Re: [xacml] Making progress?

["Rich.Levinson" <rich.levinson@oracle.com>]

Hi Erik,

Unfortunately I missed the meeting this morning, however, Hal filled me 
in on some details. In particular, Hal mentioned that in the Boeing 
presentation that there was indicated a requirement for having 
Obligations available at the Rule level, while they are currently 
available only at the Policy level. This was also mentioned in today's 
minutes, but it is not clear from the minutes or a quick read of the 
presentation referred to in the minutes what the exact requirements are:
http://lists.oasis-open.org/archives/xacml/200812/msg00008.html
In any event, based on the partial information, I will take a stab at a 
possible means to address this issue.

One aspect of the discussion on issue 66 is that we agreed there is 
essentially an "extra layer" in the PolicySet/Policy/Rule hierarchy, 
which can effectively be removed using the uniform extended combining 
algorithms we discussed in earlier emails:
http://lists.oasis-open.org/archives/xacml/200811/msg00040.html

As a result of this uniformity, there is no longer any compelling reason 
to have more than one Rule in a Policy. i.e. if you have n Rules in a 
Policy and decide you want "1-rule" Policies, then you can simply change 
the parent Policy to a PolicySet and replace each Rule with a Policy 
containing only that Rule. This will enable one to effectively apply 
Obligations at the Rule level since all you need to do is apply the 
Obligations to the Policy containing the single Rule.

I am not sure if that addresses the requirements as stated at today's 
meeting, but would be interested to know if it does, or if there are 
additional requirements that this would not cover.

    Thanks,
    Rich


Erik Rissanen wrote:
> All,
>
> Could we get some more discussion on the open issues on the list so I 
> could write up a tentative working draft in good time before the next 
> meeting?
>
> Having long technical discussions on the calls only is very 
> inefficient. During the call today we spent 50 minutes discussing a 
> single issue, and we had an almost as long discussion on the same 
> issue last time. It would be much better if we could have more 
> discussion on the list so we can make more decisions on the TC calls. 
> Going like this means that we have many more months before we have a 
> committee draft.
>
> If I can get a rough direction on the following issues, I can edit the 
> specs for review before the next meeting so we can hopefully approve 
> them on the next call. Otherwise the whole thing is going to slip into 
> the holidays and get delayed even more.
>
> - Issue #66: policy combining. Should we fix the combining algorithm 
> bias and should we extend the indeterminate?
>
> - The small issues in the SAML profile. Can I get feedback on them? 
> Hal has promised to fix the wording of the returned request in the 
> SAML XACML Authz response.
>
> - I also propose that we extend the schema so a Rule can contain 
> obligations in the same way as Policies/PolicySets. This means that we 
> avoid the need of rewriting rules into policies in some cases.
>
> Best regards,
> Erik
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php