Subject: Re: [xacml] DRAFT minutes from F2F


Bill, you did a great job.  You even managed to contribute while
taking minutes!

Anne

Comments below:

On 24 October, bill parducci writes: [xacml] DRAFT minutes from F2F
 > F2F Meeting – Oct. 20, 2003 – BEA, San Jose
 > 
 > Attendance:
 > Frank Siebenlist
 > Anne Anderson
 > Tim Moses
 > Polar Humenn
 > Daniel Engovatov   (observer)
 > Bill Parducci
 > Michiharu Kudo
 > Michael McIntosh   (prospective member)
 > Anthony Nadalin
 > MaryAnn Hondo      (observer)
 > Jacques Durand     (prospective member)
 > Hal Lockhart
 > 
 > Reviewed Work Items:
 > (minutes refer to discussion topics by Work Item number)
 > 
 > 2. Seth now Champion for the modified version of this WI. A new item 

Clarification:

This work item was not actually changed.  There was some
clarification: it refers to information needed to configure a
PDP, included either in a Request, in a Policy, or possibly in a
3rd document type.

 > (#41) has been created to cover generalizing classification of entities 
 > and declaration (third schema to represent?)  Daniel will address this 

Clarify:

Daniel will address #41, not #2.

 > by Nov. 3.
 > 
 > 7. Proposes that condition references be used to allow for reuse of 
 > conditions. Limited to conditions within the same policy. Proposal is 

Provide the rationale:
"reuse of conditions in Rules that may have different Targets."

 > fairly complete and is ready for review and decision.
 > 
 > 8. Proposes that rule references be used to allow for reuse of rules. 
 > May span across policies. This implies that the rule becomes the lowest 
 > administrative unit. This is dependent upon the decision of #19. 
 > Decision of the group is that #19 is not valid since the use case may be 
 > resolved having policies containing single rules.

Clarify:
Not so much that #19 is "not valid" as that it is "not needed".
I think this item is now closed.
#8 is also not needed, for same reason, and is now closed.
 > 
 > 9. Proposes extended syntax to address hierarchical Subject, Actions and 
 > Resources.  Concern is that it is Resource specific and that it may be 
 > difficult to address the intricacies of any given Resource domain. 
 > It was decided that hierarchical policies and hierarchical requests (new 
 > WI, #42) be split apart for discussion and consideration.
 > 
 > 10. Proposes extended syntax for Combining Algorithms to allow for the 
 > influence of rule combination evaluation by parameters of the rules 
 > themselves. There is general agreement on the value of this approach, 
 > however it is not thought to be widely required. Therefore the feeling 
 > is that this should be handled via an extension point added to the 
 > schema. This WI is therefore closed and the topic taken up in #11.
 > 
 > 12. Proposes environment attributes for Target. VOTE: approve as 
 > proposed – 8 FOR, 1 Abstain (Daniel, pending discussion of function 
 > extensions). Closed.
 > 
 > 16. Determined that this doesn’t introduce anything new to 
 > specification. Closed.
 > 
 > 17. Determined that this doesn’t introduce anything new to 
 > specification. Closed.
 > 
 > 19. Closed in conjunction with discussion of #8.
 > 
 > 26. Satisfied by existing specification using Policy Combination 
 > Algorithm. Closed.

Correction:
This item is not satisfied using any sort of policy combination
algorithm.  It is closed because there is not a strong use case
for the XACML 2.0 time frame and it would be difficult to
implement due to semantic complexities.

 > 29. Proposes delegation of policy combination with the constraint that 

Clarification:
delegation of policy evaluation and combination

 > authorization assertions be passed with requests from remote (trusted) 
 > systems. The scope to the problem is not fully understood by the group 
 > and the proposal was made to pursue administrative policy solutions 
 > first, then return to this issue. Also includes #38 (placing conditions 
 > on members of the delegation chain for operating on policies.)
 > 
 > 30. Proposed that policy may be passed with an access request. There is 
 > concern that this will create issues with combinations of other 
 > applicable policies. It has been suggested that the use case may 
 > be addressed by making remote PAP accessible to local PDP. This 
 > mechanism is related to #29 & #38 and will be discussed in the context 
 > of these issues.
 > 
 > 35. Proposes that there is policy specifically developed to cover the 
 > return of missing attributes in decisions with Not Applicable results. 
 > It has been suggested that this is covered by the current specification. 
 > Documentation that details how this may be treated in XACML needs to be 
 > generated.
 >
 > 36. Proposes that PDP have formally defined access control mechanism to 
 > downstream PDPs. This is not consistent with what was generally 
 > understood by the group from the original WI. There is concern that the 
 > scope of this problem is outside of what is practically addressable in 
 > XACML. Further clarification is necessary. This will likely tie into the 
 > discussion of #29, #30 & #38.
 > 
 > 37. Proposes a shorthand model for passing multiple elements. Deferred 
 > until tomorrow (rest of group arrives).
 > 
 > 38. Covered in #30. Deferred pending outcome of #30.
 > 
 > 40. Proposes optimized Policy query in SAML. Two non-conflicting 
 > proposals are on the table. This will be discussed further on the e-mail 
 > list.

Correction:
Nothing is "optimized".  Proposed a general Policy Assertion and
Policy Query in SAML.  Two non-conflicting proposals: one creates
an XACMLPolicyStatement and XACMLPolicyQuery, while the other one
creates a SAML PolicyStatement and PolicyQuery, from which the
XACML-specific forms would be derived.

 > +++
 > 
 > F2F Meeting – Oct. 21, 2003 – BEA, San Jose
 > 
 > Attendance:
 > Frank Siebenlist
 > Anne Anderson
 > Tim Moses
 > Polar Humenn
 > Daniel Engovatov
 > Simon Godik
 > Bill Parducci
 > Michiharu Kudo
 > Michael McIntosh
 > Rebekah Lepro
 > Hal Lockhart
 > Steve Anderson
 > 
 > Reviewed the discussions of Monday’s meeting.
 > 
 > Anne provided a historical review of derivation of single attribute 
 > value model in current spec.
 > 
 > (minutes refer to discussion topics by Work Item number)
 > 
 > 37. Based on the general belief that this proposal will not affect XPath 
 > attribute queries, the consensus is that this item be approved pending 
 > further clarification (cardinality & descriptive schema changes). Rebekah 
 > will provide a first pass at the changes for the Editor.
 > 
 > Hierarchical authorization issues:
 > 
 > 9. Resources – If you want to support requests that specify the resource 
 > as a hierarchy (specifically, XML), there must be instance at request. 
 > Wildcards are allowed in hierarchical policies.

Clarification:
"policies about hierarchical entities" rather than "hierarchical policies"
 > 
 > 42. Requests – hierarchical resource requests MUST use the “scope” 
 > attribute when intentionally requesting resources with subordinate data 
 > members (vs. using /* in an XPath expression). Clarification is required 
 > to define how responses for situations where hierarchical resources 
 > without descendants are queried for descendant access.
 > 
 > Policy Administration:
 > 
 > A number of proposals were discussed, however no clear solution arose as 
 > the majority of the session involved the expression of the requirements.
 > 
 > A higher order requirement proposed by Frank is the ability to evaluate 
 > policies taking into consideration “admin” of the policy to allow for 
 > policy chain decisions.
 > 
 > +++
 > 
 > F2F Meeting – Oct. 22, 2003 – BEA, San Jose
 > 
 > Attendance:
 > Frank Siebenlist
 > Anne Anderson
 > Tim Moses
 > Polar Humenn
 > Simon Godik
 > Bill Parducci
 > Michael McIntosh
 > Rebekah Lepro
 > Hal Lockhart
 > Steve Anderson
 > Anthony Nadalin
 > MaryAnn Hondo
 > Jacques Durand
 > 
 > Reviewed the discussions of Tuesday’s meeting.
 > 
 > Anne reviewed her Administrative Policy proposal. Frank and Polar will 
 > post their respective AP proposals to the mailing list.
 > 
 > Anne & Tim proposed that the XACML TC continue its work on the current 
 > WSPL proposal, focusing on the authorization policy constraints of Web 
 > Services. The premise is that this work adopt/integrate the efforts of 
 > proposed policy advertising committees (as yet undefined in OASIS & 
 > W3C). Until such time the group would provide examples of how this 
 > mechanism would work; the intent of the group is that this non-normative 
 > output would be replaced/merged with forthcoming standards in this area.
 > 
 > Scope of proposed work:
 > 
 > 1. Subset of XACML suitable for describing conditions on access control 
 > related attributes that are: (1). required for accessing a service; (2). 
 > available for a presentation service accessor. NORMATIVE.
 > 
 > 2. Combining subset instances from above to determine a mutually 
 > acceptable set of access control related attributes. NORMATIVE.
 > 
 > 3. Examples of how such instances are associated with WSDL at message, 
 > operation port type, etc. NON-NORMATIVE.
 > 
 > The group decided that this scope is acceptable and that work will 
 > continue as defined above.
 > 
 > Tim reviewed an approach for LDAP storage of policies to address 
 > many-to-many PDP/PAP relationships.  The topic was also raised as to 
 > whether remote policy requests should be considered.
 > 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

