Subject: RE: [xacml] Minutes of meeting
Hi,
A couple of extra notes covering the time from when Tim had to drop out (about 11:30 Eastern) to the end of the call.
Carlisle.
----------------------
Polar asked about "subset": can it do things like "is the current day Monday?" (or perhaps "is it currently the weekend?"), or do we need another predicate for this?
Simon raised a concern about knowing the context of an attribute in a <condition/> element. Will the AttributeNamespace always be enough to make it clear whether this is an attribute pertaining to the resource, or the subject, or the environment? This sort of context is available in the <target/> element, but not in <condition/>. Anne agreed, saying that something analogous to the "Holder" field of an X.509 Attribute Certificate would be nice. Simon will begin a list discussion on this topic.
Anne asked whether schema issues will be collected and tracked as policy model issues were (the answer is "yes"). Simon will post to the list a short write-up on the four issues left open at the end of today's discussion so that Ken can begin tracking these. (These issues are RuleId, extensions, core functions, and attribute designations in conditions.)
Carlisle will propose an agenda for next week's F2F meeting within a couple of days. Suggestions for specific topics to discuss are welcome.
----------
From: Tim Moses[SMTP:tim.moses@entrust.com]
Sent: Monday, April 15, 2002 1:36 PM
To: 'XACML'
Subject: [xacml] Minutes of meeting
Minutes of meeting
Topic: XACML schema
Date: 15 Apr 2002
Present: Ernesto Damiani, Anne Anderson, Simon Godik, Don Flinn, Konstantin Beznosov, Carlisle Adams, Tim Moses, Bill Parducci, Michiharu Kudo
Anne had asked on the list where she could obtain a tool for viewing schema in a structured fashion. Simon offered to check whether XML-Spy could produce the PDF presentation that Bill had provided for an earlier version. Later, on the list, Bill provided a PDF presentation of version 13b of the schema, and a link to the site where the tool was available.
The meeting then tackled the question of schema definitions for the <predicateExpression> and <predicate> elements.
Michiharu asked for the rationale behind the choice of name for the <predicateExpression> element, suggesting <logicalOperator> as an alternative. Tim explained that, in an XACML instance, elements in the substitution group of <predicateExpression> would contain predicates, functions and attributes, connected by logical operators. So, the name <predicateExpression> seemed to be a better description of the contents. Tim mentioned that he considers all the names in the schema open to discussion and change, if anyone wants to propose alternatives.
There was discussion of the need for an <orderedAnd> element. The feeling of the meeting was that it could safely be left out of XACML Version 1.0.
Anne suggested that elements in the substitution group of <predicate>, <predicateExpression> and <attributeFunction> could have an identifier or location attribute that would help a PDP retrieve an implementation of the function associated with the element. Simon suggested that this should be addressed through configuration of the PDP. Michiharu described how XACL had tackled this question: there are no built-in predicates; rather a particular predicate is identified by a name attribute. Implementations have to find an implementation of the named predicate. After some discussion it was agreed that it was appropriate for XACML to define some common predicates. Anne offered to attempt to write an extension schema for the case of Java policy. From this we should be able to compare the relative difficulty of implementing new predicates through an extension schema or through a URI built into the base schema.
Simon asked about the use of an identifier for predicates, in order to support macro expansion. Tim said that he thought <rule> was the most elementary component that could be independently referenced. <rule>, <policyStatement> and <policySetStatement> each contain an id attribute. A macro could be styled as a <rule> with no target. Alternatively, macros could be implemented in a private fashion, always being expanded in any public interchange. Simon was happy with these alternatives, provided that the identifier attributes in <rule>, <policyStatement> and <policySetStatement> are satisfactory.
Carlisle asked about the "minOccurs=0" facet value in the predicate type definitions. Polar said that the 0 value would allow predictable behaviour when a <predicateExpression> containing zero <predicate> elements is written by a machine.
There was a discussion of type-compatibility in the predicates and functions. Konstantin suggested that only variables of identical type should be compared in a predicate. Simon suggested that the existing functions (plus, minus, etc.) should be limited to numbers. If we need similar functions for currency and dates, then separate functions should be defined. Simon offered to develop an extended list of functions for inclusion in XACML v1.0 to cover (for instance) currency and dates.
Bill offered to provide a definitive reference for regular expressions.
Simon asked for clarification of the types of <attributeFunction> that could be included in a <patternMatch> predicate. Tim said that only string operations are allowed.
-----------------------------------------
Tim Moses
Tel: 613.270.3183
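Added illustration (not part of either message above, and not the draft schema): a toy evaluator for a <condition/> predicate expression that exercises three points from the thread at once: Simon's concern in Carlisle's note that an attribute in a condition needs to say which entity it belongs to (here handled by an assumed explicit "context" attribute), the "minOccurs=0" point that an empty predicate expression must evaluate predictably, and the type-compatibility rules (compare only identical types, arithmetic over numbers only, <patternMatch> over strings only). Every element name used (<and>, <or>, <equal>, <patternMatch>, <plus>, <attribute>, <literal>) is an assumption made for this example; the request context and the sample conditions are constructed.

```python
"""Toy evaluator for a draft-XACML-style <condition/> predicate expression.

All element names here are assumptions for this illustration, not the draft
schema's definitions.
"""
import re
import xml.etree.ElementTree as ET


class PolicyTypeError(Exception):
    """A predicate or function was applied to operands of the wrong type."""


def _kind(value):
    # bool is a subclass of int in Python, so exclude it from "number" explicitly
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return "number"
    if isinstance(value, str):
        return "string"
    raise PolicyTypeError(f"unsupported value type {type(value).__name__}")


def _value(elem, attrs):
    """Evaluate an <attribute>, <literal> or <plus> element to a typed value."""
    tag = elem.tag
    if tag == "attribute":
        # The explicit context (subject/resource/environment) answers
        # "which entity does this attribute belong to?" inside a condition.
        return attrs[(elem.get("context"), elem.get("name"))]
    if tag == "literal":
        text = (elem.text or "").strip()
        if elem.get("type") == "number":
            return float(text) if "." in text else int(text)
        if elem.get("type") == "string":
            return text
        raise PolicyTypeError(f"unknown literal type {elem.get('type')!r}")
    if tag == "plus":
        operands = [_value(child, attrs) for child in elem]
        if not operands or any(_kind(o) != "number" for o in operands):
            raise PolicyTypeError("<plus> is defined over numbers only")
        return sum(operands)
    raise ValueError(f"unknown value element <{tag}>")


def _operands(elem, attrs):
    """A predicate takes exactly two operands; anything else is malformed."""
    values = [_value(child, attrs) for child in elem]
    if len(values) != 2:
        raise ValueError(f"<{elem.tag}> needs two operands, got {len(values)}")
    return values


def evaluate(elem, attrs):
    """Evaluate a predicate expression element to True or False."""
    tag = elem.tag
    if tag == "and":
        # minOccurs=0: an <and> with no predicates has nothing that fails -> True
        return all(evaluate(child, attrs) for child in elem)
    if tag == "or":
        # an empty <or> has nothing that succeeds -> False
        return any(evaluate(child, attrs) for child in elem)
    if tag == "equal":
        left, right = _operands(elem, attrs)
        if _kind(left) != _kind(right):
            raise PolicyTypeError(f"<equal> compares {_kind(left)} with {_kind(right)}")
        return left == right
    if tag == "patternMatch":
        subject, pattern = _operands(elem, attrs)
        if _kind(subject) != "string" or _kind(pattern) != "string":
            raise PolicyTypeError("<patternMatch> accepts string operands only")
        return re.fullmatch(pattern, subject) is not None
    raise ValueError(f"unknown predicate expression element <{tag}>")


def evaluate_xml(xml_text, attrs):
    return evaluate(ET.fromstring(xml_text.strip()), attrs)


def rejected_by_type_check(xml_text, attrs):
    """True if the expression is refused by the type-compatibility rule."""
    try:
        evaluate_xml(xml_text, attrs)
    except PolicyTypeError:
        return True
    return False


# Constructed request context: (entity, attribute name) -> value
SAMPLE_ATTRS = {("subject", "role"): "clerk",
                ("resource", "owner"): "clerk",
                ("environment", "hour"): 14}

# Constructed condition: same-typed comparison, string-only patternMatch,
# arithmetic over numbers; evaluates to True against SAMPLE_ATTRS.
CONDITION = """
<and>
  <equal><attribute context="subject" name="role"/><attribute context="resource" name="owner"/></equal>
  <patternMatch><attribute context="subject" name="role"/><literal type="string">cl.*</literal></patternMatch>
  <equal>
    <plus><attribute context="environment" name="hour"/><literal type="number">1</literal></plus>
    <literal type="number">15</literal>
  </equal>
</and>
"""

# Constructed malformed conditions that the type rules refuse
MIXED_TYPES = """<equal><attribute context="subject" name="role"/><literal type="number">1</literal></equal>"""
STRING_ARITHMETIC = """<patternMatch><plus><literal type="string">a</literal><literal type="string">b</literal></plus><literal type="string">ab</literal></patternMatch>"""
```

Running evaluate_xml on CONDITION with SAMPLE_ATTRS yields True; "<and/>" yields True and "<or/>" yields False, which is the predictable behaviour for a machine-written expression with zero predicates; MIXED_TYPES and STRING_ARITHMETIC are refused with PolicyTypeError rather than silently coerced.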