Subject: [xacml] Minutes of Feb 11 Policy model subcommittee concall
MINUTES OF THE POLICY MODEL SUBCOMMITTEE (MONDAY, FEB. 11 2002)
===============================================================

PRESENT
* Anne Anderson (Sun)
* Carlisle Adams (Entrust)
* Ernesto Damiani (Unimi)
* Simon Godik (Crosslogix)
* Polar Humenn
* Michiharu Kudoh (IBM)
* Fred Moses
* Pierangela Samarati (Unimi)
---------------------------------------------------------------

We discussed the model proposal by Carlisle. The issues discussed concerned:

- the format of policies (set of rules or boolean combinations of them?)
- the need for meta-policies (representing conflict resolution or policy evaluation strategies depending on the types of policies or rules). Types could express the sign of rules (grant vs. deny) or other properties such as the authority that signed a policy.
- the need to support grant/deny. I believe at the F2F it was decided for permission (grant) only, but supporting deny as well would make us more expressive.
- need for policy merging and policy composition (Simon will provide a contribution for discussion).

As I was summarizing the discussion I saw the msg of Carlisle, who actually captures in his msg the main points addressed, so instead of repeating, I am repeating his msg below ;-).

At the end of the concall it was concluded that no decision could be taken on the model proposed, since people wanted to think of it a bit more. Hopefully, in the meanwhile, the new version of the draft should arrive, clarifying several doubts that seemed to be due to the fact that some terms are intended differently by different people. The revised glossary and document should provide a common reference point.

As an addition: Michiharu posted a contribution for post-conditions, which was not discussed in the concall for lack of time (it was also noted that we first need to define well the basis of the model and then add post-conditions; addressing all the issues together could bring confusion).
Also, Simon will be posting some contributions on the model proposal for discussion.

best
-p

---------- Forwarded message ----------
Date: Tue, 12 Feb 2002 13:12:08 -0500
From: Carlisle Adams <carlisle.adams@entrust.com>
To: "'xacml@lists.oasis-open.org'" <xacml@lists.oasis-open.org>, 'Polar Humenn' <polar@syr.edu>
Subject: RE: [xacml] Questions and Clarifications on the Concall

Hi Polar,

Good questions! I have to admit that after the concall I walked away a bit more confused myself.

In our glossary, "rule" is a predicate or a logical combination of predicates, and "policy" is a set of rules (which I've always taken to be a logical combination of rules, although the glossary doesn't explicitly say so and, from what Pierangela was saying yesterday, she took it to be a simple "OR" of rules). In the proposal that I posted last Friday, I tried to make a couple of other distinctions: a rule does not have an applicability or target element, whereas a policy does; and a rule has an explicit grant/deny indicator, whereas a policy does not.

But in yesterday's call, Simon said that in his mind a rule does have an applicability element (a R-A-S triple, which may be a simplified version of the predicates contained in the rule). Furthermore, he thinks that a policy should have a grant/deny indicator (or at least grant, for now). And, as I mentioned above, Pierangela questioned whether there is any need for a policy to have a combination of rules (i.e., either it is just a combination of predicates, or it is implicitly understood that they are combined in an OR). Finally, Simon suggested that the smallest individual unit specified by XACML should be a policy.

So now I really don't understand the difference between "policy" and "rule". How are they different? Do we need to distinguish between them? Do we need separate syntax for them?
Why not forget about rules altogether and say that, for XACML, a logical combination of predicates, with a (possibly simplified) applicability or target element, and with an explicit grant/deny indicator, *is* a policy. No mention of rules whatsoever (except possibly in the "Related Terms" section that follows the glossary). Is this acceptable, or is there an important distinction that needs to be maintained in the syntax?

Note 1) I think we still need to retain the concept of a higher-level policy (e.g., a base policy) that specifies a logical combination of sub-policy results. The sub-policies may be included or referenced.

Note 2) I think it would be useful to include the concept of a meta-policy that specifies a logical combination of predicates about policy (e.g., grant/deny, or issuer, or issue date, or whatever). I don't know how else to be able to say general things like "policies from this authority always override policies from that authority", or "denies always override grants", or "policies issued in the past month always override older policies".

Carlisle.

> ----------
> From: Polar Humenn[SMTP:polar@syr.edu]
> Sent: Monday, February 11, 2002 6:19 PM
> To: 'xacml@lists.oasis-open.org'
> Subject: [xacml] Questions and Clarifications on the Concall
>
> I got the impression that we are generally scrapping the notion of
> combining policies and predicates alike. Is that the case?
>
> Will we have different syntax for:
> 1. Combination of Predicates. (Rules?)
> 2. Combinations of Rules (Policies?)
> 3. Combinations of Policies? (Meta-Policies?)
>
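As an added illustration of the three levels being debated in this thread (a rule as a predicate combination with a grant/deny sign, a policy as rules under a target element, and a meta-policy that states predicates about policies such as issuer, issue date and sign), here is a small Python model that evaluates the three override statements from Note 2 in order. This is example code written for this page; it is not XACML syntax, not Carlisle's proposal and not code from the list. The request shape, the attribute names (role, resource, action), the issuer ranks, the age attribute and the three sample policies are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A request is a flat bag of subject/resource/action attributes (constructed shape,
# not XACML's request syntax).
Request = Dict[str, str]
Predicate = Callable[[Request], bool]


@dataclass
class Rule:
    """Logical combination of predicates plus an explicit grant/deny indicator."""
    predicate: Predicate
    effect: str  # "grant" or "deny"

    def evaluate(self, req: Request) -> Optional[str]:
        # A rule whose predicates do not hold says nothing; silence is not a deny.
        return self.effect if self.predicate(req) else None


def combine_effects(effects: List[str], strategy: str) -> Optional[str]:
    """Combine grant/deny results; an empty list means 'not applicable'."""
    if not effects:
        return None
    if strategy == "deny_overrides":
        return "deny" if "deny" in effects else "grant"
    if strategy == "grant_overrides":
        return "grant" if "grant" in effects else "deny"
    raise ValueError(f"unknown combining strategy: {strategy}")


@dataclass
class Policy:
    """Rules under a target (applicability) element, with metadata about the policy itself."""
    target: Predicate
    rules: List[Rule]
    issuer: str
    age_days: int  # days since issue (constructed attribute read by the meta-policy)
    combining: str = "deny_overrides"

    def evaluate(self, req: Request) -> Optional[str]:
        if not self.target(req):
            return None  # target miss: the policy is silent for this request
        effects = [e for e in (r.evaluate(req) for r in self.rules) if e is not None]
        return combine_effects(effects, self.combining)


@dataclass
class MetaPolicy:
    """Predicates about policies (issuer, age, sign) that resolve conflicts between them."""
    authority_rank: Dict[str, int]
    recent_window_days: Optional[int] = None

    def decide(self, policies: List[Policy], req: Request) -> str:
        decisions = [(p, p.evaluate(req)) for p in policies]
        decisions = [(p, d) for p, d in decisions if d is not None]
        if not decisions:
            return "not_applicable"  # nothing applied, so nothing is granted
        # "policies issued in the past month always override older policies"
        if self.recent_window_days is not None:
            recent = [(p, d) for p, d in decisions if p.age_days <= self.recent_window_days]
            if recent:
                decisions = recent
        # "policies from this authority always override policies from that authority"
        top = max(self.authority_rank.get(p.issuer, 0) for p, _ in decisions)
        decisions = [(p, d) for p, d in decisions if self.authority_rank.get(p.issuer, 0) == top]
        # "denies always override grants" among whatever remains
        return combine_effects([d for _, d in decisions], "deny_overrides")


# Constructed sample: two authorities and one stale policy, all targeting /finance/.
def is_auditor(r: Request) -> bool: return r.get("role") == "auditor"
def is_finance(r: Request) -> bool: return r.get("resource", "").startswith("/finance/")
def is_read(r: Request) -> bool: return r.get("action") == "read"
def is_write(r: Request) -> bool: return r.get("action") == "write"

DEPT_POLICY = Policy(  # department grants auditors read and write
    target=is_finance, issuer="dept-admin", age_days=5,
    rules=[Rule(lambda r: is_auditor(r) and (is_read(r) or is_write(r)), "grant")])
SECURITY_POLICY = Policy(  # security office: no writes at all, auditors may read
    target=is_finance, issuer="security-office", age_days=10,
    rules=[Rule(is_write, "deny"), Rule(lambda r: is_auditor(r) and is_read(r), "grant")])
LEGACY_POLICY = Policy(  # old security-office policy that denied every read
    target=is_finance, issuer="security-office", age_days=400,
    rules=[Rule(is_read, "deny")])
POLICIES = [DEPT_POLICY, SECURITY_POLICY, LEGACY_POLICY]

RANK = {"dept-admin": 1, "security-office": 2}
META_WITH_RECENCY = MetaPolicy(authority_rank=RANK, recent_window_days=30)
META_NO_RECENCY = MetaPolicy(authority_rank=RANK)


def decide(meta: MetaPolicy, role: str, resource: str, action: str) -> str:
    return meta.decide(POLICIES, {"role": role, "resource": resource, "action": action})


if __name__ == "__main__":
    for args in [("auditor", "/finance/ledger", "read"), ("auditor", "/finance/ledger", "write"),
                 ("clerk", "/finance/ledger", "read"), ("auditor", "/hr/file", "read")]:
        print(args, "->", decide(META_WITH_RECENCY, *args), "/", decide(META_NO_RECENCY, *args))
```

The point the model makes is that the three override statements are not interchangeable: an auditor's read of /finance/ledger is granted under the meta-policy with a recency window (the 400-day-old deny is discarded before the authority and sign rules run) but denied without it (the stale security-office deny survives into the deny-overrides step). The order in which a meta-policy applies its predicates is therefore part of the access decision and has to be specified, not left to the evaluator.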