Subject: [xacml] minutes of feb 04 telecon


Hi,

Apologizing for the delay, I am sending the minutes of the policy
subcommittee concall of Monday Feb 04.

best
-p
============================================================

MINUTES OF THE POLICY MODEL SUBCOMMITTEE (MONDAY, JAN. 14 2002)
===============================================================

PRESENT
* Carlisle Adams (Entrust)
* Anne Anderson (Sun) 
* Ernesto Damiani (Unimi)
* Simon Godik (Crosslogix)
* Polar Humenn
* Michiharu Kudoh (IBM)
* Hal Lockhart (Entegrity)
* Tim Moses (Entrust)
* Pierangela Samarati (Unimi)
* Yu 

---------------------------------------------------------------

Tim reports that he is preparing version v.0.9 of the
XACML_language_specification document incorporating the changes agreed
at the F2F meeting held in LA.

The discussion on the concall centers around the problem of policy
composition and on the evaluation of boolean expressions on
policies. It was quite a complex discussion that pointed out the
possible need to rethink (or to better define) some of the current
solution. Below are the main points addressed.

Issues addressed:

- definition and purpose of TARGET. There seems to be some confusion,
  at least in the mind of the scribe ;-) but it seems to be shared by
  others, on the concept and the use of target. Carlisle points out
  that the target essentially represents a ``condition'' on the access
  requests to which the attached policy refers and thus it provides a
  way to avoid going into the evaluation of policies that do not apply
  to the request. Intuitively, a target is like a condition that
  should have appeared in AND with the others in all the rules in the
  attached policy. Hal says that a target can be useful in many real
  life situations for specifying policies, as the administrator
  explicitly states to what set of accesses a set of rules applies.

- outcome of policies and their combination. Proceeding with the
  discussion started at the F2F meeting, it is noted that the outcome
  of policies is not only YES or NO but can have an alternative ``not
  applicable'' value; in addition, another possible value ``error''
  seems to be needed. Anne also reports on her proposal (previously
  circulated via email) about the use of an ``if ... then'' rule for
  expressing policies. In her proposal the ``IF'' identifies the
  request to which a rule applies; if a request satisfies that, then
  if the boolean expression in the THEN part is satisfied the response
  is ``allow'', otherwise it is ``deny''. If the IF part is not
  satisfied the response should be ``not applicable''. There is a
  discussion on what ``not applicable'' means. Hal points out the need
  for a default policy, to be applied if no target applies to the
  request. Tim points out that if the PEP sends a request to the PDP
  the PDP should return an error. Hal says that SAML would return a
  msg saying "indetermined status". Ernesto proposes defining an order
  on these values so that boolean operators can be applied as usual
  (AND and OR retain the usual behavior as long as the values on which
  they operate are organized in a lattice). The discussion proceeds on
  the different types of values and on what the intended combination
  should be. For instance, what should be the result between ``not
  applicable'' AND ``true''? The multivalue scheme that Ernesto is
  thinking of captures 4 values: false, true, lack of information, and
  not applicable. Ernesto and Polar say they will be thinking more
  about a possible lattice. Pierangela notes that there appears to be
  confusion in the policy combination since the current proposal does
  not distinguish between predicate evaluation and policy outcome. A
  predicate (i.e., one condition appearing in a rule) can either
  evaluate to ``false'', ``true'' or ``notknown'' (in case the
  attribute is not provided). A policy can instead provide answers
  like ``allow'', ``deny'' or ``don't care''. The way we deal with
  ``notknown'' predicate evaluation and ``don't care'' policy decisions
  should not be the same. It might be possible to combine predicate
  evaluation and policy evaluation (as Anne notes, policies can be
  nested, so a policy could appear where a predicate can) but we must
  be careful about how we combine them. Also, ``don't care'' in a
  policy decision means that we allow a policy to speak out in three
  different ways (and we should have a way to express that); this is
  independent from the ``notknown'' in the predicate evaluation.

- it is noted that one problem to be careful about is overlapping
  targets. It might be that there is a clear semantics for boolean
  expressions within a target, but what if targets overlap? How is the
  boolean expression associated with one target combined with the one
  associated with the other?

Action: think along the lines of the discussion to clarify to
ourselves the issues raised, towards constructive proposals for the
next concall (Monday Feb. 11).
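The semantics debated above (Anne's IF/THEN rule giving allow, deny or not applicable; Ernesto's lattice so that AND and OR keep their usual meaning; Pierangela's point that predicate values and policy outcomes are separate value sets; Hal's default when no target applies) can be made concrete in a few dozen lines. The following is an added toy evaluator written for these minutes, not code from the XACML TC or the specification. It assumes: a three-valued predicate logic (false < unknown < true, strong Kleene AND/OR), rules whose target is the IF part and whose condition is the THEN part, and a hypothetical combining step in which an error surfaces before deny and deny before allow. The requests and attribute names are constructed sample data.

```python
"""Toy evaluator for the target/rule/outcome semantics discussed in the
minutes.  Added illustration; not XACML TC code.  Assumptions: strong
Kleene three-valued predicates, an IF/THEN rule shape, and a hypothetical
combining order error > deny > allow among applicable rules."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class Tri(Enum):
    """Predicate value.  A missing attribute yields UNKNOWN, never a guess.
    The integer order FALSE < UNKNOWN < TRUE is the lattice: AND is the
    minimum, OR is the maximum, so the usual boolean laws still hold."""
    FALSE = 0
    UNKNOWN = 1
    TRUE = 2


def and3(a: Tri, b: Tri) -> Tri:
    return min(a, b, key=lambda t: t.value)


def or3(a: Tri, b: Tri) -> Tri:
    return max(a, b, key=lambda t: t.value)


class Decision(Enum):
    """Outcome of a rule or policy.  Deliberately a different type from
    Tri: ``not applicable AND true`` is a type confusion, not a question."""
    ALLOW = "allow"
    DENY = "deny"
    NOT_APPLICABLE = "not applicable"
    INDETERMINATE = "indeterminate"  # the ``error'' outcome


Request = Dict[str, str]
Predicate = Callable[[Request], Tri]


def attr_is(name: str, value: str) -> Predicate:
    """Predicate on one request attribute; UNKNOWN if it is absent."""
    def pred(req: Request) -> Tri:
        if name not in req:
            return Tri.UNKNOWN
        return Tri.TRUE if req[name] == value else Tri.FALSE
    return pred


def all_of(*preds: Predicate) -> Predicate:
    def pred(req: Request) -> Tri:
        out = Tri.TRUE
        for p in preds:
            out = and3(out, p(req))
        return out
    return pred


def any_of(*preds: Predicate) -> Predicate:
    def pred(req: Request) -> Tri:
        out = Tri.FALSE
        for p in preds:
            out = or3(out, p(req))
        return out
    return pred


@dataclass
class Rule:
    """IF target THEN (condition ? allow : deny), per Anne's proposal.
    The target is the condition implicitly ANDed with every rule."""
    target: Predicate
    condition: Predicate

    def evaluate(self, req: Request) -> Decision:
        t = self.target(req)
        if t is Tri.FALSE:
            return Decision.NOT_APPLICABLE
        if t is Tri.UNKNOWN:          # cannot tell whether the rule applies
            return Decision.INDETERMINATE
        c = self.condition(req)
        if c is Tri.TRUE:
            return Decision.ALLOW
        if c is Tri.FALSE:
            return Decision.DENY
        return Decision.INDETERMINATE  # attribute needed by THEN is missing


@dataclass
class Policy:
    """Combines rule decisions.  Rules that do not apply are skipped; if
    none applies the configured default is returned (Hal's default policy).
    Hypothetical combining order among applicable rules: error > deny > allow."""
    rules: List[Rule]
    default: Decision = Decision.DENY

    def evaluate(self, req: Request) -> Decision:
        applicable = [d for d in (r.evaluate(req) for r in self.rules)
                      if d is not Decision.NOT_APPLICABLE]
        if not applicable:
            return self.default
        if Decision.INDETERMINATE in applicable:
            return Decision.INDETERMINATE
        if Decision.DENY in applicable:
            return Decision.DENY
        return Decision.ALLOW


# Constructed sample policy: two rules with disjoint targets.
RULES = [
    Rule(target=attr_is("resource", "medical-record"),
         condition=attr_is("role", "doctor")),
    Rule(target=attr_is("resource", "lab-result"),
         condition=any_of(attr_is("role", "doctor"),
                          attr_is("role", "lab-tech"))),
]
POLICY = Policy(RULES, default=Decision.DENY)

if __name__ == "__main__":
    for req in ({"resource": "medical-record", "role": "doctor"},
                {"resource": "medical-record", "role": "nurse"},
                {"resource": "billing", "role": "doctor"},
                {"resource": "medical-record"}):
        print(req, "->", POLICY.evaluate(req).value)
```

Note how the two value sets never mix: `and3` and `or3` accept only `Tri`, while `Policy.evaluate` works only on `Decision`, so the "not applicable AND true" question from the discussion cannot even be written. A request whose target attribute is missing comes back as an error rather than silently falling through to the default, which is the behaviour Tim asked for from the PDP.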
