Subject: [xacml] milan f2f minutes


Raw minutes I took in Milan.
Simon
 
Monday, Apr 22

Carlisle Adams
Don Flinn
Ann Anderson
Polar Humenn
Michiharu Kudo
Simon Godik
Bill Parducci
Pierangela Samarati
Gerald Brose -- Xtradyne -observer

C: Vote to approve minutes of apr 18
approved.

Attributes in domain specific profiles.

Don Flinn:
Problem communicating attributes between companies
Spelling could be different, semantics could be different.

Security models: flat versus hierarchical groups.

How do we communicate between entities?

Push model:
Attribute namespace could define specific attributes.
If 2 entities understand the namespace they can map one to the other.

Xacml would recommend to define standard namespaces and attribute sets.
Xacml would have namespace registration procedure.

P: How would you identify a namespace?
D: Organization could pick a keyword.
Ann: Why does OASIS need to keep a registry?
D: Convenience. 2nd complexity: will store uri's, 3rd: this format you should
follow.
D: Another approach: cnt redirected to attribute translation service. It's
another way to do it, but it does not solve a problem
Ann: XACML may want to define a set of attribute names for referring to elements
in azn decision query.

Ann: Which entity is the owner of an attribute?
Don: Last thing: security models. For security models we define map between
them. EJB has flat namespace for roles. We may define how to translate.

Day 2, Apr 23

Conformance discussion

Ernesto: Let's shorten doc but mention areas on which conformance should be
done
Polar: Break down by conformance level. For saml profile you should follow
certain steps.
Carl: goal here is bring a topic for discussion. Polar and Ken will take
charge of this.
Polar: Should it be a separate document? Could be put in the last chapter.
Usually conformance doc is very short.
Ann: If you've got several committees it's good to have several docs.
When we're done we fold all docs.
Polar: Does oasis have conformance process?
Carlisle: They have conf tech committee. They offer help in conformance
process.

Interface with saml.

Carlisle: Interface with saml. Suggestion was made that we should not
tie to saml at all. We can define xacml assertion and specify saml profile.
That would allow other domains to be more comfortable with xacml.
Ann: One view is that saml is the thing everybody maps to. And everybody
maps to saml.
Bill: To have saml spelled out in our schema limits our appeal to a broad
audience. We need to be compliant with saml, but better have a level of
abstraction above that.
Ernesto: We were established as an addition to saml. Our role was to use
saml assertions and be comfortable that saml will become accepted.
Technically these two approaches are not different.
Polar: Experience at the omg shows problems with linking specs.
Michiharu: I do not have special objections to saml use (req-resp)
I would like to propose xacml context as abstraction layer to xacml
I do not have specific schema that is mandatory to use. I want to explain
my idea later.
Don: We need saml to pass credentials between systems.
Ernesto: saml namespace will specify specific version of saml. I do not see
a problem.
Carlisle: If we were to define our own format will be different?
Polar: no.
Michiharu: I do not assume any specific xacml assertion schema. My proposal
is to add transforms element that transforms any kind of saml request into
assertion neutral xacml context. If you write such transforms it is easy
to map between saml requests to xacml context. Ambiguity between saml request
and xacml context does not exist. We can avoid versioning problem.
Ernesto: For saml we can have empty xslt stylesheet.
Ann: In xacml it makes more sense to group assertions by the holder of
assertion. Then it's more direct to refer to particular assertion.
Ernesto: That's rearrangement of the tree structure. Why don't we define
a structure for our assertions. Extension to this stylesheet could map
further assertion versions.
Ernesto: general concall will ratify proposal.

Security and privacy considerations.
Ann: privacy at the pep is different from privacy at the pdp etc.
Polar: all we want to do is to bring up some concerns such as giving
back more information with the response. Pep can filter this kind of
information.
Polar: policy integrity: it's important.
Ernesto: xml has these facilities already, such as dsig or element encryption.
We can check with w3c to see if these reqs could be satisfied.

Issue: Integrity and authenticity of a policy are out of scope.
Voted: !!!!! --> accepted.

xacml context proposal. (Michiharu)
Michiharu: This is just an idea how to use xslt in the policy.
Polar: If you do put it in the policy statement, they may each have a
different transform, then different transforms should be run every time.
Also, transform depends on the input request.
Michiharu: I want to start for xacml context. It is not affected by saml
syntax.
Carlisle: What about response?
Ernesto: There will be cases when you go from saml to saml.
Ann: Are there 2 formats: saml and xacml context?
Ann: Transforming saml request once may be no costlier than evaluating
complicated expressions over saml assertions.
Michiharu: It depends on implementation.
Ernesto: We are going to define our own context. We can take saml schema
for now, but context definition is a part of a spec. It calls for a vote.
Carlisle: We can take votes assuming we have quorum.
Bill: I suggest writing it down and voting on a proposal.
Carlisle: we can arrange context in such a way that references are simpler.
Bill: we have to revisit our charter.

IBM IP.
Michiharu: I can tell you about the contents of the patent.
This patent, submitted in Japan, is an access control system for provisional
actions. Access request
comes from the left (110), the box(10) is policy evaluation module and
box (20) is policy enforcement module. This module is focused on obligations
or provisional action. This module can have a set of enforcement plugin
modules such as logging, encryption, etc. For example, request comes in
and policy evaluation module determines if access is allowed or denied.
If it contains obligations (113) then they are sent to enforcement module.
If those external conditions are not satisfied the access denied is sent
back to the requestor.
Ernesto: We can ask for a letter from ibm similar to ebxml.
There are also issues on 'content guard' patents.
Carlisle: in the context of 'content guard' they would not be able to make
any determination before they have final spec.

Schema discussion.
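The two mechanisms sketched in the minutes above, Michiharu's transform from a SAML request into an assertion-neutral xacml context (day 2, "xacml context proposal") and the enforcement module with plugin modules that denies access when an obligation cannot be satisfied (day 2, "IBM IP"), as one added example. This is illustration code written for this archive page, not code from the minutes, the XACML TC or IBM. The context field names (subject/resource/action), the toy policy, the plugin names, the second "flat" request format and the SAML 1.0-style query are all constructed assumptions; only the Python standard library is used.

```python
# Added example (not from the minutes, the TC or IBM): per-format transforms
# into an assertion-neutral context, a toy PDP that returns obligations, and a
# PEP that discharges obligations through plugin modules and fails closed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed SAML 1.0-style authorization decision query (values made up).
SAML_QUERY = f"""<samlp:AuthorizationDecisionQuery xmlns:samlp="{SAMLP}"
    xmlns:saml="{SAML}" Resource="https://example.test/reports/q1.pdf">
  <saml:Subject><saml:NameIdentifier>alice@example.test</saml:NameIdentifier></saml:Subject>
  <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  <saml:Evidence><saml:Assertion><saml:AttributeStatement>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>manager</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></saml:Evidence>
</samlp:AuthorizationDecisionQuery>"""


@dataclass
class Context:
    """Assertion-neutral request context; the field names are an assumption."""
    subject: dict
    resource: str
    action: str


def from_saml(xml_text: str) -> Context:
    """Transform for SAML 1.0-style queries (one of several pluggable transforms)."""
    root = ET.fromstring(xml_text)
    ns = {"samlp": SAMLP, "saml": SAML}
    subject = {"id": root.findtext("saml:Subject/saml:NameIdentifier", namespaces=ns)}
    # Pull attribute statements out of the evidence into flat subject attributes.
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", ns):
        subject[attr.get("AttributeName")] = attr.findtext("saml:AttributeValue", namespaces=ns)
    return Context(subject=subject, resource=root.get("Resource"),
                   action=root.findtext("saml:Action", namespaces=ns))


def from_flat(query: dict) -> Context:
    """Transform for a non-SAML caller (constructed format: a flat dict).
    The PDP below never sees which format the request arrived in."""
    return Context(subject={"id": query["user"], "role": query.get("role")},
                   resource=query["resource"], action=query["action"])


@dataclass
class Decision:
    effect: str                      # "Permit" or "Deny"
    obligations: list = field(default_factory=list)   # (plugin name, params)


def evaluate(ctx: Context) -> Decision:
    """Toy PDP: managers may Read reports, with the obligation that access is logged."""
    if (ctx.resource.startswith("https://example.test/reports/")
            and ctx.action == "Read" and ctx.subject.get("role") == "manager"):
        return Decision("Permit", [("log", {"subject": ctx.subject["id"],
                                            "resource": ctx.resource})])
    return Decision("Deny")


# Enforcement plugin modules (the minutes mention logging, encryption, etc.).
AUDIT_LOG: list = []


def log_plugin(params: dict) -> bool:
    AUDIT_LOG.append(params)
    return True


PLUGINS = {"log": log_plugin}


def enforce(decision: Decision, plugins=PLUGINS) -> str:
    """PEP: a Permit stands only if every obligation is discharged; otherwise Deny."""
    if decision.effect != "Permit":
        return "Deny"
    for name, params in decision.obligations:
        plugin = plugins.get(name)
        if plugin is None or not plugin(params):
            return "Deny"        # unknown or failed obligation: fail closed
    return "Permit"


def authorize(ctx: Context, plugins=PLUGINS) -> str:
    return enforce(evaluate(ctx), plugins)


if __name__ == "__main__":
    print(authorize(from_saml(SAML_QUERY)))          # Permit, and AUDIT_LOG gets an entry
    print(authorize(from_saml(SAML_QUERY), plugins={}))   # Deny: nothing can log
```

The point of the two transforms is the one made in the minutes: the policy and the enforcement logic only ever see the Context, so a SAML version change touches from_saml and nothing else. The enforce function encodes the patent description's last sentence, that an obligation the enforcement module cannot satisfy turns a Permit into a Deny.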