Minutes 26 March 2009 TC Meeting

["Rich.Levinson" <rich.levinson@oracle.com>]

Time: 10:00 am EDT
Tel: 512-225-3050 Access Code: 65998

Minutes for 26-Mar-09 XACML TC Meeting:


10:00 - 10:05 Roll Call & Approve Minutes

    Note: we are going back to bi-weekly schedule.
	Next meeting is April 9.

  Voting Members

    Erik Rissanen  	Axiomatics AB
    Rich Levinson 	Oracle Corporation
    Hal Lockhart 	Oracle Corporation
    Anil Saldhana 	Red Hat
    Dilli Arumugam 	Sun Microsystems
    John Tolbert 	The Boeing Company

  Members

    Anthony Nadalin 	IBM 	Group Member

  Notes:
    Dilli (should have been) promoted to voting member 
     before the call. 
    Tony became a voting member after the call.

	not sure if quorum


   19 March 2009 TC Meeting minutes to approve:
   http://lists.oasis-open.org/archives/xacml/200903/msg00089.html
   http://lists.oasis-open.org/archives/xacml/200903/msg00099.html

    above links are identical
    hold off approval to next mtg (4/9) in case we're not at quorum

10:05 - 10:10 Administrivia

   Volunteers for editorial cleanup request
   http://lists.oasis-open.org/archives/xacml/200903/msg00106.html

    Hal: fair amount of work to pass Mary's test.

     John Tolbert: core and saml
     Dilli also volunteers

    Hal: looking to go to cd 2 weeks from today (goal)
    Rich: aggressive?
    Hal: goal, maybe month

    Erik: try for 2 weeks

    Hal: we will try to have docs ready for April 9 mtg.

    John: how are we going to make changes? post to list?
    Hal: people signup for docs, post new drafts
    Rich: what is list of operations?
    Hal: oasis checklist, plus internal inconsistencies, fixing is
     easy when found.
    Rich: need care on identifiers
    Hal: identifiers all stay same; new are version 3.
    Hal: up front URIs can be left until we are ready for cd, oasis
     will assign us URI(s);
     Links on "members only" page; follow link to tech details: following
       links to oasis spec info/reqts for updates in prep for CD.

	http://www.oasis-open.org/members/
	http://docs.oasis-open.org/templates/
	http://docs.oasis-open.org/templates/QAChecklistV2.html
	http://docs.oasis-open.org/templates/TCHandbook/ConformanceGuidelines.html

   v3.0 Core, Draft 10 uploaded
   http://lists.oasis-open.org/archives/xacml/200903/msg00088.html

    Erik: corrections, plus Category on Obligations

   v3.0 XACML/SAML Profile, Draft 7 Uploaded
   http://lists.oasis-open.org/archives/xacml/200903/msg00109.html

    Hal: added new section in request section
	ws-fed: common claims dialect: indicated could do on xacml
	ws-trust: provides alternative both quite similar, should
	 be easy to support both in parallel

    Hal: will add an example in ws-trust section

   v3.0 Hierarchical Profile, Draft 6 uploaded
   http://lists.oasis-open.org/archives/xacml/200903/msg00107.html
    cover email for hierarchical
    http://lists.oasis-open.org/archives/xacml/200903/msg00105.html

    Hal: attempted to make changes based on earlier proposal 
     that Hal emailed;

     Hierarchical URI
     ancestor attributes: self, parent, ancestor, ancestor-or-self;
      also can use any xacml data type
      
     concern: the "one true name"; Hal thinks it is general issue,
      discussed in core security considerations;

     Rich's comments will be probably be incorporated at first glance

   Misc topics:
    Anil S: (arrived late): There is interop (next week) in Chicago 
	that he, David, Duane, others? working on.


10:10 - 11:00 Issues

   Obligation Question: "AttributeAssignment@Issuer"
   http://lists.oasis-open.org/archives/xacml/200903/msg00101.html

     Rich: optional Issuer attr add to Obligation: agreed w Erik.

   Discussion on WD 4 of Muliple Resource Profile
   http://lists.oasis-open.org/archives/xacml/200903/msg00102.html

     Erik: we don't send multiple response even though we have
      multiple requests
     Erik: If list is incorrect, there is only one Result.
     Rich: partial results should be reported
     Erik: basically ok

   Discussion on WD 6 of  Hierarchical Profile
   http://lists.oasis-open.org/archives/xacml/200903/msg00110.html

    Rich: multiple hierarchies should be described in some
	tangible manner so that operational bullets can be
	described clearly. 

    Hal: thinks we are in agreement will try to make some
	clarifications based on comments.

    Rich: below is some more detail on "what the concept is".
     Specific means of presenting the concept is not of concern,
     just that the concept gets across. One sidepoint is that
     within a given "hierarchy" there is no problem if that
     single hierarchy is a DAG w multiple roots. The only concern
     is that the DAG properties of one hierarchy not "spill over"
     into other hierarchies. Since the DAG, itself, may be the
     result of combining multiple hierarchies, that may be where
     the confusion originated. In this case if multiple original
     hierarchies are combined into a DAG for some subset (M<=N) of 
     thetotal set of original hierarchies, that is no problem. 
     There will then be a new set of "original hierarchies consisting
     of the DAG plus the N-M remaining hierarchies that were not
     combined into the DAG. In this case in the description below
     the resources originally would have had N slots. Now they
     would have N-M+1 slots. 

	  For example, if a resource can be envisioned as 
	  having a set of "slots", each of which is assigned 
	  to one of N possible hierarchy memberships, then
	  if the resource has an entry in some subset of those
	  slots, then the value would be its "identifier" 
	  within that particular hierarchy.

	  Whenever the organization managing the resources
	  decided it had some new hierarchical structure that
	  it wanted to use with some or all of the resources,
	  then a new "slot" would be created identifying the
	  new hierarchy. i.e. these "slots" would have two
	  components: 1. a unique identifier for the hierarchy
	  with which the slot is associated. 2. an identifier
	  for the resource by which it is known in that 
	  hierarchy, which as discussed can be of any xacml
	  datatype. Each hierarchy has its own rules for its
	  own members in terms of naming.

	  Also, a resource typically would only need to hold
	  the slots for which it is a member. If it only belonged
	  to one hierarchy, it would have one slot with the
	  name of the hierarchy, and its name within the
	  hierarchy. 

	  My point is not to go overboard on how a resource's
 	  membership in multiple hierarchies is implemented,
	  just the notion that there is some kind of mechanism
	  that serves the overall purpose. Another analogy would
	  be the credit cards in a person's wallet. If you had
	  3 credit cards you'd be a member of 3 credit card
	  hierarchies, each separate and distinct, but their
	  identifiers are all collected together conveniently
	  in your wallet. Similar for resources: they would
	  have a wallet of "slots" etc.