

Subject: FW: [xacml] Groups - Export Control - U.S. (EC-US)


Replies inline...

>Section 2.2, about subject nationality: It uses "RECOMMENDED" for the
>use of ISO country codes. Maybe this should be MUST to make it more
>interoperable?

JT: We had thought that it might be better to leave it up to
implementers to decide if they should use 2- or 3-letter country codes.


>Also, it's unclear to me whether the "nationality" attribute lists only
>those nations where the subject is currently a citizen, or all
>nationalities the subject has possessed. It doesn't say the latter, but
>I am asking because there is also a "current-nationality". What's the
>difference? Is the difference that current nationality is single valued
>while "nationality" may be multi valued. But then, why would the most
>recently assigned nationality be special?

JT:  Current nationality is used for EAR; all nationalities are
considered for ITAR.  We would expect that all nationalities would be
returned in a bag of attribute values for ITAR decisions.

>Section 2.2.3, the location attribute: Do you need a value for if the
>subject is located outside any country, like on international waters?
>BTW, the same about citizenship. There are people who have no
>citizenship.

JT: It is my understanding that you couldn't legally ship to
"international waters" or to a person without citizenship status.  Cases
where null values in those attributes occur should yield a "Deny"
decision.

>BTW, the location attribute may be difficult to authenticate securely
>since it is very easy to proxy a network connection through a middle man
>located wherever in the world.

JT: Agreed.  We're hoping that mechanisms that provide better assurance
will be developed.  

>2.2.5: What is the definition of a "US person"? Maybe you can refer to
>some EC law which defines it?

JT:  See http://www.access.gpo.gov/bis/ear/pdf/744.pdf  

>General: Would it be good if there were some general text which
>explains why these attributes are sufficient and/or useful for the
>purposes of export control?

JT: See http://www.bis.doc.gov/licensing/exportingbasics.htm.  This is a
really good resource.

Thanks

-----Original Message-----
From: Erik Rissanen [mailto:erik@axiomatics.com]
Sent: Monday, May 18, 2009 8:02 AM
To: Tolbert, John W
Cc: xacml@lists.oasis-open.org
Subject: Re: [xacml] Groups - Export Control - U.S. (EC-US) (xacml-3.0-ec-us-v1-spec-wd-01-en.doc) uploaded

Hello John,

This looks good to me. A couple of notes:

Section 2.2, about subject nationality: It uses "RECOMMENDED" for the
use of ISO country codes. Maybe this should be MUST to make it more
interoperable?

Also, it's unclear to me whether the "nationality" attribute lists only
those nations where the subject is currently a citizen, or all
nationalities the subject has possessed. It doesn't say the latter, but
I am asking because there is also a "current-nationality". What's the
difference? Is the difference that current nationality is single valued
while "nationality" may be multi valued. But then, why would the most
recently assigned nationality be special? The doc is probably as you
intended, but for me reading, it's a bit confusing why it would be like
this. But I don't know much about the US EC regulations... :-)

Section 2.2.3, the location attribute: Do you need a value for if the
subject is located outside any country, like on international waters?
BTW, the same about citizenship. There are people who have no
citizenship.

BTW, the location attribute may be difficult to authenticate securely
since it is very easy to proxy a network connection through a middle man
located wherever in the world.

2.2.5: What is the definition of a "US person"? Maybe you can refer to
some EC law which defines it?

General: Would it be good if there were some general text which explains
why these attributes are sufficient and/or useful for the purposes of
export control?

Best regards,
Erik



john.w.tolbert@boeing.com wrote:
> Working draft for XACML EC-US profile (export control - US).
> 
>  -- Mr. John Tolbert
> 
> The document named Export Control - U.S. (EC-US)
> (xacml-3.0-ec-us-v1-spec-wd-01-en.doc) has been submitted by Mr. John
> Tolbert to the OASIS eXtensible Access Control Markup Language (XACML)
> TC document repository.
>
> Document Description:
> Profile listing attributes for using XACML to make export control (US)
> authorization decisions.
>
> View Document Details:
> http://www.oasis-open.org/committees/document.php?document_id=32131
>
> Download Document:
> http://www.oasis-open.org/committees/download.php/32131/xacml-3.0-ec-us-v1-spec-wd-01-en.doc
>
>
> PLEASE NOTE:  If the above links do not work for you, your email
> application may be breaking the link into two pieces.  You may be able
> to copy and paste the entire link address into the address field of
> your web browser.
>
> -OASIS Open Administration
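
The evaluation rules John Tolbert describes in his replies above (current nationality for EAR, the whole nationality bag for ITAR, Deny when a value is missing), as a simplified model; this is an added example, not code from the profile or from the thread. The restricted list, the sample subjects and the choice of 2-letter codes are constructed assumptions, and the attribute names are the short labels used in the thread rather than the profile's identifiers.

```python
import re

# Constructed, hypothetical restricted list. "XA" and "XB" are ISO 3166
# user-assigned codes, not real countries; real lists come from the regulations.
RESTRICTED = {"XA", "XB"}
ALPHA2 = re.compile(r"[A-Z]{2}")  # assumption: this deployment uses 2-letter codes

def usable(bag):
    """True only for a non-empty bag whose values are all alpha-2 codes."""
    return bool(bag) and all(isinstance(c, str) and ALPHA2.fullmatch(c) for c in bag)

def decide(regime, subject):
    """Return "Permit" or "Deny" for one subject (dict of attribute bags).

    EAR reads current-nationality; ITAR reads every value in nationality.
    Unknown regimes and missing, empty or malformed bags fail closed.
    """
    source = {"EAR": "current-nationality", "ITAR": "nationality"}.get(regime)
    if source is None:
        return "Deny"
    nationalities = subject.get(source, [])
    location = subject.get("location", [])
    if not usable(nationalities) or not usable(location):
        return "Deny"
    if RESTRICTED & (set(nationalities) | set(location)):
        return "Deny"
    return "Permit"

# Constructed sample subjects.
SAMPLES = {
    "single": {"nationality": ["US"], "current-nationality": ["US"], "location": ["US"]},
    "dual": {"nationality": ["US", "XA"], "current-nationality": ["US"], "location": ["US"]},
    "stateless": {"nationality": [], "current-nationality": [], "location": ["US"]},
    "no-location": {"nationality": ["US"], "current-nationality": ["US"]},
    "alpha3": {"nationality": ["USA"], "current-nationality": ["USA"], "location": ["US"]},
}

def decision_table():
    """Map each sample name to its (EAR, ITAR) decisions."""
    return {name: (decide("EAR", s), decide("ITAR", s)) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, (ear, itar) in decision_table().items():
        print(f"{name:12} EAR={ear:6} ITAR={itar}")
```

The "dual" subject is the case the EAR/ITAR distinction turns on, and "alpha3" shows what happens when one side sends 3-letter codes to a policy written for 2-letter ones, which is the interoperability concern raised about leaving the code format as RECOMMENDED.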


