

Subject: Minutes of Focus Group 15 July 2004


[Attendees: please correct me if I got these wrong or left out
something important to keep for posterity :-) -aha]

Attendees:
  Frank
  Polar
  Simon
  Hal
  Tim
  Anne

Agenda: Delegation: are changes needed to XACML 2.0 schemas to
  support delegation?

1. Where does Issuer/Authority go?

Attendees discussed whether this information should go in
CombinerParameters or as a child element of Policy/PolicySet -
Frank thinks it MIGHT be better to have it as a child of
Policy/PolicySet; Polar thinks it belongs in CombinerParameters.
Attendees feel delegation is important for XACML 2.0, and feel
PROBABLY delegation COULD be accommodated by having Issuer in
CombinerParameters.  We have no use case for this information
other than for delegation.

The attendees recommend holding a vote at the 22 July 2004 TC
meeting on whether to add a new child element to Policy and
PolicySet for Issuer.

2. Should policy delegating authority go into Request?

Attendees agreed this information should not go into the
Request.  The PDP may have a separate interface for accepting new
policies.  The policy delegating authority may be submitted to a
PDP asynchronously with Requests that would make use of that
policy.

A policy that delegates authority could be submitted in a package
(for example, a SAML envelope) along with a Request.  This could
be defined in another profile, and does not affect our <Request>
context schema.

3. Policy metadata

The policy's issuer is metadata, just as the validity period for
the policy is.  When the policy is accepted as valid by a PDP and
incorporated into its <PolicySet> tree, the metadata can be
inserted into combining parameters.

The issue of "PolicyVersion" came up.  This logically should also
be metadata - it is not used in evaluating the PDP.
"Description" is part of the policy, but also has no evaluative
purpose; perhaps it also belongs in "meta-data".

4. Other discussion

Polar and Frank discussed other details of how delegation might
work.  Can "issuer" in a policy be changed as part of evaluation?
What transformations of a policy are valid?  How is policy
integrity maintained?

5. Polar and Hal will not be at 22 July 2004 TC meeting.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
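The acceptance step described in item 3 (issuer and validity period carried as policy metadata and checked when a PDP takes a policy into its PolicySet tree), as an added Python example that is not part of the minutes or of any OASIS artifact. The XACML 2.0 namespace and CombinerParameter syntax are real, but the parameter names `issuer` and `notOnOrAfter`, the sample policy, and the choice to carry this metadata in CombinerParameters are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# XACML 2.0 policy namespace (real). The ParameterName strings below are
# assumptions for this example, not names defined by the TC or the spec.
XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS = {"x": XACML_NS}

# Constructed sample: a Policy whose issuer and validity period are carried
# as combiner parameters, as the minutes suggest a PDP could do on acceptance.
SAMPLE_POLICY = f"""<Policy xmlns="{XACML_NS}" PolicyId="urn:example:policy:1"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <CombinerParameters>
    <CombinerParameter ParameterName="issuer">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:example:issuer:alice</AttributeValue>
    </CombinerParameter>
    <CombinerParameter ParameterName="notOnOrAfter">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#dateTime">2030-01-01T00:00:00Z</AttributeValue>
    </CombinerParameter>
  </CombinerParameters>
</Policy>"""


def read_metadata(policy_xml):
    """Collect ParameterName -> value for the policy's top-level combiner parameters."""
    root = ET.fromstring(policy_xml)
    meta = {}
    for cp in root.findall("x:CombinerParameters/x:CombinerParameter", NS):
        value = cp.find("x:AttributeValue", NS)
        meta[cp.get("ParameterName")] = (value.text or "").strip()
    return meta


def accept_policy(policy_xml, trusted_issuers, now_iso):
    """Decide whether a PDP should take this policy into its PolicySet tree.
    Returns (accepted, reason). A policy with no issuer, an untrusted issuer,
    or an ended validity period is refused before it can influence any decision."""
    meta = read_metadata(policy_xml)
    issuer = meta.get("issuer")
    if not issuer:
        return False, "no issuer metadata"
    if issuer not in trusted_issuers:
        return False, "untrusted issuer: " + issuer
    expiry = meta.get("notOnOrAfter")
    if expiry:
        now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
        end = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if now >= end:
            return False, "validity period ended"
    return True, "accepted"
```

The check trusts whatever the issuer parameter says, so it only holds if the policy's integrity was established before this step (the question raised in item 4).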


