Minutes of 26 February XACML Focus Group

[Anne Anderson <Anne.Anderson@Sun.COM>]

[Note: we reviewed all the 2.0 work items that have not been
explicitly dropped, and their status in indicated below.  We did
not discuss all the items that have been targetted for
specifications other than XACML 2.0, such as various profiles.]

Minutes from the 26 February 2004 XACML Focus Group

Present:
  Anne Anderson,
  Tim Moses,
  Mike McIntosh

Agenda: Continuing discussing XACML 2.0 work items
Action item: Tim will publish a draft 6 with all the stable work
   items agreed to so far.

WI#7. ConditionReference

   Need final consensus proposal from the proponents.

WI#9. Policies referring to hierarchical resources

   Open issue on handling things like "read" in a file system
   requiring "execute" permission on all elements higher in the
   hierarchy.  Anne will look at WS-ResourceFramework.

WI#10. Parameters for Combining Algorithms

   Seems to be close to consensus here.  Tim will see if enough
   information to include in next draft.

WI#11. XACML Extension Points

   Feb. 12 meeting suggested not having any general extension
   points, but accepting specific extensions where justified.

WI#12. Environment Element in Target

   Already in 2.0 draft.

WI#13. Optional Target Elements

   Already in 2.0 draft.

WI#18. Obligations in Rules

    http://lists.oasis-open.org/archives/xacml/200305/msg00011.html
    http://lists.oasis-open.org/archives/xacml/200401/msg00062.html [Polar issues]
    http://lists.oasis-open.org/archives/xacml/200402/msg00013.html [Michiharu use case]
   Waiting for Polar's alternative.

WI#22. time-in-range function

   Already in 2.0 draft.

WI#23. Use XQuery comparison functions for date, time, dateTime

   Need update from Seth on whether progress is being made.  How
   long are we prepared to delay 2.0 for this?

WI#27. Version number element or attribute in an XACML policy.

   Already in 2.0 draft.

WI#28. Define "current time/date/dateTime" during policy evaluation

   Already in 2.0 draft.

WI#29. Policy Authority Delegation

   For F2F.

WI#31. Attribute Issuer as Subject

   For F2F.

WI#32. Standardize naming to specify rules for requestor's authz policy

   Waiting for Frank to discuss his use case verbally.

WI#36. Check for requester authorized to ask for authz decision

   For F2F.

WI#37. Multiple <AttributeValue> elements for single <Attribute> in Request

  We looked these over, and agreed Rebekah has found
  inconsistencies.  Since they are editorial, Tim will correct
  them in the next draft, and Rebekah can review the fixes.

  1)  ResourceAttributeDesignator (lines 2318 - 2327),
  ActionAttributeDesignator( 2343 - 2352) and EnvironmentAttributeDesignator
  (lines 2369 - 2378) all refer to "a bag containing all the (resource,
  action, environment) attribute values that are matched by the named
  (resource, action, environment) attribute.

  a)  I presume this text corresponds to the description of the returned bag
  for an AttributeSelector as described in line 2448 - 2454?

Tim will look into this.  The results for an AttributeSelector
and for an AttributeDesignator should be the same type.

  b)  In the section for SubjectAttributeDesignator (lines 2268 - 2310), there
  is no mention of a bag returned containing the values even for a categorized
  subject.  Does this imply a different processing requirement for
  SubjectAttributeDesignators?

No.  Text should be made consistent.  Tim will do.

  2)  Can an element be defined directly with the type AttributeDesignatorType
  or was the intention that this complex type definition serve only as the
  root of a type hierarchy?

Intention was only the root.  AttributeDesignatorType maybe
should be made abstract.  Tim will look into this.

  3)  Lines 2445 - 2454 define processing rules that relate to the
  MustBePresent attribute of an AttributeSelector, including the required
  status code.  No such constraint on the required status code is listed in
  lines 2264 - 2266 for AttributeDesignators.  Should there mandatory status
  codes specified?

Yes.  The results obtained form an AttributeSelector and from
AttributeDesignators should be consistent.  We should copy the
text from AttributeSelector into the text rfor AttributeDesignator.

  4)  Line 2707 indicates that the data type of the AttributeValue MAY be
  specified by using the DataType attribute of the parent Attribute element.
  However, line 2683 indicates that DataType xml attribute of an Attribute
  element is mandatory.  Is this a contradiction?

Line 2707 should be changed to say MUST, not may.

  5)  AttributeValueType.  Lines 2456 - 2469 indicate that a DataType URI is a
  required xml attribute required for the complex type in the xacml namespace.
  Lines 2696 - 2708 indicate do not define such a required xml attribute for
  the AttributeValueType in the xacml-context namespace.  Lines 3448 - 2469 of
  the Appendix state that an XACML <AttributeValue> element MAY contain an
  instance of a structured XML data type. Lines 3524 - 3525 says "The
  <AttributeValue> element SHALL represent an explict value of a primitive
  type.  The example shows the use of an Attribute value element as the child
  of the <Apply> element.   Lines 3534 - 3535 states "The
  <AttributeDesignator> and <AttributeSelector> elements SHALL evaluate to a
  bag of a specific primitive type. Do these different characterizations
  contradict?  

Note that we have two different definitions for AttributeValue;
the one in the Request Context does not have its own DataType -
it uses the the Attribute DataType element.  The AttributeValue
in a Policy does have its own DataType xml attribute.

Lines 2456 - 2469 apply to AttributeValue in a Policy.

Lines 3534 - 3535 are in the appendix describing standard
functions and datatypes, so that is why A.7 says the type must be
primitive type.

  6)  Is it reasonable to state that a named attribute appears in the context
  of Policy syntax but not Context syntax?

Tim will resolve.

  7)  Is the string equality requirement listed on line 2999 the string
  equality function defined at line 3643?

Tim will resolve.

WI#38. Policies for the Administration of XACML Policies

  For the F2F.

WI#39. Make Status in the XACML Response optional

   Already in 2.0 draft.

WI#40. Define a SAML PolicyQuery and PolicyStatement

   Anne has published a working draft for the SAML Profile.

WI#42. Requests asking for access to multiple elements in a hierarchical resource

   This is actually different from #9.  #9 needs to say how, in a
   policy, a condition can be made to apply to an entire subtree
   in a hierarchy, rather than having to spell out

WI#43. Examine interactions between approved work items

   Open.

WI#45. Fix AttributeAssignment example in Section 4.2.4.3 (Rule 3)

   Already in 2.0 draft.

WI#46. Status detail for missing attributes

   Waiting for Seth to produce schema for specifying a missing
   attribute.

WI#47. New SAML Authorization Decision Query/Response using XACML

   Being dealt with in the SAML Profile document.

WI#48. PAP Interface to a PDP/PRP

   For XACML Interface Definitions Specification.  Tim will get
   to this soon.

WI#50. Fix obligations erratum: fulfilled by PDP

   Already in 2.0 draft.  CLOSED.

WI#51. Clarify obligations: "fulfill" vs. "understand"

   Already in 2.0 draft.

WI#52. New section explaining not backwards compatible and listing changes

   Needs to wait for all changes to be made.

WI#53. Drop <Function> element

   Will this change with the new reference proposals?  Tim has
   not yet clarified the explanation in the current draft.

WI#54. Is resource-id required?

   Needs to be incorporated into the next draft.  This has been
   resolved by a vote on 8 Jan to make resource-id optional.

WI#55. Converge SAML and XACML Attribute schema definitions

   Some of this is going into the XACML Profile; rest depends on
   continued conversation with SAML people.

WI#56. Should Request Context be optional (non-normative)

   Hal's detailed text was accepted 8 Jan 2004.  This is in Tim's
   draft of Draft 6.

WI#58. Standard hierarchy schemas

   Anne still working on this.  Can be in a separate profile, so
   2.0 need not wait for this.

WI#59. Define standard "role" subject attribute

   12 Feb 2004 FG recommended including in next draft.

   26 Feb 2004 FG recommends putting this into the next version
   of the RBAC profile.

WI#60. Define standard "purpose" attributes

   Tim has published a draft Privacy Profile as a contribution.
   The TC needs to agree to make this a Working Draft.

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692