

Subject: Minutes 26 February 2009 TC meeting


--------------------------------------------------------------------------------

Time: 10:00 am EDT
Tel: 512-225-3050 Access Code: 65998

Proposed Agenda for 26-Feb-09 TC Meeting:

10:00 - 10:05 Roll Call

Voting Members

Erik Rissanen  	Axiomatics AB
Bill Parducci	Individual
Rich Levinson 	Oracle Corporation
Hal Lockhart 	Oracle Corporation
Anil Saldhana 	Red Hat
John Tolbert 	The Boeing Company

Members

Anthony Nadalin 	IBM

  We have quorum

10:05 - 10:15 Administrivia

Approve Minutes
 19 February 2009 TC Meeting Minutes
  http://lists.oasis-open.org/archives/xacml/200902/msg00039.html

  accepted, no objection

 Meeting schedule:

  will continue to meet weekly thru the end of March, then
   revisit

 RSA Conference: April: 
  Hal planning to give "advanced talk"

   no more info

10:15 - 11:00 Issues

[Documents posted]

Proposed rev: Hierarchical Resource Profile uploaded by Rich (2/23): 
(re: issue below)
 http://lists.oasis-open.org/archives/xacml/200902/msg00056.html

  discuss below

XACML 3.0 Core WD08 uploaded by Erik (2/5): (reminder, for review)
 http://lists.oasis-open.org/archives/xacml/200902/msg00003.html

  reminder to people: review

[New Issues]

Comment on combining algorithms in Core WD07
 Erik reply fix is made (is it in wd8 or next?)
  http://lists.oasis-open.org/archives/xacml/200902/msg00054.html

    Erik: planned for WD09


Hierarchical profile
 Rich raised need for addressing a severe issue, based on results
 of in-depth discussions last week in addition to Jan discussions:
  http://lists.oasis-open.org/archives/xacml/200902/msg00055.html
 also provided proposed changes to spec to address issues:
  http://lists.oasis-open.org/archives/xacml/200902/msg00056.html

 STATUS: OPEN

   Rich: explained the proposal

   discussion: mostly on following topics:

     differences in ancestor collection and how done in 
      both schemes: DAG and forest

     conceptualization of forest, which is disjoint, having
      "intersections" - the concept in the proposal is that
      the resources themselves should be viewed as an unstructured
      collection, which has org applied to it in the form of
      hierarchies.
      In the forest scheme, Hal suggested each defined hierarchy
      has a different distinguishing color, so one can see that
      a particular resource might have multiple lines crossing
      it, one for each hierarchy of which it is a member.
      The same conceptualization applies to DAG as well, except
      does not show spreading of DAG hierarchies to include
      automatic members that are children of parents from the
      original hierarchy where the children were not in that
      hierarchy the parent belonged to, but are now because they
      are the child of that parent from a different hierarchy
      that they both did originally belong to.

   ACTION: Rich: provide an easy example in separate email;
           other TC members: review proposal


[carryover from previous meetings]

Open Issues in SAML Profile
 any status changes on actions (see minutes):
  1. Disallow inheritance semantics from request data; Suggested
    proposed text in this email:
     http://lists.oasis-open.org/archives/xacml/200902/msg00013.html
  2. Required methods to obtain policies from refs: none or some? 
     Generally: what to do about "missing policies"
 Hal indicated would provide a proposal on ws-fed attr type stuff

  Comments indicated all ok and rev in progress.

Multiple Request Proposal
 Erik proposal to add MultiRequest element to core schema:
  http://lists.oasis-open.org/archives/xacml/200902/msg00014.html

 STATUS: OPEN
   still was question on xml:id; where do we stand overall
   on what's next here?

  Hal: using xml:id now, in 2009, is way to go. 5 yrs ago, the
	canonicalization did not work correctly but now it does
	people now using exclusive canonicalization
	no reason not to use it.

  Hal: do not need to declare xml:id
  Erik: tried it, but there was problem
  Hal: possibly parser used is not supporting xml:id
  
  Erik: xsd specification is how you use xml: namespace

  Rich: sig pkgs use id without schema validation
  Hal: need to declare the ids

  Erik: "note D2" of xml:id spec is the "issue" 
  Hal: drop note to Norm Walsh of Sun, one of spec's authors
  spec is - "xml:id Version 1.0": w3c tr recommendation
   http://www.w3.org/TR/xml-id/
  this note points to "Minimally conforming schema processor",
  which sounds like ability to handle xml:id w/o other schema
  validation, also it says 
	"Note that the effects of a Minimally Conforming Schema 
	Processor, processing the above schema, are approximated 
	by simply looking for attributes named xml:id, ensuring 
	the value of such attributes has the correct lexical form 
	(NCName), and the value is unique within the document."

 ACTION: Erik to drop a note to Norm Walsh of Sun, one of spec's 
  authors, based upon Hal's suggestion

RBAC Profile
 no change: if proposal is delivered for Role Enablement Authority
  capabilities or example of best practices, we will evaluate. Note:
  profile already does provide specific URN to indicate an REA:
   "urn:oasis:names:tc:xacml:2.0:subject-category:role-enablement-authority"
  presumably an example would build on this foundation.
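
The xml:id check quoted from the W3C note in the Multiple Request discussion above (find attributes named xml:id, require NCName form, require uniqueness within the document), written out as an added example; it is not part of the original minutes or of any TC document. The element names and ID values in the sample are constructed, and check_xml_ids is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET

# ElementTree reports xml:id under the reserved XML namespace.
XML_ID = "{http://www.w3.org/XML/1998/namespace}id"

# NCName = XML 1.0 Name without ':' (character ranges from the XML 1.0 grammar).
_START = ("A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D"
          "\u037F-\u1FFF\u200C\u200D\u2070-\u218F\u2C00-\u2FEF"
          "\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\U00010000-\U000EFFFF")
_REST = _START + "\\-.0-9\u00B7\u0300-\u036F\u203F\u2040"
NCNAME = re.compile("[%s][%s]*" % (_START, _REST))

# Constructed sample: element names and ID values are illustrative only.
SAMPLE = """<doc>
  <item xml:id="a1"/>
  <item xml:id="  b2 "/>
  <item xml:id="a1"/>
  <item xml:id="9bad"/>
  <item xml:id="ok:no"/>
  <item id="a1"/>
</doc>"""


def check_xml_ids(document):
    """Return (ids, errors) without any schema validation.

    ids maps each accepted xml:id value to its element; errors is a list of
    (reason, value, tag) tuples for values that are not NCNames or repeat.
    """
    # For untrusted input, use a hardened parser instead of ET.fromstring.
    root = ET.fromstring(document)
    ids, errors = {}, []
    for elem in root.iter():
        raw = elem.get(XML_ID)          # plain "id" attributes are ignored
        if raw is None:
            continue
        value = " ".join(raw.split())   # ID-type whitespace normalization
        if not NCNAME.fullmatch(value):
            errors.append(("not-ncname", value, elem.tag))
        elif value in ids:
            errors.append(("duplicate", value, elem.tag))
        else:
            ids[value] = elem
    return ids, errors
```

A consumer that resolves references by ID, such as a signature package working without schema validation, would reject the document when errors is non-empty rather than pick one of several elements sharing a value.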




