"unsubscribe" in the body to: xacml-request@lists.oasis-open.org

Simon Y. Blackwell 
CTO 
Psoom, Inc. 
Voice & Fax: 415-762-9787