Subject: RE: [xacml] Minutes: 25-Oct-07 XACML TC Meeting


Added Roll

> -----Original Message-----
> From: Rich Levinson [mailto:rich.levinson@oracle.com]
> Sent: Thursday, October 25, 2007 11:14 PM
> To: xacml
> Subject: [xacml] Minutes: 25-Oct-07 XACML TC Meeting
> 
> 1 Roll Call:
> 
Voting Members

Erik Rissanen  	Axiomatics AB
Hal Lockhart 	BEA Systems, Inc.
Ron Williams 	IBM 	Group Member
Rich Levinson 	Oracle Corporation
Anil Saldhana 	Red Hat
Seth Proctor 	Sun Microsystems
David Staggs 	Veterans Health Administration

Member

Anil Tappetla 	Securent Inc.

> 
> 2 Administrivia:
> 
>     Minutes from 11-Oct-07 approved:
> 
>     http://lists.oasis-open.org/archives/xacml/200710/msg00025.html
> 
>     Review plans for RSA Interop
> 
>         Hal: Tentative confirmations from Oracle, IBM, Axiomatics,
>         Securent and Sun. Dee talked to Tony in Barcelona. Need to
>         get draft together quickly.
> 
>         Dave Staggs: got email from Tony re: interop. Possible
>         health care demo. Involves privacy info.
> 
>         Hal: Tony- more extensive policy exchange
> 
>         Hal: Dee - wants draft in week or so.
> 
>         Hal: BEA will not commit unless minimal changes from existing
>         Interop.
> 
>         Some discussion on multiple TC scenarios, ex ws-fed.
> 
> 3 Issues:
>     Issue 87:
>        Rich: Need xpath feedback from others - i.e. someone who
>        "knows" what the xpath constructs are "supposed to be"
> 
>         Rich to provide specific proposal for changes. Options of
>         required optional/ resource:xpath in attr designator. (will
>         be based on deduction of intent of xpath in spec unless
>         specific feedback provided)
> 
>         Hal: (on related topic raised in addition to the core of
>         issue 87) final step to compute decision, PDP relies on nothing
>         except what's in request context - Niko mentions date/time, what-if
>         consensus, send in req - will this be allowed next week,
>         pdp will compute it. When CH finishes, PDP only considers
>         what's in context. See: first of msg pair on Sat -
>         contradiction. PDP must verify attr as accurate - other than the
>         current time. Make sure it's consistent everywhere. Niko's msg in
>         xacml-dev list (comments above are re: last para in the
>         following msg):
> 
> 
> http://lists.oasis-open.org/archives/xacml-dev/200710/msg00007.html
> 
>        (maybe Hal could elaborate a bit more - I am uncertain how
>        "current-time" could be "next week". I am also uncertain looking
>        at the above message exactly what is at issue, but I would like
>        to know more about the "what if" capability - i.e. how would one
>        set it up?)
> 
>     Issue: "An idea regarding decision explanation"
> 
>         Erik: Annotating attrs: - explanation of what can be done
>         about it - many ways to respond. Policies that didn't
>         match. Differentiate between attrs that users can do
>         something about.
> 
>         http://lists.oasis-open.org/archives/xacml/200710/msg00029.html
> 
>         ex. in above link: flight - reach a point where your PDP tests
>         whether permission (as opposed to checking if Target is applicable),
>         return all the info - in general much too much and user will not
>         know what to do
> 
>         Erik/Hal: Similar to obligations.
> 
>         Rich: the 3 reasons (why not similar to MissingAttributeDetail)
>         are still subject to discussion:
>         http://lists.oasis-open.org/archives/xacml/200710/msg00032.html
>         Basically, MustBePresent (lines 2614-2617 and related) can be used
>         to force Indeterminate to be returned if attr missing. Putting
>         aside the possible options implicit in lines 3321-3323, lines
>         3323-3326 indicate that the attr info MAY be listed in the Response
>         (presumably Policy determined and Policy writer would designate
>         conditions, let's assume trying to accomplish this get selected
>         info back to user) and section 7.15.3 gives guidelines on how to
>         do this. My point is that with these controls available, one
>         should be able to come up with a technique of the Policy Designer
>         knowing which attr to flag to the user and use this technique to
>         do it. A further control would be, in addition, to use an
>         Obligation to tell the PEP that if there is MissingAttrDetail,
>         then do what is necessary to inform the user and then possibly
>         resubmit the request. (This request re-submission appears to be
>         an intended capability as per lines 3601-3603 of sec 7.15.3) I
>         think this addresses the 1st 2 reasons in the above email. The
>         3rd reason, I agree, is not handled by this mechanism, because
>         attr is not "missing" in that case.
> 
>        Hal: too many Obligation reqts implicit here (in email, not
>          necessarily the above case). Gets complicated.
>         Bottom line: need admin to tag specific things as useful to
>         the users.
>         Use Target to match on Resource, Action.
>         Multiple missing attrs - Hal - if you can't it's a bug.
> 
>         Rich: May tie together w ws-xacml.
> 
>         Erik - another reason is if you have an extra attr could
>         be the problem. Might need a PresentAttrDetail
> 
>         Hal: take 80/20 approach, we can't solve all problems, but there
>           may be some value in some of these ideas.
> 
>       issue 62 Update to policy distribution protocol.
>        http://lists.oasis-open.org/archives/xacml/200710/msg00034.html
> 
>         Hal: Naked policies or policies wrapped in Assertion - thinking
>         both are required.
> 
>         Rich: policies - issuer (XACML 3.0) provides natural structuring -
>         Hal: provides several other ways, but does not want to cast any
>         particular one as automatic.
> 
> Meeting adjourned approx 11:05 AM
> 
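Editor's illustration of the round trip Rich describes under "An idea regarding decision explanation": a MustBePresent designator whose attribute is absent forces Indeterminate, the missing attribute is listed as MissingAttributeDetail in the Response, and an Obligation tells the PEP to inform the user and resubmit. This is an added Python sketch, not part of the minutes and not the code of any XACML implementation. The status-code URNs, the XSD string type and the element names (MustBePresent, MissingAttributeDetail, Indeterminate) are XACML's own; the policy, the attribute ids, the short category names and the `urn:example:obligation:prompt-and-resubmit` obligation id are constructed for the example. It also covers Erik's third case (attribute present but wrong, so nothing is reported as missing) and Hal's point that the PDP decides only from the request context it was handed.

```python
# Added illustration (not from the minutes): toy PDP/PEP round trip showing how
# MustBePresent, MissingAttributeDetail and an Obligation combine so the caller
# learns which attribute to supply and resubmits.  XACML status codes and
# element names are real; policy, attribute ids, category names and the
# obligation id are constructed for this example.
from dataclasses import dataclass, field

STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
STATUS_MISSING = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Hypothetical obligation id: tells the PEP to obtain the listed attributes
# from the user and resubmit (the re-submission pattern under discussion).
OBLIGATION_RESUBMIT = "urn:example:obligation:prompt-and-resubmit"


@dataclass(frozen=True)
class AttributeDesignator:
    category: str
    attribute_id: str
    data_type: str = XS_STRING
    must_be_present: bool = False   # XACML MustBePresent


@dataclass
class Response:
    decision: str                   # Permit / Deny / NotApplicable / Indeterminate
    status: str
    missing_attribute_detail: list = field(default_factory=list)
    obligations: list = field(default_factory=list)


# Constructed policy, one rule: "a clinician may access a health record".
# Each entry is (designator, expected value).  The role designator is
# MustBePresent so its absence is reported instead of quietly yielding
# NotApplicable; the resource-type designator is optional.
ROLE = AttributeDesignator("subject", "urn:example:attr:role", must_be_present=True)
RESOURCE_TYPE = AttributeDesignator("resource", "urn:example:attr:resource-type")
POLICY = [(ROLE, "clinician"), (RESOURCE_TYPE, "health-record")]


def pdp_evaluate(request, policy=POLICY):
    """Toy PDP: the decision depends only on the request context passed in;
    nothing is fetched from anywhere else."""
    missing = [d for d, _ in policy
               if d.must_be_present and (d.category, d.attribute_id) not in request]
    if missing:
        # MustBePresent="true" and no value: Indeterminate, with the missing
        # attributes listed as MissingAttributeDetail and an obligation so
        # the PEP knows it may inform the user and resubmit.
        return Response(
            "Indeterminate", STATUS_MISSING,
            missing_attribute_detail=[(d.category, d.attribute_id, d.data_type)
                                      for d in missing],
            obligations=[OBLIGATION_RESUBMIT])
    for d, expected in policy:
        if request.get((d.category, d.attribute_id)) != expected:
            # Present-but-wrong value, or an optional designator absent: the
            # target simply does not match.  This is the "3rd reason" case:
            # nothing is "missing", so no MissingAttributeDetail is produced.
            return Response("NotApplicable", STATUS_OK)
    return Response("Permit", STATUS_OK)


def pep_request(request, ask_user, max_resubmits=1):
    """Toy PEP: enforces the decision and honours the resubmit obligation at
    most max_resubmits times.  ask_user maps (category, attribute_id) to a
    value, or None when the user cannot supply it.  Returns (allowed, trace)."""
    ctx = dict(request)
    trace = []
    for _ in range(max_resubmits + 1):
        resp = pdp_evaluate(ctx)
        trace.append(resp.decision)
        if not (resp.decision == "Indeterminate" and OBLIGATION_RESUBMIT in resp.obligations):
            break
        supplied = {}
        for category, attribute_id, _data_type in resp.missing_attribute_detail:
            value = ask_user((category, attribute_id))
            if value is not None:
                supplied[(category, attribute_id)] = value
        if not supplied:
            break               # user could not help; stop rather than loop
        ctx.update(supplied)    # resubmit with the now-complete context
    # Deny-biased PEP: anything other than Permit is enforced as a denial.
    return resp.decision == "Permit", trace


if __name__ == "__main__":
    initial = {("resource", "urn:example:attr:resource-type"): "health-record"}
    allowed, trace = pep_request(
        initial, lambda key: "clinician" if key[1].endswith("role") else None)
    print(allowed, trace)   # True ['Indeterminate', 'Permit']
```

The bound on resubmissions matters: an obligation-driven retry loop with no cap would let a request that can never be completed keep the PEP and PDP busy indefinitely, and a PEP that cannot satisfy the obligation must fall back to denial rather than treating Indeterminate as a grant.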


