Subject: [xacml] minutes of feb 04 telecon
Hi, apologizing for the delay, I am sending the minutes of the policy subcommittee concall of Monday Feb 04.
best
-p

============================================================
MINUTES OF THE POLICY MODEL SUBCOMMITTEE (MONDAY, JAN. 14 2002)
===============================================================

PRESENT
* Carlisle Adams (Entrust)
* Anne Anderson (Sun)
* Ernesto Damiani (Unimi)
* Simon Godik (Crosslogix)
* Polar Humenn
* Michiharu Kudoh (IBM)
* Hal Lockhart (Entegrity)
* Tim Moses (Entrust)
* Pierangela Samarati (Unimi)
* Yu
---------------------------------------------------------------

Tim reports that he is preparing version v.0.9 of the XACML_language_specification document incorporating the changes agreed at the F2F meeting held in LA.

The discussion on the concall centers around the problem of policy composition and on the evaluation of boolean expressions on policies. It was quite a complex discussion that pointed out the possible need to rethink (or to better define) some of the current solution. Below are the main points addressed.

Issues addressed:

- Definition and purpose of TARGET. There seems to be some confusion, at least in the mind of the scribe ;-) but it seems to be shared by others, on the concept and the use of target. Carlisle points out that the target essentially represents a ``condition'' on the access requests to which the attached policy refers, and thus it provides a way to avoid going into the evaluation of policies that do not apply to the request. Intuitively, a target is like a condition that should have appeared in AND with the others in all the rules in the attached policy. Hal says that target can be useful in many real-life situations for specifying policies, as the administrator explicitly states to what set of accesses a set of rules applies.

- Outcome of policies and their combination. Proceeding with the discussion started at the F2F meeting, it is noted that the outcome of policies is not only YES or NO but can have an alternative ``not applicable'' value; to this another possible value, ``error'', seems to be needed. Anne also reports on her proposal (previously circulated via email) about the use of an ``if ... then ...'' rule for expressing policies. In her proposal the ``IF'' identifies the request to which a rule applies; if a request satisfies that, then if the boolean expression in the THEN part is satisfied the response is ``allow'', otherwise it is ``deny''. If the IF part is not satisfied the response should be ``not applicable''. There is a discussion on what ``not applicable'' means. Hal points out the need for a default policy, to be applied if no target applies to the request. Tim points out that if the PEP sends a request to the PDP the PDP should return an error. Hal says that SAML would return a msg saying "indetermined status". Ernesto proposes defining an order on these values so that boolean operators can be applied as usual (AND and OR retain the usual behavior as long as the values on which they operate are organized in a lattice). The discussion proceeds on the different types of values and on what the intended combination should be. For instance, what should be the result of ``not applicable'' AND ``true''? The multivalue scheme that Ernesto is thinking of captures 4 values: false, true, lack of information, and not applicable. Ernesto and Polar say they will be thinking more about a possible lattice. Pierangela notes that there appears to be confusion in the policy combination since the current proposal does not distinguish between predicate evaluation and policy outcome. A predicate (i.e., one condition appearing in a rule) can evaluate to either ``false'', ``true'' or ``notknown'' (in case the attribute is not provided). A policy can instead provide answers like ``allow'', ``deny'' or ``don't care''. The way we deal with ``notknown'' predicate evaluation and ``don't care'' policy decisions should not be the same. It might be possible to combine predicate evaluation and policy evaluation (as Anne notes, policies can be nested, so a policy could appear where a predicate can) but we must be careful on how we combine them. Also, ``don't care'' in a policy decision means that we allow a policy to speak out in three different ways (and we should have a way to express that); this is independent from the ``notknown'' in the predicate evaluation.

- It is noted that one problem to be careful about is overlapping targets. It might be that there is a clear semantics about boolean expressions within a target, but what if targets overlap? How is the boolean expression associated with one target combined with the one associated with the other?

Action: think along the discussion to clarify to ourselves the issues raised in the discussion towards constructive proposals for the next concall (Monday Feb. 11).
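The following toy evaluator is an added illustration of the distinctions drawn on the call; it is not code from the minutes, from any participant, or from the XACML specification. It keeps predicate truth values (true / false / notknown) separate from policy outcomes (allow / deny / not applicable / indeterminate), treats a target as a condition that gates the rules, and implements Anne's IF ... THEN rule form with "not applicable" when the IF part fails. The three-valued ordering used for AND/OR (false < notknown < true, i.e. Kleene logic), the "indeterminate" answer when a target or THEN part is notknown, the first-applicable rule combination, and the per-policy default are all assumptions made here to make the example concrete; the attribute names and the sample policy are constructed.

```python
from enum import Enum


class Tri(Enum):
    """Result of evaluating one predicate. Ordered FALSE < UNKNOWN < TRUE
    so that AND is min and OR is max on the lattice (an assumption)."""
    FALSE = 0
    UNKNOWN = 1   # "notknown": the attribute was not provided in the request
    TRUE = 2


def tri_and(a, b):
    return Tri(min(a.value, b.value))


def tri_or(a, b):
    return Tri(max(a.value, b.value))


def tri_not(a):
    return Tri(2 - a.value)   # UNKNOWN stays UNKNOWN


class Outcome(Enum):
    """Answer of a rule or policy, kept distinct from predicate values."""
    ALLOW = "allow"
    DENY = "deny"
    NOT_APPLICABLE = "not applicable"
    INDETERMINATE = "indeterminate"   # the "error" value discussed on the call


def eval_predicate(pred, request):
    """pred is (attribute, operator, expected); a missing attribute is notknown."""
    attr, op, expected = pred
    if attr not in request:
        return Tri.UNKNOWN
    actual = request[attr]
    if op == "==":
        return Tri.TRUE if actual == expected else Tri.FALSE
    if op == "in":
        return Tri.TRUE if actual in expected else Tri.FALSE
    raise ValueError("unsupported operator: " + op)


def eval_condition(cond, request):
    """cond is a predicate tuple or ("and"|"or"|"not", sub-conditions...).
    Attribute names must not collide with the connective keywords."""
    if cond[0] == "and":
        result = Tri.TRUE
        for sub in cond[1:]:
            result = tri_and(result, eval_condition(sub, request))
        return result
    if cond[0] == "or":
        result = Tri.FALSE
        for sub in cond[1:]:
            result = tri_or(result, eval_condition(sub, request))
        return result
    if cond[0] == "not":
        return tri_not(eval_condition(cond[1], request))
    return eval_predicate(cond, request)


def eval_rule(rule, request):
    """IF ... THEN form: the IF part (a list of predicates, ANDed) selects the
    requests the rule speaks about; the THEN expression decides allow or deny."""
    target = eval_condition(("and",) + tuple(rule["if"]), request)
    if target is Tri.FALSE:
        return Outcome.NOT_APPLICABLE
    if target is Tri.UNKNOWN:
        return Outcome.INDETERMINATE   # assumption: cannot tell whether the rule applies
    then = eval_condition(rule["then"], request)
    if then is Tri.TRUE:
        return Outcome.ALLOW
    if then is Tri.FALSE:
        return Outcome.DENY
    return Outcome.INDETERMINATE


def eval_policy(policy, request):
    """The policy target gates every rule (like a condition ANDed into each).
    Assumed combination: the first rule that is not NOT_APPLICABLE decides;
    the policy default answers when no rule speaks (Hal's default policy)."""
    target = eval_condition(("and",) + tuple(policy["target"]), request)
    if target is Tri.FALSE:
        return Outcome.NOT_APPLICABLE
    if target is Tri.UNKNOWN:
        return Outcome.INDETERMINATE
    for rule in policy["rules"]:
        outcome = eval_rule(rule, request)
        if outcome is not Outcome.NOT_APPLICABLE:
            return outcome
    return policy.get("default", Outcome.NOT_APPLICABLE)


# Constructed sample policy for a hypothetical "payroll" resource.
PAYROLL_POLICY = {
    "target": [("resource", "==", "payroll")],
    "rules": [
        {"if": [("action", "==", "read")],
         "then": ("or", ("role", "in", ("hr", "manager")),
                        ("and", ("role", "==", "employee"), ("self", "==", True)))},
        {"if": [("action", "==", "write")],
         "then": ("role", "==", "hr")},
    ],
    "default": Outcome.DENY,
}

if __name__ == "__main__":
    for req in [
        {"resource": "payroll", "action": "read", "role": "hr"},
        {"resource": "payroll", "action": "read", "role": "employee"},   # "self" missing
        {"resource": "calendar", "action": "read", "role": "hr"},
    ]:
        print(req, "->", eval_policy(PAYROLL_POLICY, req).value)
```

The second sample request shows the point Pierangela makes: an employee reading payroll without the `self` attribute yields a notknown predicate, which surfaces as an indeterminate policy answer rather than being silently folded into deny or into "not applicable", whereas a request for a different resource is simply outside the target.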