updated minutes from Sept 18 2003 meeting

[Seth Proctor <Seth.Proctor@Sun.COM>]

In Attendance:
  Anne Anderson
  Steve Anderson
  Michiharu Kudo
  Hal Lockhart
  Tony Nadalin
  Seth Proctor
  Frank Siebenlist

Quorum was reached.

Hal started by addressing some administrative issues:

 1. Called the group's attention to the new TC process which has been
    approved. Of particular interest is the 20% requirement for standard
    approval (SAML 1.1 barely got 10%), though this is likely to change.
    Also, the attestation rules were changed so parties must be
    satisfied with IPR. [1]

 2. We approved the revised minutes from the September 4th meeting

 3. Bill and Hal will both be unavailable for the October 2nd meeting,
    so a temporary chair is needed. Anne Anderson volunteered.

 4. We agreed that the F2F will be October 20th (starting at noon) to
    October 22nd (ending at noon) at BEA in San Jose. Note that SAML
    will be meeting later that week, though not at BEA.

ITU Submission:

    Hal met two weeks ago with Karl Best and ITU reps. The ITU is
interested in SAML and XACML, but only in specifications that have gone
through the full process (i.e., are ratified OASIS Standards). The ITU
will not change the content of the specifications that they take, and
they will automatically take follow-on versions. OASIS can submit XACML
1.0 if they like, but they wanted feedback from the TC first.
    Tony asked what the value is, and the answer was that XACML becomes
a formal ITU spec that makes it available to a number of groups
(especially in government). It also gets more people to review the spec
and provide comments. Tony asked how we encorporate those comments, and
the answer was that we try to get them into 2.0.
    Hal raised the issue of what to submit (which was discussed on this
list previously), and suggested that we go with 1.0 now and then figure
out what else we'd like to push (i.e., 1.1 versus 2.0...ratifying 1.1
may be hard simply because we may not have 3 attestations). Frank asked
how long the process will take. Hal said we don't know, since this is
all new. Tony commented that this creates duplicate copies that have to
be mainted, and wondered if we could address the question of groups that
can't use OASIS specs rather than duplicating the XACML specs.
    Hal asked for a movement, and Anne moved that we submit 1.0. There
were 6 yes votes with Tony abstaining. We will submit 1.0

Results of SAML/XACML F2F:

    Anne prestented the results of the work done at the SSTC F2F. We
went in with 6 requirements for query/response and 5 other requirements.
Anne has sent out updated requirements and what the SSTC accepted:

  http://lists.oasis-open.org/archives/xacml/200309/msg00039.html

In a nutshell:

 1. send XACML request and response in SAML query and response
    (respectively). This doesn't extend SubjectQuery.

 2. return XACML request as part of the decision and have a flag in the
    query to ask for this. The request returned may not be the
    original request, but it must contain all attributes from the
    initiating request that were used in processing.

 3. include in the query a way to specify if the PDP is allowed to
    fetch attributes from other sources. This item was dropped.

 4. associate a datatype with the issuer (this was moved to the general
    requirements section). This led to a side discussion about the
    issuer and signer in SAML, and how they can be different people
    (which is apparently not uncommon).

 5 & 6. include a policy in a response's condition, so you can say "deny
    unless the condition is true" and then include that policy in a
    query. These items were dropped. It's really about delegation, which
    we're not covering yet, and the other uses cases have ben covered.

    There was a follow-on discussion about Status Codes, where they
    should be included, and whether they should be optional. Hal will
    write a proposal for a 2.0 work item on this.

 General: better cooresponence between SAML and XACML attribute formats,
          and a new SAML PolicyQuery. On the first topic Rebekah Lepro
          will submit experiences and Anne will post to the SSTC list
          about the rationale for the XACML format; some SAML folks like
          the XACML format more. On the second topic, there is genral
          agreement to do it, but it's unclear where the work should be
          carried out (Hal tried to push this point at the F2F, with
          little success, but he has a SAML work item for this...the
          XACML group may write up a proposal).

 4 Remaining Open Issues: status codes, which namespaces should be used
    for which tasks, attribute naming formats, and whether Obligations
    should be in the XACML response or in SAML (on this last point Hal
    thinks he inadvertently caused confusion, so he will clarify to the
    SAML folks that Obligations should be in the XACML response, and
    Michiharu agrees this is the right relationship)

Final Discussions:

    Hal suggested that there are different kinds of delegation: admin
(eg, who can write a policy) which we're already covering, and limited
(rights delegated from one user to another) or impersonating (one person
takes on the identity of another) delegation which policies can already
handle. He suggested that there may be issues supporting delegation in
SAML, but that at the XACML level we may already be addressing all the
key issues. Anne has been writing something on this topic which she will
send around.
    We were reminded that all proposals must be written by the F2F, so
if you own a 2.0 item, get your writeups posted.  Also, Frank reminded
us that there's now an OGSA Authz group in the GGF, and anyone
interested should subscribe to the list. Finally, Hal said that the
focus group meetings would be used for complex 2.0 items, and that the
next regular meeting is the last before the F2F, so an agenda should be
drafted soon.


seth


[1] After the meeting we learned that the requirement for approval has
been changed to 15%. Also, the attestation rules have not changed.