Subject: Re: [xacml] Minutes of XACML TC mtg: 3-Jul-08
All,

There is a small error in the minutes. I think we decided to adopt the proposals made on

Security considerations for the access-permitted function
http://lists.oasis-open.org/archives/xacml/200806/msg00044.html

and

Issue 89, Adding a description element
http://lists.oasis-open.org/archives/xacml/200806/msg00047.html

But the minutes do not state the decisions were made.

Best regards,
Erik

Rich.Levinson wrote:
> Minutes of XACML TC mtg: 3-Jul-08:
>
> Time: 10:00 am EDT
> Tel: 512-225-3050 Access Code: 65998
>
> Attendance:
>
>   Voting Members
>
>     Erik Rissanen     Axiomatics AB
>     Anthony Nadalin   IBM
>     Rich Levinson     Oracle Corporation
>     Hal Lockhart      Oracle Corporation
>     Anil Saldhana     Red Hat
>     Seth Proctor      Sun Microsystems
>     David Staggs      Veterans Health Administration
>
>   Members
>
>     Duane DeCouteau   Veterans Health Administration
>
>   OASIS Staff
>
>     Dee Schur         OASIS
>
> Note:
>
>   Next call in 2 weeks Jul 19. Hal will probably not be able to
>   chair. Hopefully, Bill can handle.
>
> Agenda: ("Minutes" after each agenda item)
>
> 10:00 - 10:05 Roll Call & Minutes Approval
>   Vote on Minutes from 19 June TC Meeting
>   http://lists.oasis-open.org/archives/xacml/200806/msg00043.html
>
>     Minutes approved.
>
> 10:05 - 10:10 Administrivia
>
>   XACML Interop Update (London: Oct 2008)
>   http://lists.oasis-open.org/archives/xacml/200806/msg00038.html
>
>     Dee: go to forum page: xacml listed Wed PM.
>     Cost is $500/participant company (we get to be in main castle
>     room)
>     Need commitments
>       Erik in
>       Tony - depends, for now, we're
>       Anil (red hat) in
>       David (VA) not present
>       Rich - probably not in
>       Dee says Sampo is probably in
>
>     Duane will participate in mtgs and fill in details
>
>   SVN Status - Waiting for word from Jamie
>
>     Legal issues on source control, still waiting
>     for details
>     Std boiler plate - issue by Deviant people if they
>     can use pieces of schemas etc.
>
>   OGF document released for public comment: "Use of XACML
>   RequestContext..."
>   http://lists.oasis-open.org/archives/xacml/200806/msg00049.html
>
>     Robin Cover distributed - geo space people want to stdize
>     around req/rsp protocol
>
>   A dynamic revocation model for XACML
>   http://lists.oasis-open.org/archives/xacml/200807/msg00000.html
>
>     Attributes of delegate when issued policy, if interested
>     read paper - whether current admin can revoke policies
>     created by previous admin.
>     Relies on attributes saved and signatures and is "somewhat
>     heavy to implement"
>
> 10:10 - 11:00 Issues
>   Issues #71 and #76 (multi-categories)
>   http://lists.oasis-open.org/archives/xacml/200806/msg00041.html
>
>     Supporting multiple intermediaries, codebases. Hal now
>     agrees w Erik, don't want to add new functionality
>     for this.
>
>   WS-XACML Review
>   http://lists.oasis-open.org/archives/xacml/200806/msg00029.html
>
>     Hal: potentially a solution to reqt how do you know
>       what attr should be provided to PDP. Vocab could
>       be gleaned from policies, create an xml document
>       and say that is vocabulary, etc.
>
>     Erik: think it's fine, raises reasonable things, if there
>       is a demand from users should consider moving it forward.
>
>     Hal: if going to req from pdp, what attr to provide.
>
>     Erik: also contains privacy policy, how enforced.
>
>     Hal: philosophy same as obligations
>
>     Erik: Anne sent ref to paper that describes protocol
>       setting to enforce - is concerned whether possible to
>       enforce at all.
>
>     Hal: privacy work was with some academic people, but can
>       also be used for other purposes than privacy. As much
>       as possible leveraging machinery that already exists
>       access to pdp engines that already contain parsing
>
>     Erik: xpath concern in there, WS-Policy dropped ignorable.
>       Anne had restriction on xpath that there would always
>       be unique - does not think it is sufficient, because can
>       use different namespaces to get around.
>
>     Hal: still hopeful Daniel can get back in.
>
>   Passing parameters to the attribute designator
>   http://lists.oasis-open.org/archives/xacml/200806/msg00042.html
>
>     From Anil Tappetla: Erik been considering, understands
>       need for parameters, but not sure policy is right place
>       for it. Any semantics? Need to provide a use case to
>       better understand the issue.
>     Hal: maybe part of vocabulary, what is syntax of attrs
>       that policy can be found and how do you find them.
>     Erik: without more info would be inclined to say no.
>
>   Security considerations for the access-permitted function
>   http://lists.oasis-open.org/archives/xacml/200806/msg00044.html
>
>     Erik: in general fcn may not terminate. Limit on depth
>       is a problem. Propose a limit either in std or impl
>       based in metadata.
>
>     Hal: this might be useful in metadata.
>
>     Hal: attacker could send poison policy to mess up system.
>
>   Issue 88, general xpath functions again
>   http://lists.oasis-open.org/archives/xacml/200806/msg00045.html
>
>     Either general library or specific subset. xpath contains
>     data types that do not fit xacml in any way.
>     Craig/Erik: propose we make up specific fcns and refer to
>       xpath and not plug into full xpath.
>     Hal: purpose is manipulating request context.
>     Erik: this is our identifier and the functions does same
>       thing as the xpath spec.
>     Erik: we defined general import, but not a good idea, then
>       imported subset and found problems there. Now suggesting
>       we just have identifiers that have limited interpretation
>       but are equivalent to selected xpath specifics
>
>   Issue 89, Adding a description element
>   http://lists.oasis-open.org/archives/xacml/200806/msg00047.html
>
>     Either add to expression type or to apply. If you add to
>     apply will be more generally pervasive.
>
>   A problem in the multiple resource profile
>   http://lists.oasis-open.org/archives/xacml/200806/msg00048.html
>
>     Erik: in the policy can specify xpath version. Mult res prof
>       req does not have similar identification of version.
>       Add an element for 3.0
>
>   The duration data types
>   http://lists.oasis-open.org/archives/xacml/200807/msg00001.html
>
>     Looks like oversight. However, if we add it then some of fcns
>     there become redundant.
>     Hal: intro new ones and give warning redundant will be
>       removed in future. Sometimes convenient to keep around.
>     Erik: adding date/time and year/month not the same.
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. You may a link to this group and all your TCs in
> OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php