Subject: Minutes: XACML TC Conf Call 2/28/08 - updated
Updated w Anil's comments:
http://lists.oasis-open.org/archives/xacml/200803/msg00010.html

Time: 10:00 am EDT
Tel: 512-225-3050 Access Code: 65998

Proposed Agenda:

10:00 - 10:10 Roll Call & Minutes

  Minutes 14 February 2008
  http://lists.oasis-open.org/archives/xacml/200802/msg00003.html
    minutes approved

  Status on interOp, promotion
    Most of the activity of late has been directed at the interOp
  http://lists.oasis-open.org/archives/xacml/200802/msg00013.html

  Administrivia

  Site, References updated to reflect new XACML implementation
  http://lists.oasis-open.org/archives/xacml/200802/msg00004.html
  http://lists.oasis-open.org/archives/xacml/200802/msg00010.html

  Call for Proposals - eID and Citizen-centric Administration
  http://lists.oasis-open.org/archives/xacml/200802/msg00005.html

  Last Call for IDtrust 2008
  http://lists.oasis-open.org/archives/xacml/200802/msg00020.html
    5 people giving panel, telling people about RSA interop
    Hal, Anil S., Tony, Bill, Sunil Madhu(Cisco/Securent)
    Andreas Sjooholm link sent to xacml list, click on prg go to

10:10 - 11:00 Issues

  Proposal for Context Note Change re: xPath
  http://lists.oasis-open.org/archives/xacml/200802/msg00006.html
    Erik: optimizations difficult because xpath can point anywhere. Can't do partial evaluations.
    Hal: should go ahead w it
    Erik: no known open issues
    Content node will be the default xpath
    xpath cannot climb out of this root, but possible to get around it.
    pdp might optimize query if you don't do it in particular way.
    recommend making private copy of request if want to get out.

  v3 "Practicalities"
  http://lists.oasis-open.org/archives/xacml/200802/msg00007.html
    Erik: duplicate combiners element, jaxb
    Hal: probably a typo/ upper line probably in by mistake
    Erik: remove the first one.
    2nd issue:
    Hal: xml schema defaults are becoming controversial: inconsistent and can cause sigs to break, etc.
    Anil. S. 3.0 only,
    Erik: no chgs to 2.0
    Anil: versions?
    Erik: versions of Policy not schema
    Erik: effect of mandatory is to write them out, but that is not really a default it is just a hard defn in 3.0 only
    Version and MustBePresent are impacted.
    Hal: recommendation is to go ahead, make attrs mandatory

  Updated Obligations Proposal
  http://lists.oasis-open.org/archives/xacml/200802/msg00008.html
  http://lists.oasis-open.org/archives/xacml/200802/msg00015.html
  http://lists.oasis-open.org/archives/xacml/200802/msg00018.html
    Bill and Erik had recommendations:
    Erik: 2 things:
      1. defined request format, part of families is defining metadata
      2. defined timing attr proposed by David Chadwick
    define what obligations before/after access
    if after: make sure service has been delivered before billing authority: side effects of access visible to obl before it is enforced.
    David O is asking for authorities that interact with each other.
    Hal: what database info is visible at given point
    Erik: atomicity is about success, wouldn't apply obl if access is unsuccessful.
    Bill: original intent of obls, timing of access and when obl carried out may be different, can't really bound it. need a "tried long enough" moment, so introduce ttl
    Hal: obl that are carried out in future: ex destroy data in 30 d. maybe don't want to "start" for 30 d, or it's an upper bound
    Bill: billing situation, if x allowed, expect y
    Hal: issue where boundary of obl semantics really ends - beyond xacml
    purpose: do better job "combining" obls, not to build out new functionality.
    Anil Seldhana: had proposal on obl on wiki: will send email to point people there.
      1) The wiki on Obligations I referred during the meeting is:
      http://wiki.oasis-open.org/xacml/ProposalForObligations
      I was interested in knowing whether my comments on the wiki were considered by Bill/Erik.

  Updated Administration Schema
  http://lists.oasis-open.org/archives/xacml/200802/msg00014.html
    updated 2 sections out of date
    Hal: how general does it have to be - just cover access subject?
    Erik: potential for loops
    Hal: put resource limits on policy evaluations; hard to detect a loop.
    Erik: different categories, maybe when you come thru loop 2nd time you are doing something different.
    Hal: would be nice to have some valid use cases.
    Erik: 2 more sections:
      removing policies: made non-normative suggestion and issues around mgmt of removals
      added conformance section: reduction of functionality not couple 2 unrelated things.

  PDP Meta Schema Proposal
  http://lists.oasis-open.org/archives/xacml/200802/msg00016.html
  http://lists.oasis-open.org/archives/xacml/200802/msg00017.html
    Erik: proposal: schema; pdp can declare what fcns it supports, it's extensible; ex for Obligations family can publish what families pdp implements.
    Hal: what about administrative attributes (metadata)
    Hal: is there default Rule combining reqd?
    Erik: ex schema has combining algorithm
    Hal: reduction of admin policies that enable non-root, are attrs of admin those current or those at time policy was created. Typically attr updates are historically lost as to when/why.
    Hal: good start on schema, looking for more suggestions.
    Hal: what about publishing optional capabilities
    Erik: it does.
    Bill: say what obl families supported