Subject: [xacml] Minutes of meeting

Minutes of meeting
Topic: XACML schema
Date: 15 Apr 2002
Present: Ernesto Damiani, Anne Anderson, Simon Godik, Don Flinn, Konstantin Beznosov, Carlisle Adams, Tim Moses, Bill Parducci, Michiharu Kudo

Anne had asked on the list where she could obtain a tool for viewing schema in a structured fashion.  Simon offered to check whether XML-Spy could produce the PDF presentation that Bill had provided for an earlier version.  Later, on the list, Bill provided a PDF presentation of version 13b of the schema, and a link to the site where the tool was available.

The meeting then tackled the question of schema definitions for the <predicateExpression> and <predicate> elements.

Michiharu asked for the rationale behind the choice of name for the <predicateExpression> element, suggesting <logicalOperator> as an alternative.  Tim explained that, in an XACML instance, elements in the substitution group of <predicateExpression> would contain predicates, functions and attributes, connected by logical operators.  So, the name <predicateExpression> seemed to be a better description of the contents.  Tim mentioned that he considers all the names in the schema open to discussion and change, if anyone wants to propose alternatives.

There was discussion of the need for an <orderedAnd> element.  The feeling of the meeting was that it could safely be left out of XACML Version 1.0.

Anne suggested that elements in the substitution group of <predicate>, <predicateExpression> and <attributeFunction> could have an identifier or location attribute that would help a PDP retrieve an implementation of the function associated with the element.  Simon suggested that this should be addressed through configuration of the PDP.  Michiharu described how XACL had tackled this question: there are no built-in predicates; rather a particular predicate is identified by a name attribute.  Implementations have to find an implementation of the named predicate.  After some discussion it was agreed that it was appropriate for XACML to define some common predicates.  Anne offered to attempt to write an extension schema for the case of Java policy.  From this we should be able to compare the relative difficulty of implementing new predicates through an extension schema or through a URI built into the base schema.

Simon asked about the use of an identifier for predicates, in order to support macro expansion.  Tim said that he thought <rule> was the most elementary component that could be independently referenced.  <rule>, <policyStatement> and <policySetStatement> each contain an id attribute.  A macro could be styled as a <rule> with no target.  Alternatively, macros could be implemented in a private fashion, always being expanded in any public interchange.  Simon was happy with these alternatives, provided that the identifier attributes in <rule>, <policyStatement> and <policySetStatement> are satisfactory.

Carlisle asked about the "minOccurs=0" facet value in the predicate type definitions.  Polar said that the 0 value would allow predictable behaviour when a <predicateExpression> containing zero <predicate> elements is written by a machine.

There was a discussion of type-compatibility in the predicates and functions.  Konstantin suggested that only variables of identical type should be compared in a predicate.  Simon suggested that the existing functions (plus, minus, etc.) should be limited to numbers.  If we need similar functions for currency and dates, then separate functions should be defined.  Simon offered to develop an extended list of functions for inclusion in XACML v1.0 to cover (for instance) currency and dates.

Bill offered to provide a definitive reference for regular expressions.

Simon asked for clarification of the types of <attributeFunction> that could be included in a <patternMatch> predicate.  Tim said that only string operations are allowed.
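The following is an added illustration, not part of the minutes or of the draft schema, of the three design rules recorded above: a <predicateExpression> with zero <predicate> elements (minOccurs=0) is well-formed, only operands of identical type may be compared in a predicate, arithmetic functions are limited to numbers, and a <patternMatch> predicate may only contain string operations.  The type attribute vocabulary, the function names and the sample instances are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Assumed type vocabulary for the example; the draft schema's actual types are not given in the minutes.
NUMERIC_TYPES = {"integer", "decimal"}
ARITHMETIC = {"plus", "minus"}

def check_predicate(pred):
    """Return the rule violations found in one <predicate> element."""
    problems = []
    name = pred.get("name")
    operands = list(pred)
    if name == "patternMatch":
        # Only string operations may appear inside a <patternMatch> predicate.
        for op in operands:
            if op.tag == "attributeFunction" and op.get("type") != "string":
                problems.append(f"patternMatch: non-string function {op.get('name')}")
    else:
        # Only operands of identical type may be compared in a predicate.
        types = {op.get("type") for op in operands}
        if len(types) > 1:
            problems.append(f"{name}: mixed operand types {sorted(types)}")
    # Arithmetic functions are limited to numbers; currency and dates would get their own functions.
    for op in pred.iter("attributeFunction"):
        if op.get("name") in ARITHMETIC and op.get("type") not in NUMERIC_TYPES:
            problems.append(f"{op.get('name')}: non-numeric type {op.get('type')}")
    return problems

def check_expression(xml_text):
    """Validate every <predicate> in a <predicateExpression>; an empty expression yields no violations."""
    root = ET.fromstring(xml_text)
    # minOccurs="0": a machine-written expression with no predicates is legal and simply has nothing to check.
    return [p for pred in root.iter("predicate") for p in check_predicate(pred)]

# Constructed sample instances (not taken from the draft schema).
GOOD = """<predicateExpression name="and">
  <predicate name="equal"><attribute type="integer"/><attributeFunction name="plus" type="integer"/></predicate>
  <predicate name="patternMatch"><attribute type="string"/><attributeFunction name="toLower" type="string"/></predicate>
</predicateExpression>"""

BAD = """<predicateExpression name="and">
  <predicate name="equal"><attribute type="integer"/><attribute type="string"/></predicate>
  <predicate name="patternMatch"><attribute type="string"/><attributeFunction name="plus" type="date"/></predicate>
</predicateExpression>"""

EMPTY = '<predicateExpression name="and"/>'

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD), ("empty", EMPTY)):
        print(label, check_expression(doc))
```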

-----------------------------------------
Tim Moses
Tel: 613.270.3183