Subject: [xacml] Anne's Notes on the F2F


Attached are Anne's notes on and schema issues from the F2F 7/30/02.

Don

=================
Don Flinn
Chief Security Architect
Quadrasis 
Hitachi Computer Products (America), Inc.
Tel: 781-768-5829
don.flinn@quadrasis.com


Title:  Notes: XACML Face-to-Face Meeting
Date:   30 July 2002
Author: Anne Anderson

Present: Polar, Hal, Don, Anne, Bill, Carlisle, Simon, Tim

AGENDA
======

July 30:

9:00-12:00 Walkthru of latest version of document and schema to identify
items to be discussed.

12:00-1:00 Lunch

1:00-5:00 Combine items from morning and items from schema subcommittee list
and discuss and resolve each

July 31: 

9:00-12:00 Continue discussion of items

12:00-1:00 Lunch

1:00-3:00 Presentation of Policy Signatures Examples and discussion

          Presentation of Conformance Test Cases and discussion

3:00-4:00 Work on identifiers section

4:00-5:00 Discuss conformance profiles

Aug 1:

9:00-10:00 Discuss security and privacy section

10:00-11:00 Presentation of LDAP Profile and discussion

11:00-12:00 Open for deferred or new items

12:00-1:00 Lunch

1:00-5:00 Review issues list for items to close or defer

30 July 2002

Goal: after end of 1 Aug 2002, all that is left to do to document is
to type in changes already agreed upon.

ACTION ITEMS:
- [Simon, 1 Aug 2002] Review glossary terms: missing, update.
- [Tim, 15 Aug 2002] Finish Background section.  Add Target.
- [Anne, 29 July 2002] Add simple example to Example section.
- [Simon, 1 Aug 2002] update and correct the existing example in
  Example section.
- [Anne, 30 July 2002] Give Simon list of edits sent to Tim on
  Examples.
- [Tim, 15 Aug 2002] Highlight boxes in XACML Context section to show
  which pieces are specified by XACML, and which are outside XACML
  scope.
- [Tim, 15 Aug 2002] Figure 1: update to show PDP has nothing to do
  directly with the PIP.  Replace "PDP" in the figure with a "context
  constructor" or something like that.  PDP interacts only with the
  "context constructor".
- [Bill, 1 Aug 2002] Check UML-ness of Figure 3 (Tim to give Bill a
  software copy), and update it.
- [Tim, 15 Aug 2002] Figure 3: add switch under "condition" so it can
  take function or attribute.
- [Tim, 15 Aug 2002] Section 4: label two "Target" sections
  appropriately (one is for Rule, other is for PolicyStatement).  Make
  it clear that, regardless of how target is generated, evaluation of
  policy is the same.
- [Simon, 15 Aug 2002] For each Policy syntax element, specify how PAP
  deals with it and how PDP deals with it.  Information needed to
  implement the semantics of the element correctly.
- [Bill, 1 Aug 2002] Generate XML Spy representation from the
  schemas.
- [Simon, 1 Aug 2002] Make all definitions in schema global.
- [Michiharu, 14 Aug 2002] Update SAML Profile XSLT, including how to
  put Obligations into a SAML 1.0 AuthorizationQueryResponse.
- [Hal, 14 Aug 2002] Add IPR section (required by OASIS).  Discuss
  IBM's claimed IP on obligations.
- [Anne, 14 Aug 2002] Update XML Digital Signature profile.
- [Anne, 14 Aug 2002] Update "XACML extensibility  points" to make
  sure it includes anything needed for J2SE extensions.
- [Hal, 14 Aug 2002] Write paragraph on pitfalls of negative rules for
  the "Security and privacy" section.
- [Don, 14 Aug 2002] Write up "threats" for "Security and privacy"
  section.
- [Michiharu, 14 Aug 2002] Generate XSLT to convert a Response into
  the minimal form used by Conformance Test cases.
- [Anne, 14 Aug 2002] Generate list of schema elements, combining
  algorithms, identifiers, functions, arranged by Section # for
  Conformance section of document.
- [Tim, 14 Aug 2002] Fold Background references into document
  references section.

DECISIONS

- Keep structure of the document the same: Non-normative sections,
  normative sections.
- Generate XML Spy representation of schemas, but publish this on the
  web site as a separate element.
- Use only global element references and global type definitions in
  the schema.  Example: Use <xs:element
  ref="xacml:PolicySetStatement"/>, rather than <xs:element
  name="PolicySetStatement" type="PolicySetStatementType"/>.  Naming
  convention: if element is "X", type is "XType".  Advantages:
  o consistency for readers of the schema.
  o can omit qualified elements and attributes.
  o makes sure names of elements stay same when type is same.
- Put function names and legal type combinations (Section 6) in an
  appendix.
- Put identifiers (Section 8) in an appendix.
- Put combining algorithms (Section 9) in an appendix.
- Profiles: a way of using XACML within a particular application
  context.
- Move LDAP profile into another section: this is "how to use LDAP to
  retrieve ID references in XACML", not "how to use XACML to implement
  LDAP access control"
- Conformance Tests: define "conformance" as taking a Request
  "consistent with" the specified Request.xml document, and taking the
  specified Policy.xml document, must produce a Response "consistent
  with" the specified Response.xml document.  "Consistent with" means
  must be capable of being converted algorithmically.
- "Successfully using" goal is that all mandatory-to-implement
  functionality be implemented and testable.  But, if we don't have 3
  fully compliant implementations as we get close to Sept. 1, we can
  redefine "successfully using" as a subset.
- Remove "Conformance Test" description of "conformant PAP".
- Commitments: Simon (OverXeer), Michiharu (IBM).  CrossLogix can't
  commit to be compliant by Sept. 1.  Reuters is implementing, but we
  don't know if they can commit for Sept. 1.  Carlisle will contact
  Reuters to see if they will commit.
- Acknowledgements section will include only voting members as of time
  of approval as an OASIS Committee Specification.

Title:   XACML schema issues
Author:  Anne Anderson
Version: 1.21, 02/07/29 (yy/mm/dd)
Source:  /net/labeast.east/files2/east/info/projects/isrg/xacml/docs/SCCS/s.SchemaIssues.txt

ISSUES:

34. [Michiharu] XPath Subset
    http://lists.oasis-open.org/archives/xacml/200207/msg00066.html
    http://lists.oasis-open.org/archives/xacml/200207/msg00162.html

    <AttributeSelector> is used to specify XPath expression in
    the <target> element. I am assuming that
    <AttributeDesignator> will be used for the expression without
    XPath. Four new functions are used to compare values.

      function:general-string-equal
      function:boolean
      function:node-equal
      function:xpath-match

    <XPathVersion> element in <Defaults> element is used to
    specify the version of the XPath expression used in the
    policy. Schema definition will be posted by Simon.

    OPEN: Simon and Michiharu will resolve this since they are
    the prime users of XPATH in XACML.

36. [Anne] attribute references and indeterminate results
    Long, verbose, religious, tedious thread starts with:
      http://lists.oasis-open.org/archives/xacml/200207/msg00071.html
    Subsidiary thread (pdp status element):
      http://lists.oasis-open.org/archives/xacml/200207/msg00140.html

    Some sub-issues and options

    Order of evaluation
    a. In what order MUST arguments be evaluated
       Implementation-dependent unless the function definition
       specifies an order.  orderedOr and orderedAnd are the only
       standard functions we have defined that specify an order.
    b. MUST all arguments be evaluated?
       No, if a result can be returned without evaluating all.  You
       could define a custom function that requires evaluating all
       arguments, but none of our standard functions does this.
    c. MAY all arguments be evaluated, even if not required to reach a
       function result?
       Yes, but can never change the overall result.

    Operational errors (e.g. divide by 0) and missing information
       (AttributeDesignator returns empty set)
    a. Reporting of errors via the response obtained while evaluating
       a request by PDP:

       Reporting by PDP in the Response is optional.  PDP MAY include
       error information in the Status element of the Response.  PEP
       must not depend on the PDP supplying this information.

    b. Operational errors and missing information are handled as follows
       - Standard OR and ORDERED-OR implementation:

         Evaluate arguments in any order (or in specified order)
         IF (you receive an error or null AttributeDesignator result) {
             Go on to next argument evaluation unless all evaluated
             IF (you get at least one TRUE) {
                  return TRUE
             } ELSE {
                  return error (which may be a set of errors)
             }
         } ELSE IF (you get at least one TRUE) {
              return TRUE
         } ELSE {
              return FALSE
         }

       - Standard AND and ORDERED-AND implementation:

         Evaluate arguments in any order (or in specified order)
         IF (you receive an error) {
             Go on to next argument evaluation unless all evaluated
             IF (you get at least one FALSE) {
                  return FALSE
             } ELSE {
                  return error (which may be a set of errors)
             }
         } ELSE IF (you get at least one FALSE) {
              return FALSE
         } ELSE {
              return TRUE
         }

       - function:present: returns TRUE if argument is
         not {}.  Returns FALSE if argument is {}.  If evaluating
         argument results in an error, return error.
       - function:not  returns TRUE if argument is FALSE,
         returns FALSE if argument is TRUE.  If argument results in an
         error, return error.
       - Other standard functions: return "error" if any argument is an
         error or if an operational error in computing the function
         occurs.
       - Custom functions must behave like "Other standard functions"
         unless specific handling of errors is specified.

    c. What is Rule result if Condition evaluates to (exactly same as
       table in v15 of specification):
       - operational Error?
         INDETERMINATE(error=operational error)
       - "necessary information not available"?
         INDETERMINATE (error=missing information)
       - FALSE?
         NOT APPLICABLE
       - TRUE?
         PERMIT or DENY (as specified in rule's Effect)

    d. What is Rule result if Target evaluates to FALSE?
       NOT APPLICABLE

    e. Combining Algorithms must specify how PERMIT, DENY,
       INDETERMINATE, and NOT APPLICABLE are handled.  Standard
       algorithms already do this.

    f. If operational errors are reported, how is the type of
       error reported?
       Reported via Status element in Response

    CLOSED: See decisions above.
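    The or/and/not/present error-handling rules of sub-issue (b) and the
    Rule result mapping of sub-issues (c) and (d), as an added Python
    example that is not part of Anne's notes; the names Indeterminate,
    EMPTY, xacml_or, xacml_and, xacml_not, present and evaluate_rule are
    this example's own, and it assumes an empty AttributeDesignator
    result counts as "missing information" in both or and and.

```python
# Added example (not from the XACML notes): lazy, error-aware evaluation
# of the standard or/and/not/present functions and the Rule result table.
from dataclasses import dataclass
from typing import Callable, Tuple, Union

@dataclass(frozen=True)
class Indeterminate:
    """Error result carrying one or more error kinds ("operational"/"missing")."""
    errors: Tuple[str, ...]

EMPTY = frozenset()                       # empty AttributeDesignator result
Value = Union[bool, frozenset, Indeterminate]
Arg = Callable[[], Value]                 # arguments are evaluated lazily

def _as_error(v: Value):
    """Errors pass through; an empty set becomes a missing-information error."""
    if isinstance(v, Indeterminate):
        return v
    if isinstance(v, frozenset) and not v:
        return Indeterminate(("missing",))   # assumption: missing info is an error
    return None

def xacml_or(*args: Arg) -> Value:
    """or / ordered-or: a TRUE wins outright; otherwise any error beats FALSE."""
    errors: Tuple[str, ...] = ()
    for arg in args:
        v = arg()
        if v is True:
            return True                   # remaining arguments need not be evaluated
        err = _as_error(v)
        if err:
            errors += err.errors          # keep going: a later TRUE can still win
    return Indeterminate(errors) if errors else False

def xacml_and(*args: Arg) -> Value:
    """and / ordered-and: a FALSE wins outright; otherwise any error beats TRUE."""
    errors: Tuple[str, ...] = ()
    for arg in args:
        v = arg()
        if v is False:
            return False
        err = _as_error(v)
        if err:
            errors += err.errors
    return Indeterminate(errors) if errors else True

def xacml_not(arg: Arg) -> Value:
    """not: flips a boolean, propagates an error unchanged."""
    v = arg()
    return _as_error(v) or (not v)

def present(arg: Arg) -> Value:
    """present: TRUE if the argument is not {}, FALSE if it is {}, error propagated."""
    v = arg()
    if isinstance(v, Indeterminate):
        return v
    return not (isinstance(v, frozenset) and not v)

def evaluate_rule(target: bool, condition: Arg, effect: str) -> Tuple[str, Tuple[str, ...]]:
    """Rule result per (c)/(d): (decision, error kinds for the Status element)."""
    if not target:
        return ("NotApplicable", ())
    v = condition()
    if isinstance(v, Indeterminate):
        return ("Indeterminate", v.errors)
    return (effect if v is True else "NotApplicable", ())
```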

37. [Michiharu] Use of XPath with namespaces.
    http://lists.oasis-open.org/archives/xacml/200207/msg00056.html

    Namespace URI functions and Global Name functions.  Another
    option: namespace prefix in the XPATH expression, but this
    needs some assumptions on the target document.

    OPEN: Perhaps turn this over to Simon and Michiharu along
    with #34?

38. [Daniel] Split non-null-set-intersection function
    http://lists.oasis-open.org/archives/xacml/200207/msg00076.html [1)]
    [Tim] http://lists.oasis-open.org/archives/xacml/200207/msg00077.html

    Split non-null-set-intersection into intersection(list, list)
    - returning xs:list and not-empty(list), returning boolean.

    CLOSED: split function as suggested. (NOTE different closure from
    original)

44. [Simon] Schema for advice/status in xacml:Response
    http://lists.oasis-open.org/archives/xacml/200207/msg00126.html

    CLOSED: Use Response schema in 16a, which replaces xacml:Advice with
       xacml:Status schema.  XSLT that transforms xacml:Response into
       saml:AuthorizationDecisionResponse will translate certain
       xacml:Status values into saml:Advice elements.  Status is
       allowed with any DecisionType value (Permit, Deny,
       Indeterminate, NotApplicable).

45. [All] Can AttributeDesignator be simpler than XPATH?
    [Anne] http://lists.oasis-open.org/archives/xacml/200207/msg00095.html
    [Simon] http://lists.oasis-open.org/archives/xacml/200207/msg00130.html
    [Michiharu] http://lists.oasis-open.org/archives/xacml/200207/msg00131.html
    [Simon example] http://lists.oasis-open.org/archives/xacml/200207/msg00152.html

    CLOSED: Use Simon's proposal.  This 1) flattens the Context, 2)
    includes AttributeSelector (not mandatory to implement) for when
    you want/need to use XPATH, and 3) includes AttributeDesignator
    (mandatory) for referencing XACML-defined elements of the Request
    context.  Either XPATH or application-specific functions will be
    required for retrieving sub-components of an attribute or of the
    resource content.

46. [Anne] Replace saml:AssertionType with xacml:AssertionType
    http://lists.oasis-open.org/archives/xacml/200207/msg00097.html
    Error in mailing: "sequence" should be "choice".

    saml: Assertion currently referenced only in PolicySetType (as
       PolicyAssertion and PolicySetAssertion).  Should also have a
       Policy[Set]Designator in this list.  Note: we have no way in
       XACML syntax to refer to any elements in an Assertion header.
       Only a Combining Algorithm could possibly refer to anything in
       an Assertion header.

    Options:
    1. Extend saml:AssertionType to include element
       ref="xacml:PolicySetStatement" and element
       ref="xacml:PolicyStatement"
    2. Define our own xacml:AssertionType.
    3. Don't try to deal with assertions in XACML schema at all.
       Remove AssertionDesignator, PolicySetAssertion, and
       PolicyAssertion from xacml:PolicySetType.

    CLOSED: #3.

49. [Michiharu] Which regular expression definition to use?
    http://lists.oasis-open.org/archives/xacml/200207/msg00129.html
    [Anne] http://lists.oasis-open.org/archives/xacml/200204/msg00132.html

    Options:
    1. Use definitions specified in XML Schema part 2: Datatypes,
       Appendix F Regular Expressions. (Bill says same as perl)
    2. Basic regular expressions (BRE) as defined in POSIX
       specification 2:
       http://www.opengroup.org/onlinepubs/007908799/xbd/re.html#tag_007_003
    3. Extended regular expressions (ERE) as defined in POSIX
       specification 2 (these add an "or" metacharacter so you
       can match on one of multiple separate regular expressions)
       http://www.opengroup.org/onlinepubs/007908799/xbd/re.html#tag_007_003
    4. Use whatever J2SE supports.

    OPEN: Anne (and any others) will investigate which
    definitions are implemented in freely available sources
    (e.g. J2SE).

52. [John Howard] Support OR in Target
    http://lists.oasis-open.org/archives/xacml-comment/200207/msg00000.html

    Supporting OR in Target, either explicitly or implicitly,
    would make merging Targets easier.

    Michiharu: important to support "Target Subject is manager OR
    Subject is secretary".  Currently need to handle this in
    Condition.

    OPEN: Defer until Face-to-Face.

55. [Anne] PDP response when no policies at all apply

    CLOSED: return NOTAPPLICABLE
       (Use a base policy with PolicyCombiner and Any-Targets if you don't
       want this behavior).  Change Response context to have
       NOTAPPLICABLE as a fourth possible DecisionType choice.

Following added July 30 during walkthru of latest version of document and schema.

56. [Daniel] No-match cases in Rule truth table (Table 1)

    Are these correct?

    OPEN:    

57. [Simon] Should Rule Target be optional?

    If Policy target is computed by union of Rule targets, then Rule
    Target should not be optional.

    OPEN:

58. [Anne] Order schema definitions alphabetically?

    OPEN:

59. [Hal] How to specify semantics of functions.

    Options:
    o Cut and paste from XPATH 2.0
    o Omit >2 multiple operands from XACML

    OPEN:

60. [Simon] Keep Permit-overrides combining algorithms?

    OPEN: 

61. [All] Dynamic attributes: how are they referenced and retrieved?

    Define a schema for the "static context"?  This would be used for
    conveying cached attributes in the form of a Request Context
    between cooperating PDPs.

    CLOSED: Perhaps define such a schema for a later version of XACML.
    Dynamic attributes are referenced and retrieved through the
    "notional" XACML Request Context regardless of whether they are
    supplied by the PEP or retrieved from a PIP.

62. [Simon] DSML profile?

    OPEN: 

63. [Hal] Simplify AttributeDesignators within Target so not recursive?

    Target should be simple enough for a single LDAP retrieval to get
    the relevant policy, etc.

    OPEN:
    
64. Will this TC define a way for PolicyStatement or
    PolicySetStatement to be encapsulated in some sort of Assertion
    for transmission over the network?

    Define way for PolicySetStatement and PolicyStatement to be
    encapsulated in a saml:Assertion.  Current schema supports this
    since PolicySetStatement and PolicyStatement extend
    saml:StatementAbstractType.

    Option:
    1. Do not extend saml:StatementAbstractType in
       mandatory-to-implement XACML policy schema.  Define an optional
       extension to saml that extends AssertionType with
       xacml:PolicySetStatement and xacml:PolicyStatement.  Define
       non-mandatory XACML policy schema extension that defines these as
       extensions of saml:StatementAbstractType.

    CLOSED: #1.

