Notes from Focus Group 14 August 2003

[Anne Anderson <Anne.Anderson@Sun.com>]

Present:
  Frank Siebenlist
  Anne Anderson
  Hal Lockhart
  Steve Crocker

There was no prior agenda, so topics discussed were at the
initiative of the attendees.

1. SAML Authz Req/Resp sidebar at SAML F2F

Frank Siebenlist expressed a preference for holding the proposed
working session between OGSA and XACML TC people on Tuesday or
Wednesday, rather than on Monday.  Anne has sent this preference
to the SSTC chairs.

Frank mentioned that Rebekah Lepro (bekah@nas.nasa.gov, working
on Grid projects at NASA Ames) has a lot of experience with the
difficulty of mapping Attributes between the SAML Attribute
format and the XACML Request format.  He hopes this can also be
addressed in SAML 2.0.

2. New web services policy language use case

Frank described a use case that occurs in the Grid environment
that is not currently included in the "Web-services policy
language use-Cases and requirements" document:

  Schedulers/Brokers match scientists needing computational
  resources (CPU cycles, disk space, bandwidth) with sites
  offering such resources.  Each site has its own policies
  regarding which scientists are authorized to use computational
  resources at that sites, and what limits exist on the use of
  such resources.  This means each site must have a way of
  publishing its access requirements for use by the
  Schedulers/Brokers.

It looks like the XACML Profile for Web-services could handle
this.  It might be easiest if the Profile allowed a published
policy or rule to include attributes of the applicable subjects
in the Target.

Frank said WS-Policy can't handle such a requirement.  It is
clearly in the access control domain, so it is XACML's business
to address it.

3. XACML Policy in SAML Response/Request Conditions

Hal asked for the use cases behind XACML 2.0 Work Items #16 and
17.

Anne said these came from Grid requirements, but also come up in
support of authorization decision optimization.

Use case for XACML Policy in Conditions of AuthzDecision:

An XACML Policy might be included in the response to an SAML
AuthorizationDecisionQuery in cases where a PDP associated with
the Initiator of a Request was unable to completely evaluate the
policy due to lack of information, but where another PDP
associated with the Resource has the missing information (but
perhaps not other information that was available to the first
PDP).  If the first PDP can return an AuthorizationDecision of
the form "Permit IF Condition", where the Condition contains a
partially evaluated policy stripped down to just the predicates
involving the missing information.

Use case#1 for XACML Policy in Conditions of AuthzDecisionQuery:

Used by a resource that has received a Request for services along
with an AuthorizationDecision of the above form.  It passes the
Condition containing the remaining policy to its own PDP for
evaluation.

Use case#2 for XACML Policy in Conditions of AuthzDecisionQuery:

A resource may have its own policy.  It receives requests
directly from subjects.  It passes its policy in the to the PDP
as part of the Conditions element of the SAML
AuthzDecisionQuery.

4. XACML TC FAQ

Hal mentioned that he has a message for the DSS TC that is sent
in response to requests for membership.  This message explains
that the requester should change their member status from
Prospective Member to Observer if they do not intend to
participate regularly in meetings.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692