Subject: Minutes of XACML TC Meeting 1 March 2007
1. Roll Call & Minutes
Attendees
Hal Lockhart (Co-chair)
Bill Parducci (Co-chair, minutes)
Anthony Nadalin
Argyn Kuketayev
Abbie Barbir
Rich Levinson
Prateek Mishra
Sekhar Sarukkai
Erik Rissanen
Anne Anderson
David Staggs
Dee Schur (Oasis Member Support)
Quorum was achieved (69% per Kavi)
2. Administrivia
F2F
draft agenda by early next week BILL + HAL
special meal requests?
Hal and Bill will work on agenda for F2F. There MAY be cell
phone access to the meeting site via our existing bridge. Hal
will confirm availability of existing bridge or arrange another
with Abbie.
Oasis Webinars
Dee Schur notified the TC that Oasis would like to put on a series of
webinars for each of the security TCs' works. These will be made
available on the Oasis website. Oasis has made a call for volunteers
to the TC who would be interested in creating content based upon
XACML.
InterOp
The InterOp is proceeding but there are still a number of open
issues. A list has been set up for discussion by the InterOp members.
If others wish to participate please notify the Chairs as soon as
possible.
Latest Draft
Erik briefly described the changes in the latest Draft posted to the
list.
3. Issues
#-- Behavior of combining algorithms variant (Erik)
Discussion on list stands for itself. Question about whether to
add optional.
#63 Generalization of multiple resources
Spec says all Attributes for Multiple subjects with same
Subject Category are merged. Hal considers this a bug,
especially for codebase and intermediaries. Erik's
MultipleCondition from the previous Admin Policy draft is one
possible way to address this.
ACTION ITEM: Hal will create a new issue to address this.
#40 <ResourceContent> element
Question is whether 1) AttributeSelector should have an xml
attribute to select ResourceContent documents using a different
base than the Request Context and 2) whether there could be more
than one content element per category. Resolution of the
attribute would be implementation-dependent. Daniel proposed the
XML attribute; question about whether there is an actual use
case.
General consensus on the call is to drop the ID reference and to
restrain the schema to allow only one <Content> element per
<Attributes> element. (No change from 2.0)
#32 Exception handling
What happens if an untrusted policy produces an Indeterminate?
Should it influence the decision or not? Don't know whether
trusted or not until it is reduced.
No solution yet. Erik will continue working on it.
#-- Target Issues (ConjunctiveMatch and compatibility)
Related to the matching on multiple subject issue. Currently
can't index on multiple subjects.
Erik is not clear on how to move forward on this. His
inclination is to allow multiple categories in the disjunctive
match; already allowed for multiple subject categories.
Erik and Hal will champion this.
#-- Access Permitted feature
"Access Permitted" previously referred to Subject, but now that
we have extensible Attributes, it needs at least to be reworded.
Possibly NP complete if fully generalized.
Hal will respond to Erik's e-mail.
#-- Prateek's issues
A. PDP to PEP communication
Should there be some standardization around the interface between
tightly coupled PDP and PEP? We have the SAML protocol where not
tightly coupled.
B. Define meta-data that would allow definition of the world of
information that is subject to policies.
PAP, PEP, and Context Handler have to be coordinated. The
WS-XACML "Vocabulary" elements in Requirements and Capabilities
are one approach to this; they allow specification of URIs that
are associated with documents, products, etc. that require a
particular set of Attributes to be retrievable.
C. Standard interfaces so a PDP can be specified in an RFP
Hal made comments on the List to some of these issues recently:
Policy Inputs
http://lists.oasis-open.org/archives/xacml/200702/msg00059.html
Closely Coupled PEP/PDP
http://lists.oasis-open.org/archives/xacml/200702/msg00060.html
Policy Provisioning
http://lists.oasis-open.org/archives/xacml/200702/msg00061.html
Other miscellaneous concerns
http://lists.oasis-open.org/archives/xacml/200702/msg00062.html
#66 Missing attributes may be underspecified
Rich thinks there is confusion about what is interoperable.
Rich's interoperability document has the Context Handler on the
PEP side. Needs clarification.
Next meeting is F2F. Next telephone meeting will be March 29.
Meeting adjourned.