Subject: [xacml] Thurs pm minutes


Colleagues - Here are the raw minutes of the Thursday discussions.  All the best.  Tim.

Minutes
XACML meeting
Afternoon 20th June 2002

Present:
Anne Anderson
Tim Moses
Daniel Engovatov
Bill Parducci
Simon Godik
Michiharu Kudoh

V 15 section 6 should be of the same style as section 5.

We intend to have updated schema available by 28 June.  Because the specification contains examples, it seems unlikely that we can update those to be consistent with the new schema by 28th June.

1. Context response

Simon wants to schedule a discussion on the use of AttributeDesignator in policy.
The 02c context schema will be modified to include the attributes that we won't call "SearchBase" and "Syntax".

Discussed the context response.  Discussed "advice".  Advice might be used for identifying missing attributes to the PEP by the PDP.

In the SAML world, the samlp:response is an assertion and it has to be built from the response context.  The assertion may contain validity information.  Where does this come from?  Should we support a decision-caching model?  Validity is optional in the SAML schema.

The identifier of the rule that was used to determine the decision is another attribute that may be returned in the response.

Advice will be an optional element.  It will not be mandatory to implement by either the PDP or PEP.  However, we will define one kind of advice: missing attributes.

We decided to leave out conditions in v 1.0.

Multiple responses - Response is unbounded.  Then resource is a sequence of decision, resource, obligations and advice.

Response is singular, sequence of decision.  Decision is a sequence of effect, resource (optional), obligations (optional) and advice.

Discussion of attribute designators in policy.  Simon describes the current solution: a free-form XPath into the context.  The alternative is to provide a designator that contains elements or attributes for the attribute meta-data.  The first alternative is powerful and flexible.  The second is straightforward and tuned to the application.  Simon advocates the first approach for resource and the second for everything else, particularly subject. 

Tim suggests that the specification could define some constants whose values are the XPath expressions into the context to retrieve particular attributes.

There was confusion over the ability of the "selector" profile of XPath to support the ".." operator.

Daniel suggests that the attribute designator may have to contain a SQL expression.  Maybe this should be considered after v 1.0.

In v1.0 we'll use the first approach with the "selector" subset of XPath.

Suggested face-to-face July 30, 31 and Aug 1 in Boston.

Actions:
Background, TM, 19 July
Conformance, AA, 1 Aug ... conformance matrix and (later) test cases
Profiles - LDAP, TM, F2F7
Profiles - SAML, MK, 10 July ... XSLT transformation between req/res and context
Profiles - DSig, AA, 10 July
Profiles - XACML - XML resource, MK, 1 Aug
Example, SG, F2F7 ... replace saml request by XACML context
Context, TM, v15 ... treat like section 5
Identifiers, BP, v15
Security and privacy, JM, 8 July ... present at telecon
-----------------------------------------
Tim Moses
Tel: 613.270.3183
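Added example, not from these minutes or from any XACML draft: a toy PDP in Python that follows the two design points discussed above. Policy attribute designators are written as XPath expressions into the request context (the "selector" approach, here the limited XPath subset that xml.etree supports), and the result is serialized as a singular Response containing a Decision made up of effect, optional resource, optional obligations and advice, with "missing attributes" as the one defined kind of advice and the id of the deciding rule attached. The context layout, element and attribute names, rule, obligation id and the use of "Indeterminate" for the missing-attribute case are all assumptions of this example, not the 02c schema.

```python
# Added example (not from the minutes or the XACML drafts): a toy PDP that
# resolves policy attribute designators written as XPath into a request
# context and builds Response > Decision > Effect, Resource, Obligations,
# Advice. All names, the context and the rule below are assumptions.
import xml.etree.ElementTree as ET

# Constructed request context; the layout is assumed, not the 02c schema.
CONTEXT_XML = """<Request>
  <Subject>
    <Attribute Name="role">physician</Attribute>
  </Subject>
  <Resource Id="urn:example:record:123">
    <Attribute Name="record-type">medical</Attribute>
  </Resource>
  <Action>
    <Attribute Name="action-id">read</Attribute>
  </Action>
</Request>"""

# One rule whose designators are XPath expressions into the context.
# xml.etree implements only a subset of XPath, which plays the role of
# the "selector" subset the minutes settle on for v1.0.
RULE = {
    "id": "urn:example:rule:1",          # assumed rule identifier
    "effect": "Permit",
    "obligations": ["log-access"],       # assumed obligation identifier
    "conditions": [
        ("./Subject/Attribute[@Name='role']", "physician"),
        ("./Action/Attribute[@Name='action-id']", "read"),
        ("./Resource/Attribute[@Name='record-type']", "medical"),
    ],
}


def resolve(ctx, designator):
    """Text of the first context node the designator selects, or None
    when the attribute is absent from the context."""
    node = ctx.find(designator)
    return None if node is None else (node.text or "")


def evaluate(context_xml, rule):
    """Evaluate one rule against a context and return the decision parts
    the minutes list: effect, resource, obligations, advice, rule id."""
    ctx = ET.fromstring(context_xml)
    resource = ctx.find("./Resource")
    resource_id = None if resource is None else resource.get("Id")
    missing = [d for d, _ in rule["conditions"] if resolve(ctx, d) is None]
    if missing:
        # An attribute the rule needs is not in the context: tell the PEP
        # which designators failed via "missing attributes" advice.
        # (Using "Indeterminate" as the effect here is an assumption.)
        return {"effect": "Indeterminate", "rule-id": rule["id"],
                "resource": resource_id, "obligations": [],
                "advice": {"missing-attributes": missing}}
    matched = all(resolve(ctx, d) == want for d, want in rule["conditions"])
    if not matched:
        return {"effect": "NotApplicable", "rule-id": rule["id"],
                "resource": resource_id, "obligations": [], "advice": {}}
    return {"effect": rule["effect"], "rule-id": rule["id"],
            "resource": resource_id, "obligations": list(rule["obligations"]),
            "advice": {}}


def to_response_xml(decision):
    """Serialize as the singular Response > Decision sequence discussed."""
    resp = ET.Element("Response")
    dec = ET.SubElement(resp, "Decision", RuleId=decision["rule-id"])
    ET.SubElement(dec, "Effect").text = decision["effect"]
    if decision["resource"] is not None:
        ET.SubElement(dec, "Resource", Id=decision["resource"])
    if decision["obligations"]:
        obs = ET.SubElement(dec, "Obligations")
        for ob in decision["obligations"]:
            ET.SubElement(obs, "Obligation", Id=ob)
    if decision["advice"]:
        adv = ET.SubElement(dec, "Advice")
        for d in decision["advice"].get("missing-attributes", []):
            ET.SubElement(adv, "MissingAttribute", Designator=d)
    return ET.tostring(resp, encoding="unicode")


if __name__ == "__main__":
    print(to_response_xml(evaluate(CONTEXT_XML, RULE)))
    # Drop the role attribute to see missing-attribute advice come back.
    stripped = CONTEXT_XML.replace(
        '<Attribute Name="role">physician</Attribute>', "")
    print(to_response_xml(evaluate(stripped, RULE)))
```

The point worth noticing is the second run: with the subject's role removed from the context, the PDP does not silently fall through to a default, it names the designator it could not resolve so the PEP can fetch the attribute and resubmit, which is the use of advice the minutes describe.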
