Subject: [xacml] XACML June 20, 2002 Minutes


Title: XACML Conference Call Minutes

XACML Conference Call

Date:  Thursday, June 20, 2002

Time: 10:00 AM EDT

Tel: 512-225-3050 Access Code: 65998

 

Minutes of Meeting (Not an official meeting, so do not need to be approved)

 

Summary

F2F group summarized progress from first day. Questions were raised regarding minutes and context information. Main issue was the decision to split the schema and possibly the document as well. Some discussion was held on scheduling and having another F2F at the end of July.

 

Action Items

  1. Ernesto to send to Anne non-normative examples of policy signatures after exams complete.
  2. Ken to send out updated issues list in next week.
  3. Anne needs one more week to put together single, concise example
  4. Carlisle/Simon to release version 15 of spec in ~ 10 days.
  5. Tim - first draft of Access Control background due 7/19
  6. Set new due date for XACML primer from Hal and Konstantin
  7. Hal to take over section 6 of specification. Hal agreed to propose something for section 6 regardless of XrML.
  8. Examples to be created and posted to list showing useful split of schema
  9. Tentative planning of final F2F at end of July (week of 22nd or 29th)

 

Action Items on Hold

  1. Resolve IP issues with IBM. On hold waiting on OASIS to discuss IP issues with IBM in 1 to 1 ½ weeks.
  2. Anne to go over request context with Eve Maler to see which parts make sense to fold into SAML after finalizing of SAML issue list. On hold, waiting for context issues to be resolved.

 

 

Votes

No official votes taken. Informal agreement to allow F2F group to continue forward with breaking schema into two parts - framework and extensions. (see F2F minutes for specifics)

 

Proposed Agenda:

11:30-11:35 Roll Call and Agenda Review

11:35-11:40 Vote to accept minutes of June 13 meeting

http://lists.oasis-open.org/archives/xacml/200206/msg00055.html

11:40-11:45 Review of Action Items (see 6/13 minutes)

11:45-12:30 Participation in on-going F2F meeting (Bill, Tim)

(see both sets of minutes posted to list on June 19th)

 

Roll Call

Simon Godik, Self

Ken Yagen, Crosslogix

Carlisle Adams, Entrust

Tim Moses, Entrust

Michiharu Kudoh, IBM

Bill Parducci, Self

Anne Anderson, Sun Microsystems

Gerald Brose, Xtradyne

Prospective

Daniel Engovatov, Crosslogix

 

 

Raw Minutes (taken by Ken Yagen)

 

Not enough for quorum so cannot approve minutes

 

Review of Action Items

  1. Ken to send list of members to Tim and Michiharu

Complete

  2. Anne to send message to Ernesto to ask him what he is doing on non-normative examples of policy signatures

Ernesto will send back to Anne what he has done after exams are complete

  3. All - submit any issues related to SAML changes to issues list (no deadline assigned but SSTC is putting together a work list right now). Please highlight to Ken any issues so they can be grouped into issues list.

Waiting for resolution of request context before we can send the list to SAML. Also response context and multiple decisions.

  4. Anne - go over request context with Eve Maler to see which parts make sense to fold into SAML.

Have given basic outline to Eve. Will approach after we are ready.

  5. Ken to add request context and authz decision issues to SAML issue list

Some items maybe from F2F. Will send out updated issues list in next week.

  6. Anne to submit single, more concise example by Face to Face

Need one more week.

  7. All - review issues list and submit resolutions for issues that have been resolved by the TC or proposed resolutions for issues you believe can be closed. Also, provide any information on new issues not included in the list.

Ongoing

  8. Tim to release version 14 of spec

Complete

  9. Tim to lead Access Control background subcommittee

Begun over email. 7/19 for first draft.

Items on Hold

  1. Waiting on OASIS to discuss IP issues with IBM in 1 to 1 ½ weeks
  2. Hal to take over section 6 of specification (on hold until XrML issue resolved) Hal - maybe should propose something for section 6 anyways, regardless of XrML.
  3. XACML primer from Hal and Konstantin needs new due date based on context work

 

Summary of F2F Day 1

Concentrated on context and "typing"

Main issue on typing is built-in predicates and functions. Proposal is to split current document and schema into two. Framework (policy statements, sets, rules, down class diagram until reach predicates). Then an abstract type for predicate and function, and concrete type definitions would be in second document extending schema of first document. Different function for each datatype (i.e., date/time). Would define attribute types that are acceptable (i.e., date + duration okay, date + date not). Moves extensibility point up to the abstract idea of a function. Functions have general characteristics which will be defined.

 

Got most of way through request context. Schema sent out this morning intended to reflect the discussions. Michiharu presented a problem we had not addressed before - PDP giving multiple decisions.

 

Carlisle - almost identical to what XRML is doing. Do not see the value but do not have objections.

 

General discussion could not give specific reasons for need for two documents.

 

Similar to SAML, may have different levels/grades of conformance - framework only or extensions as well.

 

Simon - predicate expressions will stay in main document. Will require conformance to core set of predicates.

 

Carlisle - Binding to programming languages?

Daniel - Raised before discussion standard function extensions.

 

Gerald - would help to see one or two concrete examples of useful split of framework and constraint language on the list.

 

Carlisle - comments on context. Action not always required?

Anne - Action is sometimes implied by the resource. You just want access, but not defined type of action. J2SE does this as well.

Carlisle - Attribute locator is xs:string, not any URI?

Simon - This element will be simplified.

Anne - Attribute designator as SAML uses is being used in two different ways in XACML. Attribute that appears in the context has all the information in it. In policy itself, just want to specify enough info to identify the attribute you want so can select it out of the context.

Carlisle - Use attribute designator in policy, attributes in context.

Anne - may want to use different term to reduce confusion with SAML.

Tim - not fully baked. Needs to be cleaned up and attribute locator will maybe be removed.

 

Carlisle - resource digest?

Simon - is a resource attribute.

Tim - Not reflected in schema, but will be in section 7. Having an identifier will allow attribute pointer in policy to point to the digest.

 

Carlisle - decision and obligation type not in context? Taking them from core policy schema?

Tim - Yes

 

Tim - Is there any objection to the split?

 

Ken - If this is a decision needed to make progress at rest of F2F, then should go ahead with it.

 

Carlisle - what is the sense of people in terms of making progress?

Tim - If can get typing and context out of way and reflected in v15 in next 10 days, then have technical work on LDAP profiles, then it's tidying up work.

 

Anne - Question - submission to OASIS, three companies have to say successfully using this. Defined as passing test cases.

 

Carlisle - Test cases will be an input context instance, policy instance and output context instance.

 

Anne - That does not require an LDAP profile, for example. Some of these profiles could be secondary documents later.

Tim - LDAP profile not required for conformance.

 

Carlisle - spec needs to be stable by end of July to give people time to implement in August. Will we need another F2F?

 

General feeling was that should plan for cleanup and would need quorum to take a vote on the spec.

 

F2F probably after SAML interop - week of 22nd or 29th of July. Give August for implementations and wording.

 

Possible implementations - Bill/Simon, IBM yes; Entrust, Sun, Hitachi, CrossLogix possible

 

V15 - Simon for schema and Carlisle to put it together.


