Subject: Re: [xacml] DRAFT minutes from F2F
Bill, you did a great job. You even managed to contribute while taking
minutes!

Anne

Comments below:

On 24 October, bill parducci writes: [xacml] DRAFT minutes from F2F

> F2F Meeting – Oct. 20, 2003 – BEA, San Jose
>
> Attendance:
> Frank Siebenlist
> Anne Anderson
> Tim Moses
> Polar Humenn
> Daniel Engovatov (observer)
> Bill Parducci
> Michiharu Kudo
> Michael McIntosh (prospective member)
> Anthony Nadalin
> MaryAnn Hondo (observer)
> Jacques Durand (prospective member)
> Hal Lockhart
>
> Reviewed Work Items:
> (minutes refer to discussion topics by Work Item number)
>
> 2. Seth now Champion for the modified version of this WI. A new item

Clarification: This work item was not actually changed. There was some
clarification: it refers to information needed to configure a PDP,
included either in a Request, in a Policy, or possibly in a 3rd document
type.

> (#41) has been created to cover generalizing classification of entities
> and declaration (third schema to represent?) Daniel will address this

Clarify: Daniel will address #41, not #2.

> by Nov. 3.
>
> 7. Proposes that condition references be used to allow for reuse of
> conditions. Limited to conditions within the same policy. Proposal is

Provide the rationale: "reuse of conditions in Rules that may have
different Targets."

> fairly complete and is ready for review and decision.
>
> 8. Proposes that rule references be used to allow for reuse of rules.
> May span across policies. This implies that the rule becomes the lowest
> administrative unit. This is dependent upon the decision of #19.
> Decision of the group is that #19 is not valid since the use case may be
> resolved having policies containing single rules.

Clarify: Not so much that #19 is "not valid" as that it is "not needed".
I think this item is now closed. #8 is also not needed, for the same
reason, and is now closed.

> 9. Proposes extended syntax to address hierarchical Subject, Actions and
> Resources. Concern is that it is Resource specific and that it may be
> difficult to address the intricacies of any given Resource domain.
> It was decided that hierarchical policies and hierarchical requests (new
> WI, #42) be split apart for discussion and consideration.
>
> 10. Proposes extended syntax for Combining Algorithms to allow for the
> influence of rule combination evaluation by parameters of the rules
> themselves. There is general agreement on the value of this approach,
> however it is not thought to be widely required. Therefore the feeling
> is that this should be handled via an extension point added to the
> schema. This WI is therefore closed and the topic taken up in #11.
>
> 12. Proposes environment attributes for Target. VOTE: approve as
> proposed – 8 FOR, 1 Abstain (Daniel, pending discussion of function
> extensions). Closed.
>
> 16. Determined that this doesn't introduce anything new to the
> specification. Closed.
>
> 17. Determined that this doesn't introduce anything new to the
> specification. Closed.
>
> 19. Closed in conjunction with discussion of #8.
>
> 26. Satisfied by existing specification using Policy Combination
> Algorithm. Closed.

Correction: This item is not satisfied using any sort of policy
combination algorithm. It is closed because there is not a strong use
case for the XACML 2.0 time frame and it would be difficult to implement
due to semantic complexities.

> 29. Proposes delegation of policy combination with the constraint that

Clarification: delegation of policy evaluation and combination

> authorization assertions be passed with requests from remote (trusted)
> systems. The scope of the problem is not fully understood by the group
> and the proposal was made to pursue administrative policy solutions
> first, then return to this issue. Also includes #38 (placing conditions
> on members of the delegation chain for operating on policies.)
>
> 30. Proposed that policy may be passed with an access request. There is
> concern that this will create issues with combinations of other
> applicable policies. It has been suggested that the use case may
> be addressed by making the remote PAP accessible to the local PDP. This
> mechanism is related to #29 & #38 and will be discussed in the context
> of these issues.
>
> 35. Proposes that there is policy specifically developed to cover the
> return of missing attributes in decisions with Not Applicable results.
> It has been suggested that this is covered by the current specification.
> Documentation that details how this may be treated in XACML needs to be
> generated.
>
> 36. Proposes that PDP have formally defined access control mechanism to
> downstream PDPs. This is not consistent with what was generally
> understood by the group from the original WI. There is concern that the
> scope of this problem is outside of what is practically addressable in
> XACML. Further clarification is necessary. This will likely tie into the
> discussion of #29, #30 & #38.
>
> 37. Proposes a shorthand model for passing multiple elements. Deferred
> until tomorrow (rest of group arrives).
>
> 38. Covered in #30. Deferred pending outcome of #30.
>
> 40. Proposes optimized Policy query in SAML. Two non-conflicting
> proposals are on the table. This will be discussed further on the e-mail
> list.

Correction: Nothing is "optimized". Proposed a general Policy Assertion
and Policy Query in SAML. Two non-conflicting proposals: one creates an
XACMLPolicyStatement and XACMLPolicyQuery, while the other one creates a
SAML PolicyStatement and PolicyQuery, from which the XACML-specific forms
would be derived.

> +++
>
> F2F Meeting – Oct. 21, 2003 – BEA, San Jose
>
> Attendance:
> Frank Siebenlist
> Anne Anderson
> Tim Moses
> Polar Humenn
> Daniel Engovatov
> Simon Godik
> Bill Parducci
> Michiharu Kudo
> Michael McIntosh
> Rebekah Lepro
> Hal Lockhart
> Steve Anderson
>
> Reviewed the discussions of Monday's meeting.
>
> Anne provided a historical review of derivation of the single attribute
> value model in the current spec.
>
> (minutes refer to discussion topics by Work Item number)
>
> 37. Based on the general belief that this proposal will not affect XPath
> attribute queries, the consensus is that this item be approved pending
> further clarification (cardinality & descriptive schema changes). Rebekah
> will provide a first pass at the changes for the Editor.
>
> Hierarchical authorization issues:
>
> 9. Resources – If you want to support requests that specify the resource
> as a hierarchy (specifically, XML), there must be an instance at request.
> Wildcards are allowed in hierarchical policies.

Clarification: "policies about hierarchical entities" rather than
"hierarchical policies"

> 42. Requests – hierarchical resource requests MUST use the "scope"
> attribute when intentionally requesting resources with subordinate data
> members (vs. using /* in an XPath expression). Clarification is required
> to define how responses for situations where hierarchical resources
> without descendants are queried for descendant access.
>
> Policy Administration:
>
> A number of proposals were discussed, however no clear solution arose as
> the majority of the session involved the expression of the requirements.
>
> A higher order requirement proposed by Frank is the ability to evaluate
> policies taking into consideration "admin" of the policy to allow for
> policy chain decisions.
>
> +++
>
> F2F Meeting – Oct. 22, 2003 – BEA, San Jose
>
> Attendance:
> Frank Siebenlist
> Anne Anderson
> Tim Moses
> Polar Humenn
> Simon Godik
> Bill Parducci
> Michael McIntosh
> Rebekah Lepro
> Hal Lockhart
> Steve Anderson
> Anthony Nadalin
> MaryAnn Hondo
> Jacques Durand
>
> Reviewed the discussions of Tuesday's meeting.
>
> Anne reviewed her Administrative Policy proposal. Frank and Polar will
> post their respective AP proposals to the mailing list.
>
> Anne & Tim proposed that the XACML TC continue its work on the current
> WSPL proposal, focusing on the authorization policy constraints of Web
> Services. The premise is that this work adopt/integrate the efforts of
> proposed policy advertising committees (as yet undefined in OASIS &
> W3C). Until such time the group would provide examples of how this
> mechanism would work; the intent of the group is that this non-normative
> output would be replaced/merged with forthcoming standards in this area.
>
> Scope of proposed work:
>
> 1. Subset of XACML suitable for describing conditions on access control
> related attributes that are: (1) required for accessing a service; (2)
> available for a presentation service accessor. NORMATIVE.
>
> 2. Combining subset instances from above to determine a mutually
> acceptable set of access control related attributes. NORMATIVE.
>
> 3. Examples of how such instances are associated with WSDL at message,
> operation, port type, etc. NON-NORMATIVE.
>
> The group decided that this scope is acceptable and that work will
> continue as defined above.
>
> Tim reviewed an approach for LDAP storage of policies to address
> many-to-many PDP/PAP relationships. The topic was also raised as to
> whether remote policy requests should be considered.
>
> To unsubscribe from this mailing list (and be removed from the roster of
> the OASIS TC), go to
> http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php.

-- 
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692