Subject: Minutes of Focus Group 15 July 2004
[Attendees: please correct me if I got these wrong or left out
something important to keep for posterity :-) -aha]

Attendees:
   Frank
   Polar
   Simon
   Hal
   Tim
   Anne

Agenda: Delegation: are changes needed to XACML 2.0 schemas to
support delegation?

1. Where does Issuer/Authority go?

   Attendees discussed whether this information should go in
   CombinerParameters or as a child element of Policy/PolicySet -
   Frank thinks it MIGHT be better to have it as a child of
   Policy/PolicySet; Polar thinks it belongs in CombinerParameters.

   Attendees feel delegation is important for XACML 2.0, and feel
   PROBABLY delegation COULD be accommodated by having Issuer in
   CombinerParameters.

   We have no use case for this information other than for
   delegation.

   The attendees recommend holding a vote at the 22 July 2004 TC
   meeting on whether to add a new child element to Policy and
   PolicySet for Issuer.

2. Should policy delegating authority go into Request?

   Attendees agreed this information should not go into the
   Request. The PDP may have a separate interface for accepting
   new policies. The policy delegating authority may be submitted
   to a PDP asynchronously with Requests that would make use of
   that policy.

   A policy that delegates authority could be submitted in a
   package (for example, a SAML envelope) along with a Request.
   This could be defined in another profile, and does not affect
   our <Request> context schema.

3. Policy metadata

   The policy's issuer is metadata, just as the validity period
   for the policy is. When the policy is accepted as valid by a
   PDP and incorporated into its <PolicySet> tree, the metadata
   can be inserted into combining parameters.

   The issue of "PolicyVersion" came up. This logically should
   also be metadata - it is not used in evaluating the PDP.
   "Description" is part of the policy, but also has no evaluative
   purpose; perhaps it also belongs in "meta-data".

4. Other discussion

   Polar and Frank discussed other details of how delegation might
   work. Can "issuer" in a policy be changed as part of
   evaluation? What transformations of a policy are valid? How is
   policy integrity maintained?

5. Polar and Hal will not be at 22 July 2004 TC meeting.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692