Minutes 1 February XACML TC Meeting

[Bill Parducci <bill.parducci@simulalabs.com>]

I  Roll Call & Minutes

     Attendees
      Hal Lockhart (Co-chair)
      Bill Parducci (Co-chair, minutes)
      Anthony Nadalin
      Argyn Kuketayev
      Abbie Barbir
      Rich Levinson
      Prateek Mishra
      Erik Rissanen
      Anne Anderson
      Seth Proctor
      David Staggs

      Quorum was achieved (76% per Kavi)

     VOTE: Unanimous APPROVAL of minutes from 18 January 2007

II  Administrivia

     F2F locations
     BEA offers to host in Burlington
     Tony is still checking availability in Austin

     Inter-op
     Oracle and Securent have voiced interest in participating in the
     Interop in June along with IBM. Hal believes BEA will also
     participate. Hal will will send out an email to interested  
parties to
     begin the logistics process. The process requires an Inter-op
     Coordinator. A request for a volunteer has been made.

     General
     Rich noticed an anomaly between the XACML 1.1 and XACML 2.0
     specifications.  There is a resource:xpath AttributeId
     referenced in the Section 4.2.4 Rules examples in XACML 2.0,
     but this AttributeId is defined only in XACML 1.0. It is
     generally agreed that this is errata and should be added back
     into XACML 2.0.  The definition from XACML 1.0 is: "This
     identifier indicates that the resource is specified by an
     XPath expression.
     urn:oasis:names:tc:xacml:1.0:resource:xpath"

     Rich also asked about the state of the Obligations work referenced
     earlier in the v3.0 process. Bill explained that he and Erik have
     been working to come up with a common understanding and intend to
     post the results of this discussion to the wiki.

     Anne offered to post an overview of how
     Obligations/obligations are handled currently in the XACML
     Profile for Web Services.

III Issues

     # 55 WS-XACML: Address policy references in a Requirements
       element containing a PolicySet

     ACTION ITEM: Anne to explain the problem and present a draft
     solution to the list based on Option 3: Add an element for
     including referenced policies and require that all referenced
     policies must be included in this element.  Seth pointed out
     that policies included need to be tagged with the identifier
     by which they are referenced.

     # 56 WS-XACML: Add optional "Preference" XML attribute to
       Apply element

     Where more than one Attribute value can satisfy an Apply
     element, Anne proposed that an optional element be added to
     the Apply element to indicate whether "greater" values
     (larger integer, later time, end of ordered set) or "lesser"
     (earlier time, beginning of ordered set) values are
     preferred.

     APPROVED

     # 57 WS-XACML: Restrictions on XPath expression to support matching
       Attribute references

     Anne proposed a restricted form of XPath expression that uses
     absolute paths and didn't contain any query operators to
     allow for correct intersections of AttributeSelectors.  Anne
     has researched the problem and is looking for additional
     insight into the restrictiveness of this approach.  Hal
     pointed out that we are not the only ones with this problem

     ACTION: TC members are encouraged to investigate.  Anne will
     contact the authors of a paper on the intersection of XPath
     expressions to see if they have insights.

     # 59 WS-XACML: Allow restricted regular expression functions
       in XACMLAssertion

     The group felt supporting regular expressions was useful, and
     so use of intersectable regular expressions should be
     supported.

     ACTION: Anne and Bill to dig up the specification of basic
     (intersectable) regex expressions and Anne to draft specific
     proposal for the list.

     #60 WS-XACML: Remove "XACML Authorization Token" and
     "Conveying XACML Attributes in a SOAP Message"?

     Anne proposed moving these two sections of the WS-XACML
     profile to the SAML Profile, leaving only the XACMLAssertion
     sections.

     APPROVED: move these two sections to the SAML Profile.

     #52-53 Indirect delegates issues

     Erik proposed dropping indirect delegates from the
     specification, pointing out that in a strict sense an
     administrative policy can't prevent someone else from doing a
     restricted action on behalf of an undesired indirect
     delegate.

     APPROVED: drop indirect delegates from the standard.

     # 63 Generalizaton of multiple resources

     STATUS: everyone look at this issue and discuss on list.

     # 64 Treatment of administrative Deny

     Proposal is that if an admin request evaluates to Deny on a
     policy, the policy will be ignored.

     STATUS: everyone look at and discuss on the list.

     # NEW: Deny-Overrides:
     http://lists.oasis-open.org/archives/xacml/200701/msg00020.html

     STATUS: Erik to submit statement of a proposed new combining
     algorithm.  Discuss on list.

meeting adjourned.