Subject: [xacml] Minutes of Feb 11 Policy model subcommittee concall


MINUTES OF THE POLICY MODEL SUBCOMMITTEE (MONDAY, FEB. 11 2002)
===============================================================

PRESENT
* Anne Anderson (Sun) 
* Carlisle Adams (Entrust)
* Ernesto Damiani (Unimi)
* Simon Godik (Crosslogix)
* Polar Humenn
* Michiharu Kudoh (IBM)
* Fred Moses
* Pierangela Samarati (Unimi)

---------------------------------------------------------------

We discussed the model proposal by Carlisle. The issues discussed
concerned:

- the format of policies (set of rules or boolean combinations of
  them?)

- the need for meta-policies (representing resolution conflicts or
  policy evaluation strategies depending on the types of policies or
  rules). Types could express the sign of rules (grant vs. deny) or
  other properties such as the authority that signed a policy.

- the need to support grant/deny. I believe at the F2F it was decided
  for permission (grant) only, but by also supporting deny we would
  be more expressive.

- need for policy merging and policy composition (Simon will provide a
  contribution for discussion).

As I was summarizing the discussion I saw the message from Carlisle,
which actually captures the main points addressed, so instead of
repeating them, I am reproducing his message below ;-).

At the end of the concall it was concluded that no decision could be
taken on the model proposed, since people wanted to think about it a bit
more. Hopefully, in the meantime, the new version of the draft will
arrive, clarifying several doubts that seemed to be due to the fact
that some terms are intended differently by different people. The
revised glossary and document should provide a common reference point.

As an addition: Michiharu posted a contribution on post-conditions,
which was not discussed in the concall for lack of time (it was also
noted that we first need to define the basis of the model well and
then add post-conditions; addressing all the issues together could
cause confusion). Also, Simon will be posting some contributions on
the model proposal for discussion.

best
-p


---------- Forwarded message ----------
Date: Tue, 12 Feb 2002 13:12:08 -0500
From: Carlisle Adams <carlisle.adams@entrust.com>
To: "'xacml@lists.oasis-open.org'" <xacml@lists.oasis-open.org>,
     'Polar Humenn' <polar@syr.edu>
Subject: RE: [xacml] Questions and Clarifications on the Concall

Hi Polar,

Good questions!  I have to admit that after the concall I walked away a bit
more confused myself.

In our glossary, "rule" is a predicate or a logical combination of
predicates, and "policy" is a set of rules (which I've always taken to be a
logical combination of rules, although the glossary doesn't explicitly say
so and, from what Pierangela was saying yesterday, she took it to be a
simple "OR" of rules).

In the proposal that I posted last Friday, I tried to make a couple of other
distinctions:  a rule does not have an applicability or target element,
whereas a policy does; and a rule has an explicit grant/deny indicator,
whereas a policy does not.

But in yesterday's call, Simon said that in his mind a rule does have an
applicability element (a R-A-S triple, which may be a simplified version of
the predicates contained in the rule).  Furthermore, he thinks that a policy
should have a grant/deny indicator (or at least grant, for now).  And, as I
mentioned above, Pierangela questioned whether there is any need for a
policy to have a combination of rules (i.e., either it is just a combination
of predicates, or it is implicitly understood that they are combined in an
OR).  Finally, Simon suggested that the smallest individual unit specified
by XACML should be a policy.

So now I really don't understand the difference between "policy" and "rule".
How are they different?  Do we need to distinguish between them?  Do we need
separate syntax for them?  Why not forget about rules altogether and say
that, for XACML, a logical combination of predicates, with a (possibly
simplified) applicability or target element, and with an explicit grant/deny
indicator, *is* a policy.  No mention of rules whatsoever (except possibly
in the "Related Terms" section that follows the glossary).

Is this acceptable, or is there an important distinction that needs to be
maintained in the syntax?

Note 1)  I think we still need to retain the concept of a higher-level
policy (e.g., a base policy) that specifies a logical combination of
sub-policy results.  The sub-policies may be included or referenced.

Note 2)  I think it would be useful to include the concept of a meta-policy
that specifies a logical combination of predicates about policy (e.g.,
grant/deny, or issuer, or issue date, or whatever).  I don't know how else
to be able to say general things like "policies from this authority always
override policies from that authority", or "denies always override grants",
or "policies issued in the past month always override older policies".

Carlisle.


> ----------
> From: 	Polar Humenn[SMTP:polar@syr.edu]
> Sent: 	Monday, February 11, 2002 6:19 PM
> To: 	'xacml@lists.oasis-open.org'
> Subject: 	[xacml] Questions and Clarifications on the Concall
> 
> I got the impression that we are generally scrapping the notion of
> combining policies and predicates alike. Is that the case?
> 
> Will we have different syntax for:
> 1. Combination of Predicates. (Rules?)
> 2. Combinations of Rules (Policies?)
> 3. Combinations of Policies? (Meta-Policies?)
> 

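The three levels Polar asks about (a combination of predicates, a policy carrying a target and an explicit grant/deny effect as Carlisle proposes, and a meta-policy whose predicates are about policies rather than about the request) can be sketched as a small evaluator. This is an added illustration, not XACML syntax and not code from the TC or from any participant in the thread. Everything concrete in it is an assumption made for the example: the policy attributes (issuer, issue date), the authority ranking, the fixed "today", the two sample policies and the sample requests. The nested base policy of Carlisle's Note 1 is not modelled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, Optional, Sequence, Tuple

# A request is the attribute bag a decision point receives; keys are illustrative.
Request = Dict[str, str]
Predicate = Callable[[Request], bool]


@dataclass(frozen=True)
class Target:
    """Applicability element: a simplified resource/action/subject triple
    (the R-A-S triple mentioned in the thread). None means 'any'."""
    resource: Optional[str] = None
    action: Optional[str] = None
    subject: Optional[str] = None

    def matches(self, req: Request) -> bool:
        wanted = (("resource", self.resource), ("action", self.action),
                  ("subject", self.subject))
        return all(want is None or req.get(key) == want for key, want in wanted)


@dataclass(frozen=True)
class Policy:
    """The proposed unit: a conjunction of predicates over the request, a
    target, and an explicit effect, plus attributes a meta-policy reasons about."""
    name: str
    target: Target
    effect: str                       # "grant" or "deny"
    predicates: Tuple[Predicate, ...]  # combined with AND
    issuer: str                       # assumed attribute
    issued: date                      # assumed attribute

    def evaluate(self, req: Request) -> Optional[str]:
        """Return the effect if the target matches and all predicates hold,
        otherwise None (not applicable)."""
        if not self.target.matches(req):
            return None
        return self.effect if all(p(req) for p in self.predicates) else None


def deny_overrides(effects: Sequence[str]) -> Optional[str]:
    """Resolve competing effects: any deny wins, otherwise a grant, else None."""
    if "deny" in effects:
        return "deny"
    return "grant" if "grant" in effects else None


@dataclass(frozen=True)
class MetaPolicy:
    """Predicates about policies: `precedence` ranks a policy by its own
    attributes (smaller tuple wins). Only the top-ranked applicable policies
    count; ties among them are resolved by deny-overrides."""
    name: str
    precedence: Callable[[Policy], Tuple[int, ...]]

    def decide(self, policies: Sequence[Policy], req: Request) -> str:
        applicable = []
        for p in policies:
            effect = p.evaluate(req)
            if effect is not None:
                applicable.append((self.precedence(p), effect))
        if not applicable:
            return "not-applicable"
        best = min(rank for rank, _ in applicable)
        return deny_overrides([e for rank, e in applicable if rank == best]) or "not-applicable"


# Constructed sample policies (not from any real deployment).
CORP_DENY = Policy(
    name="corp-deny-nonfinance", target=Target(resource="/finance/ledger"),
    effect="deny", predicates=(lambda r: r.get("role") != "finance",),
    issuer="corp-security", issued=date(2002, 1, 1))

DEPT_GRANT = Policy(
    name="dept-grant-readers", target=Target(resource="/finance/ledger", action="read"),
    effect="grant", predicates=(lambda r: r.get("role") in ("finance", "audit"),),
    issuer="dept-finance", issued=date(2002, 2, 1))

POLICIES = (CORP_DENY, DEPT_GRANT)

# Three of the "general things" a meta-policy should be able to say.
AUTHORITY_RANK = {"dept-finance": 0, "corp-security": 1}   # assumed ordering
TODAY = date(2002, 2, 12)                                  # fixed for reproducibility

DENY_OVERRIDES_ALL = MetaPolicy("denies always override grants", lambda p: (0,))
DEPT_OVERRIDES_CORP = MetaPolicy("dept-finance overrides corp-security",
                                 lambda p: (AUTHORITY_RANK[p.issuer],))
RECENT_OVERRIDES_OLD = MetaPolicy("last month's policies override older ones",
                                  lambda p: (0 if p.issued >= TODAY - timedelta(days=30) else 1,))

# Constructed sample requests.
AUDITOR_READ = {"subject": "bob", "role": "audit", "action": "read", "resource": "/finance/ledger"}
FINANCE_READ = {"subject": "ann", "role": "finance", "action": "read", "resource": "/finance/ledger"}
GUEST_READ = {"subject": "eve", "role": "guest", "action": "read", "resource": "/finance/ledger"}
PUBLIC_READ = {"subject": "eve", "role": "guest", "action": "read", "resource": "/public/news"}

if __name__ == "__main__":
    for meta in (DENY_OVERRIDES_ALL, DEPT_OVERRIDES_CORP, RECENT_OVERRIDES_OLD):
        for req in (AUDITOR_READ, FINANCE_READ, GUEST_READ, PUBLIC_READ):
            print(f"{meta.name:45} {req['role']:8} {req['resource']:16} -> {meta.decide(POLICIES, req)}")
```

The auditor request is the one that separates the meta-policies: both policies apply to it with opposite effects, so plain deny-overrides denies, while authority precedence or recency lets the newer departmental grant win. The finance and guest requests resolve the same way under every meta-policy because only one policy applies, and the request outside the target yields not-applicable rather than a decision.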