Subject: Minutes of XACML TC Meeting of May 1 2003
Attendees: (voting members) Michiharu Kudo, Anne Anderson, Steve Crocker (scribe), Simon Godik, Bill Parducci, Hal Lockhart, Steve Anderson, Daniel Engovatov, Tim Moses. (prospective member) Frank Siebenlist.

Quorum was reached. Meeting brought to order.

1)
Hal reported on his talk at the Network Applications Consortium (NAC) Spring Meeting. NAC is a meeting of senior technical people (architects, etc.). Organizations may not join, so marketing 'spin' is kept to a minimum. This year's two-day meeting was centered around the theme of moving authorization into the infrastructure. Three real-world scenarios were posed to six vendors, of which Hal was the one who covered XACML and SAML. The vendors spoke on the topic of how their products would address the three scenarios. A lot of interest was shown in the standardized access control languages. Some discussion took place on what level of granularity should be covered by WAM (Web Access Method?) products. Vendors tended to a coarse-grained approach; Hal advocated fine-grained use.

Hal reported that the Burton Group led a discussion on standardized APIs for authorization at NAC. That led to a brief discussion in our phone meeting on APIs. Mention was made of the GARP API, the Open Group API, the SAML authorization decision request as an API, and the Global Grid Forum. Frank said he worked in the same group as Cliff Neuman of the GARP API, but more promise now lies with the Global Grid Forum. Frank is going to send pointers and summary information on the Grid API system and its concentration on port types.

In summary, Hal reported that there was a "large appetite" for something like XACML, and over the next couple of years we can look forward to wide adoption of XACML.

2)
Item A: Fully specify hierarchical resources
Simon got no feedback yet on his writeup. Comments from Seth Proctor got waylaid but will be forwarded by Anne. Simon and Hal clarified that the intended use of hierarchical resources is in the specification of a policy's target (e.g. this policy applies to all objects under this node in a tree), not in the specification of a request (e.g. a single request cannot ask for authorization of an action for all objects under a node in the tree).
solutions to the work items.

Item I: Add an ID attribute so elements can be referenced easily for use with digital signatures
Simon proposes an XPath ID type as a candidate for this attribute type. He is proposing changing the anyURI type to type ID. There was some discussion about issues of signing a policy when the policy contains references to XML.

Item B: Deterministic algorithm for combining obligations
Item G: Obligations in Rule element
Michiharu: items B and G are not yet done. On item G, he wants to hear more on extensions to obligations.

Item E: Condition references
Item F: Properties for conditions
Michiharu: first proposals for these items have been posted.

Item C: References to rules
Anne will repost the proposal for more comments. It seems to have been lost in the flurry.

Item H: Define any elements needed in the XACML schema for use by a digital signature envelope for XACML
Anne stated that this is dropped; the SAML attribute is sufficient. Simon and Anne had a discussion on why, then, we need the ID attribute (Item I).
Anne: When you sign the top policy in SAML, you need references to the policies.
Simon: The example in the Digital Signature document shows you how to sign with a manifest.
Anne: The issue is that when dereferencing a policyID, you may get a different policy.
Various opinions on whether or not digital signatures were too complex to be widely adopted and useful were briefly discussed.

3)
Work Items beyond XACML 1.1

a) Approaches for policy combination and compilation
The comments by Maryann Hondo and Tony Nadalin have not been received. General consensus (no vote) was obtained that we've agreed to the high-level architecture of his proposal and we'll move forward with fleshing out the details. Tim discussed his writeup in terms of three items: 1) version 4 of the use cases; 2) an algorithm for combining/merging policies into one policy; 3) a map from WFDL service or ports to XACML components (see the attachment to Tim's mail of

Tim explained the mapping from WSPL to XACML briefly, as summarized here: A service on a WSPL port maps to an XACML PolicySet (PS) with a resource specifying the port and an action specifying the service. Each aspect of the service on the port maps to a distinct policy under the PS. E.g. reliable messaging maps to one policy, cryptographic security to another policy, and privacy to a third policy. These policies are combined by the PS as a conjunction (by a deny-overrides algorithm). These policies combine their rules as a disjunction (using a permit-overrides algorithm). The condition in each rule must be a conjunction of predicates.

Feedback was that it will need to be more readable, perhaps by starting with an example. The version of WSPL referenced needs to be clearly stated, as the terminology has changed from version 1.0. This will come out sometime after 1.1, as a profile for XACML.
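The following Python sketch is an added illustration of the mapping summarized above; it is not part of the minutes, not Tim's writeup, and not TC code. It models one WSPL port/service as an XACML PolicySet with one Policy per aspect (combined deny-overrides), each Policy's Rules as alternatives (combined permit-overrides), and each Rule condition as a conjunction of predicates over request attributes. The combining-algorithm semantics follow XACML 1.0; the port name "StockQuotePort", the service "getQuote", the aspect attribute names, and the sample requests are all made up for the example. The unconditional default-Deny rule closing each aspect policy is the example's own device, included because without it deny-overrides does not give the conjunction the mapping asks for (an aspect whose alternatives all fail would return NotApplicable, which deny-overrides ignores).

```python
# Added example (not TC code): toy evaluator for the WSPL-to-XACML mapping.
# Combining semantics follow XACML 1.0; names, attributes and requests are made up.
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"
Attrs = Dict[str, object]


@dataclass
class Rule:
    """One WSPL alternative: a conjunction of predicates over request attributes."""
    rule_id: str
    predicates: List[Callable[[Attrs], bool]]
    effect: str = PERMIT

    def evaluate(self, attrs: Attrs) -> str:
        try:
            matched = all(p(attrs) for p in self.predicates)
        except (KeyError, TypeError):
            return INDET  # attribute the predicate needs is missing or malformed
        return self.effect if matched else NA


@dataclass
class Policy:
    """One aspect (e.g. security): alternatives combined permit-overrides."""
    policy_id: str
    rules: List[Rule]

    def evaluate(self, attrs: Attrs) -> str:
        decisions = [r.evaluate(attrs) for r in self.rules]
        # Permit-overrides. Only Permit-effect rules can raise Indeterminate here
        # (the closing default Deny has no predicates), so an Indeterminate is a
        # potential Permit and outranks Deny, as in the XACML rule-combining pseudo-code.
        for d in (PERMIT, INDET, DENY):
            if d in decisions:
                return d
        return NA


@dataclass
class PolicySet:
    """One service on one port: target = (resource=port, action=service);
    aspect policies combined deny-overrides."""
    policy_set_id: str
    port: str
    service: str
    policies: List[Policy]

    def evaluate(self, attrs: Attrs) -> str:
        if attrs.get("resource") != self.port or attrs.get("action") != self.service:
            return NA
        decisions = [p.evaluate(attrs) for p in self.policies]
        # XACML 1.0 policy deny-overrides: any Deny or Indeterminate -> Deny,
        # else any Permit -> Permit, else NotApplicable. Indeterminate fails closed.
        if DENY in decisions or INDET in decisions:
            return DENY
        return PERMIT if PERMIT in decisions else NA


def aspect(policy_id: str, alternatives: List[Rule]) -> Policy:
    """Build an aspect policy whose alternatives are followed by an unconditional
    Deny. That default Deny is what turns deny-overrides into a conjunction of
    aspects: otherwise an aspect with no matching alternative yields NotApplicable,
    which deny-overrides ignores, and another aspect's Permit carries the PolicySet."""
    return Policy(policy_id, alternatives + [Rule(policy_id + ":default-deny", [], DENY)])


# Hypothetical port/service and aspect attributes (constructed for this example).
STOCK_QUOTE = PolicySet(
    "ps:StockQuotePort:getQuote", port="StockQuotePort", service="getQuote",
    policies=[
        aspect("reliable-messaging", [
            Rule("rm:wsrm", [lambda a: a["rm.protocol"] == "WS-ReliableMessaging",
                             lambda a: a["rm.ack-interval-ms"] <= 1000]),
        ]),
        aspect("security", [
            Rule("sec:x509-rsa", [lambda a: a["sec.token"] == "X509",
                                  lambda a: a["sec.sig-alg"] == "RSA-SHA1"]),
            Rule("sec:kerberos", [lambda a: a["sec.token"] == "Kerberos",
                                  lambda a: a["sec.enc"] == "AES-128"]),
        ]),
        aspect("privacy", [
            Rule("priv:no-pii-log", [lambda a: a["privacy.log-pii"] is False]),
        ]),
    ],
)

# Constructed sample request satisfying every aspect.
BASE: Attrs = {"resource": "StockQuotePort", "action": "getQuote",
               "rm.protocol": "WS-ReliableMessaging", "rm.ack-interval-ms": 500,
               "sec.token": "X509", "sec.sig-alg": "RSA-SHA1", "privacy.log-pii": False}


def decide(request: Attrs) -> str:
    return STOCK_QUOTE.evaluate(request)


if __name__ == "__main__":
    print(decide(BASE))                                                  # Permit
    print(decide({**BASE, "sec.token": "UsernameToken"}))                # Deny: no security alternative fits
    print(decide({**BASE, "sec.token": "Kerberos", "sec.enc": "AES-128"}))  # Permit: second alternative
    print(decide({k: v for k, v in BASE.items() if k != "privacy.log-pii"}))  # Deny: Indeterminate fails closed
    print(decide({**BASE, "action": "getHistory"}))                      # NotApplicable: target mismatch
```

The second and fourth requests are the cases worth watching in a real profile: a request that matches none of an aspect's alternatives must end in Deny rather than NotApplicable, and a missing attribute must not be silently treated as "condition false".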
A target date was set for when we vote for submission of this spec as a standard. We'll vote on it at the last general body meeting in September.

Meeting was adjourned.

Next week's focus group agenda is a return to 1.1 work items. Namely:
1) Hierarchical resources proposal
2) Attribute IDs
3) Other items