Subject: [xacml] Anne's Notes on the F2F
Attached are Anne's notes on and schema issues from the F2F 7/30/02.

Don

=================
Don Flinn
Chief Security Architect
Quadrasis
Hitachi Computer Products (America), Inc.
Tel: 781-768-5829
don.flinn@quadrasis.com
Title: Notes: XACML Face-to-Face Meeting
Date: 30 July 2002
Author: Anne Anderson
Present: Polar, Hal, Don, Anne, Bill, Carlisle, Simon, Tim

AGENDA
======

July 30:
  9:00-12:00   Walkthru of latest version of document and schema to identify items to be discussed.
  12:00-1:00   Lunch
  1:00-5:00    Combine items from morning and items from schema subcommittee list and discuss and resolve each

July 31:
  9:00-12:00   Continue discussion of items
  12:00-1:00   Lunch
  1:00-3:00    Presentation of Policy Signatures Examples and discussion
               Presentation of Conformance Test Cases and discussion
  3:00-4:00    Work on identifiers section
  4:00-5:00    Discuss conformance profiles

Aug 1:
  9:00-10:00   Discuss security and privacy section
  10:00-11:00  Presentation of LDAP Profile and discussion
  11:00-12:00  Open for deferred or new items
  12:00-1:00   Lunch
  1:00-5:00    Review issues list for items to close or defer

30 July 2002

Goal: after end of 1 Aug 2002, all that is left to do to the document is to type in changes already agreed upon.

ACTION ITEMS:
- [Simon, 1 Aug 2002] Review glossary terms: missing, update.
- [Tim, 15 Aug 2002] Finish Background section. Add Target.
- [Anne, 29 July 2002] Add simple example to Example section.
- [Simon, 1 Aug 2002] Update and correct the existing example in Example section.
- [Anne, 30 July 2002] Give Simon list of edits sent to Tim on Examples.
- [Tim, 15 Aug 2002] Highlight boxes in XACML Context section to show which pieces are specified by XACML, and which are outside XACML scope.
- [Tim, 15 Aug 2002] Figure 1: update to show PDP has nothing to do directly with the PIP. Replace "PDP" in the figure with a "context constructor" or something like that. PDP interacts only with the "context constructor".
- [Bill, 1 Aug 2002] Check UML-ness of Figure 3 (Tim to give Bill a software copy), and update it.
- [Tim, 15 Aug 2002] Figure 3: add switch under "condition" so it can take function or attribute.
- [Tim, 15 Aug 2002] Section 4: label two "Target" sections appropriately (one is for Rule, other is for PolicyStatement). Make it clear that, regardless of how target is generated, evaluation of policy is the same.
- [Simon, 15 Aug 2002] For each Policy syntax element, specify how PAP deals with it and how PDP deals with it. Information needed to implement the semantics of the element correctly.
- [Bill, 1 Aug 2002] Generate XML Spy representation from the schemas.
- [Simon, 1 Aug 2002] Make all definitions in schema global.
- [Michiharu, 14 Aug 2002] Update SAML Profile XSLT, including how to put Obligations into a SAML 1.0 AuthorizationQueryResponse.
- [Hal, 14 Aug 2002] Add IPR section (required by OASIS). Discuss IBM's claimed IP on obligations.
- [Anne, 14 Aug 2002] Update XML Digital Signature profile.
- [Anne, 14 Aug 2002] Update "XACML extensibility points" to make sure it includes anything needed for J2SE extensions.
- [Hal, 14 Aug 2002] Write paragraph on pitfalls of negative rules for the "Security and privacy" section.
- [Don, 14 Aug 2002] Write up "threats" for "Security and privacy" section.
- [Michiharu, 14 Aug 2002] Generate XSLT to convert a Response into the minimal form used by Conformance Test cases.
- [Anne, 14 Aug 2002] Generate list of schema elements, combining algorithms, identifiers, functions, arranged by Section # for Conformance section of document.
- [Tim, 14 Aug 2002] Fold Background references into document references section.

DECISIONS
- Keep structure of the document the same: Non-normative sections, normative sections.
- Generate XML Spy representation of schemas, but publish this on the web site as a separate element.
- Use only global element references and global type definitions in the schema.
  Example: Use <xs:element ref="xacml:PolicySetStatement"/>, rather than <xs:element name="PolicySetStatement" type="PolicySetStatementType"/>.
  Naming convention: if element is "X", type is "XType".
  Advantages:
    o consistency for readers of the schema.
    o can omit qualified elements and attributes.
    o makes sure names of elements stay the same when the type is the same.
- Put function names and legal type combinations (Section 6) in an appendix.
- Put identifiers (Section 8) in an appendix.
- Put combining algorithms (Section 9) in an appendix.
- Profiles: a way of using XACML within a particular application context.
- Move LDAP profile into another section: this is "how to use LDAP to retrieve ID references in XACML", not "how to use XACML to implement LDAP access control".
- Conformance Tests: define "conformance" as taking a Request "consistent with" the specified Request.xml document, and taking the specified Policy.xml document, must produce a Response "consistent with" the specified Response.xml document. "Consistent with" means must be capable of being converted algorithmically.
- "Successfully using" goal is that all mandatory-to-implement functionality be implemented and testable. But, if we don't have 3 fully compliant implementations as we get close to Sept. 1, we can redefine "successfully using" as a subset.
- Remove "Conformance Test" description of "conformant PAP".
- Commitments: Simon (OverXeer), Michiharu (IBM). CrossLogix can't commit to be compliant by Sept. 1. Reuters is implementing, but we don't know if they can commit for Sept. 1. Carlisle will contact Reuters to see if they will commit.
- Acknowledgements section will include only voting members as of time of approval as an OASIS Committee Specification.
Title: XACML schema issues
Author: Anne Anderson
Version: 1.21, 02/07/29 (yy/mm/dd)
Source: /net/labeast.east/files2/east/info/projects/isrg/xacml/docs/SCCS/s.SchemaIssues.txt

ISSUES:

34. [Michiharu] XPath Subset
    http://lists.oasis-open.org/archives/xacml/200207/msg00066.html
    http://lists.oasis-open.org/archives/xacml/200207/msg00162.html

    <AttributeSelector> is used to specify an XPath expression in the <target> element. I am assuming that <AttributeDesignator> will be used for the expression without XPath.

    Four new functions are used to compare values:
      function:general-string-equal
      function:boolean
      function:node-equal
      function:xpath-match

    The <XPathVersion> element in the <Defaults> element is used to specify the version of the XPath expression used in the policy. Schema definition will be posted by Simon.

    OPEN: Simon and Michiharu will resolve this since they are the prime users of XPATH in XACML.

36. [Anne] attribute references and indeterminate results
    Long, verbose, religious, tedious thread starts with:
    http://lists.oasis-open.org/archives/xacml/200207/msg00071.html
    Subsidiary thread (pdp status element):
    http://lists.oasis-open.org/archives/xacml/200207/msg00140.html

    Some sub-issues and options

    Order of evaluation
    a. In what order MUST arguments be evaluated?
       Implementation-dependent unless the function definition specifies an order. orderedOr and orderedAnd are the only standard functions we have defined that specify an order.
    b. MUST all arguments be evaluated?
       No, if a result can be returned without evaluating all. You could define a custom function that requires evaluating all arguments, but none of our standard functions does this.
    c. MAY all arguments be evaluated, even if not required to reach a function result?
       Yes, but this can never change the overall result.

    Operational errors (e.g. divide by 0) and missing information (AttributeDesignator returns empty set)
    a. Reporting of errors via the response obtained while evaluating a request by the PDP:
       Reporting by the PDP in the Response is optional. The PDP MAY include error information in the Status element of the Response. The PEP must not depend on the PDP supplying this information.
    b. Operational errors and missing information are handled as follows:
       - Standard OR and ORDERED-OR implementation:
           Evaluate arguments in any order (or in specified order)
           IF (you receive an error or null AttributeDesignator result) {
             Go on to next argument evaluation unless all evaluated
             IF (you get at least one TRUE) { return TRUE }
             ELSE { return error (which may be a set of errors) }
           }
           ELSE IF (you get at least one TRUE) { return TRUE }
           ELSE { return FALSE }
       - Standard AND and ORDERED-AND implementation:
           Evaluate arguments in any order (or in specified order)
           IF (you receive an error) {
             Go on to next argument evaluation unless all evaluated
             IF (you get at least one FALSE) { return FALSE }
             ELSE { return error (which may be a set of errors) }
           }
           ELSE IF (you get at least one FALSE) { return FALSE }
           ELSE { return TRUE }
       - function:present: returns TRUE if argument is not {}. Returns FALSE if argument is {}. If evaluating the argument results in an error, return error.
       - function:not: returns TRUE if argument is FALSE, returns FALSE if argument is TRUE. If argument results in an error, return error.
       - Other standard functions: return "error" if any argument is an error or if an operational error in computing the function occurs.
       - Custom functions must behave like "Other standard functions" unless specific handling of errors is specified.
    c. What is the Rule result if the Condition evaluates to (exactly same as table in v15 of specification):
       - operational Error? INDETERMINATE (error=operational error)
       - "necessary information not available"? INDETERMINATE (error=missing information)
       - FALSE? NOT APPLICABLE
       - TRUE? PERMIT or DENY (as specified in rule's Effect)
    d. What is the Rule result if the Target evaluates to FALSE?
       NOT APPLICABLE
    e. Combining Algorithms must specify how PERMIT, DENY, INDETERMINATE, and NOT APPLICABLE are handled. Standard algorithms already do this.
    f. If operational errors are reported, how is the type of error reported?
       Reported via Status element in Response

    CLOSED: See decisions above.

37. [Michiharu] Use of XPath with namespaces.
    http://lists.oasis-open.org/archives/xacml/200207/msg00056.html
    Namespace URI functions and Global Name functions. Another option: namespace prefix in the XPATH expression, but this needs some assumptions on the target document.

    OPEN: Perhaps turn this over to Simon and Michiharu along with #34?

38. [Daniel] Split non-null-set-intersection function
    http://lists.oasis-open.org/archives/xacml/200207/msg00076.html
    [1)] [Tim] http://lists.oasis-open.org/archives/xacml/200207/msg00077.html
    Split non-null-set-intersection into intersection(list, list), returning xs:list, and not-empty(list), returning boolean.

    CLOSED: split function as suggested. (NOTE different closure from original)

44. [Simon] Schema for advice/status in xacml:Response
    http://lists.oasis-open.org/archives/xacml/200207/msg00126.html

    CLOSED: Use Response schema in 16a, which replaces xacml:Advice with xacml:Status schema. XSLT that transforms xacml:Response into saml:AuthorizationDecisionResponse will translate certain xacml:Status values into saml:Advice elements. Status is allowed with any DecisionType value (Permit, Deny, Indeterminate, NotApplicable).

45. [All] Can AttributeDesignator be simpler than XPATH?
    [Anne] http://lists.oasis-open.org/archives/xacml/200207/msg00095.html
    [Simon] http://lists.oasis-open.org/archives/xacml/200207/msg00130.html
    [Michiharu] http://lists.oasis-open.org/archives/xacml/200207/msg00131.html
    [Simon example] http://lists.oasis-open.org/archives/xacml/200207/msg00152.html

    CLOSED: Use Simon's proposal.
    This 1) flattens the Context, 2) includes AttributeSelector (not mandatory to implement) for when you want/need to use XPATH, and 3) includes AttributeDesignator (mandatory) for referencing XACML-defined elements of the Request context. Either XPATH or application-specific functions will be required for retrieving sub-components of an attribute or of the resource content.

46. [Anne] Replace saml:AssertionType with xacml:AssertionType
    http://lists.oasis-open.org/archives/xacml/200207/msg00097.html
    Error in mailing: "sequence" should be "choice".
    saml:Assertion is currently referenced only in PolicySetType (as PolicyAssertion and PolicySetAssertion). Should also have a Policy[Set]Designator in this list.
    Note: we have no way in XACML syntax to refer to any elements in an Assertion header. Only a Combining Algorithm could possibly refer to anything in an Assertion header.
    Options:
    1. Extend saml:AssertionType to include element ref="xacml:PolicySetStatement" and element ref="xacml:PolicyStatement"
    2. Define our own xacml:AssertionType.
    3. Don't try to deal with assertions in XACML schema at all. Remove AssertionDesignator, PolicySetAssertion, and PolicyAssertion from xacml:PolicySetType.

    CLOSED: #3.

49. [Michiharu] Which regular expression definition to use?
    http://lists.oasis-open.org/archives/xacml/200207/msg00129.html
    [Anne] http://lists.oasis-open.org/archives/xacml/200204/msg00132.html
    Options:
    1. Use definitions specified in XML Schema part 2: Datatypes, Appendix F Regular Expressions. (Bill says same as perl)
    2. Basic regular expressions (BRE) as defined in POSIX specification 2:
       http://www.opengroup.org/onlinepubs/007908799/xbd/re.html#tag_007_003
    3. Extended regular expressions (ERE) as defined in POSIX specification 2 (these add an "or" metacharacter so you can match on one of multiple separate regular expressions):
       http://www.opengroup.org/onlinepubs/007908799/xbd/re.html#tag_007_003
    4. Use whatever J2SE supports.

    OPEN: Anne (and any others) will investigate which definitions are implemented in freely available sources (e.g. J2SE).

52. [John Howard] Support OR in Target
    http://lists.oasis-open.org/archives/xacml-comment/200207/msg00000.html
    Supporting OR in Target, either explicitly or implicitly, would make merging Targets easier. Michiharu: important to support "Target Subject is manager OR Subject is secretary". Currently need to handle this in Condition.

    OPEN: Defer until Face-to-Face.

55. [Anne] PDP response when no policies at all apply

    CLOSED: return NOTAPPLICABLE (use a base policy with PolicyCombiner and Any-Targets if you don't want this behavior). Change Response context to have NOTAPPLICABLE as a fourth possible DecisionType choice.

Following added July 30 during walkthru of latest version of document and schema.

56. [Daniel] No-match cases in Rule truth table (Table 1)
    Are these correct?

    OPEN:

57. [Simon] Should Rule Target be optional?
    If Policy target is computed by union of Rule targets, then Rule Target should not be optional.

    OPEN:

58. [Anne] Order schema definitions alphabetically?

    OPEN:

59. [Hal] How to specify semantics of functions.
    Options:
    o Cut and paste from XPATH 2.0
    o Omit >2 multiple operands from XACML

    OPEN:

60. [Simon] Keep Permit-overrides combining algorithms?

    OPEN:

61. [All] Dynamic attributes: how are they referenced and retrieved?
    Define a schema for the "static context"? This would be used for conveying cached attributes in the form of a Request Context between cooperating PDPs.

    CLOSED: Perhaps define such a schema for a later version of XACML. Dynamic attributes are referenced and retrieved through the "notional" XACML Request Context regardless of whether they are supplied by the PEP or retrieved from a PIP.

62. [Simon] DSML profile?

    OPEN:

63. [Hal] Simplify AttributeDesignators within Target so not recursive?
    Target should be simple enough for a single LDAP retrieval to get the relevant policy, etc.

    OPEN:

64. Will this TC define a way for PolicyStatement or PolicySetStatement to be encapsulated in some sort of Assertion for transmission over the network?
    Define a way for PolicySetStatement and PolicyStatement to be encapsulated in a saml:Assertion. Current schema supports this since PolicySetStatement and PolicyStatement extend saml:StatementAbstractType.
    Option:
    1. Do not extend saml:StatementAbstractType in the mandatory-to-implement XACML policy schema. Define an optional extension to SAML that extends AssertionType with xacml:PolicySetStatement and xacml:PolicyStatement. Define a non-mandatory XACML policy schema extension that defines these as extensions of saml:StatementAbstractType.

    CLOSED: #1.
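The error-handling semantics agreed under issue 36 above (OR/AND over arguments that may be errors, function:present, function:not, the "other standard functions" rule, and the Rule result table for Condition and Target) written out as an added Python example. This is illustration added here, not code from the TC or from the notes; the Error class, the representation of an AttributeDesignator result as a Python list (bag), and the function names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Error:
    reasons: frozenset  # operational errors and/or "missing information", merged so OR/AND can return a set of errors

def is_error(v):
    return isinstance(v, Error)

def merge_errors(values):
    return Error(frozenset().union(*(v.reasons for v in values if is_error(v))))

def xacml_or(*results):
    """Standard OR / ORDERED-OR: a TRUE anywhere wins; otherwise any error makes the result an error."""
    if any(r is True for r in results):
        return True
    return merge_errors(results) if any(is_error(r) for r in results) else False

def xacml_and(*results):
    """Standard AND / ORDERED-AND: a FALSE anywhere wins; otherwise any error makes the result an error."""
    if any(r is False for r in results):
        return False
    return merge_errors(results) if any(is_error(r) for r in results) else True

def present(bag):
    """function:present: TRUE for a non-empty AttributeDesignator bag, FALSE for {}, an error passes through."""
    return bag if is_error(bag) else len(bag) > 0

def xacml_not(r):
    """function:not: negate a boolean; an error passes through unchanged."""
    return r if is_error(r) else not r

def strict(fn):
    """Any other standard (or custom) function: error if an argument is an error or the computation itself fails."""
    def wrapped(*args):
        if any(is_error(a) for a in args):
            return merge_errors(args)
        try:
            return fn(*args)
        except Exception as exc:  # e.g. divide by zero -> operational error
            return Error(frozenset({f"operational error: {type(exc).__name__}"}))
    return wrapped

def rule_result(target, condition, effect):
    """Rule result as (decision, status reasons) per the table in issue 36 c/d; effect is 'Permit' or 'Deny'."""
    if target is False:
        return ("NotApplicable", ())
    if is_error(condition):
        return ("Indeterminate", tuple(sorted(condition.reasons)))
    return (effect, ()) if condition is True else ("NotApplicable", ())
```

The status reasons tuple models what a PDP MAY place in the Response's Status element; a PEP must not rely on it being present.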