Subject: XACML F2F Day 3, Dec 10, 2009: Raw notes from meeting


see attached
!*****************

    12/10/09:
	XACML F2F Day 3


      Presentations:

	Rich: AzApi, OpenAz pres

	Nao: NextLabs distributed pdp client embedded pres

      Discussion: Post 3.0 topics of interest

	Sridhar: profile consolidation:

      Martin: DOHS, 
	concern about sprouting of too many profiles
	  want something to work across wide space:
	strategy for markup of documents
	interoperability across wide space: thousands of people
	need to interpret rules, attributes in same way

	policies: really dev'd by lawyers, HIPAA, privacy, etc.
	 can't be chasing urls as description of resource

      Hal: xspa profile: were using concepts dev'd in hl7 w/o/r
	to xacml at all; tap into orgs that have bodies of metadata
	and build profiles around that: so it is not blank
	piece of paper.

	another area: hierarchical resources: can only get so far
	 and need a lot more in resource attrs (as opposed to
	 subject attrs) almost nothing for res props access method
	 syntax, semantics, etc.

       Martin: national info exchange model - threatening to spread
	across fed gov as std: hss name folks cooperative approach

	In practice policies settled; look like legal expressions,
	medical examples in tc doc; dr can't see patient etc rules
	what he's looking for, but if at end of url was the model
	it would be difficult to make work.

      Hal: Ulrich had notions of hi level policy modeling, derive
	attrs from that etc.
	abstract out parts of policies at mgr/lawyer level, as opposed
	to IT-oriented detail logic structures.

      Martin: 2 parts of policy: protection level of data, distr level
	for data: trying to simplify protections to simple levels.
	On distribution side: a law officer assigned to case can see
	info related to the case; pii personally identifiable identification

	at time of creation, they know "facts", but don't know access
	decisions details. based on policy computation.

      Paul: implementing govt regs: export control: could be put in
	xacml policies and distr to companies that deal with it. John
	and Paul dev'd EC profile w attrs that apply; trying to get
	dept attention to address

	regulation can be put in xacml as long as there is vocabulary
	and ontology framework for the data.

      Martin: law-oriented people are not well positioned for actually
	specifying these policies within IT environment.

      Jan: have similar type problems: some profiles for web services
	access; vs profiles that restrict attr-ids in certain use cases
	rules are generic mechanism to define a profile thru xacml
	rules; prevents "explosion" of rules, i.e. having rules about
	rules. How to use xacml to control how rules and attr-ids
	can be used.

      Sridhar: how do you config policies to enforce.

      Hal: best practices; styles, templates; xacml-users email intended
	to be focal point at the level
	No reqt that all work done in xacml tc; for example ogc stds
	do not need to get pulled into xacml tc, as long as it is
	well known what process is.

      Martin: person ontology; need awareness of how policies impact
	individuals. Policies tell you attrs and markup that you
	need.

      Hal: tc can serve as focal point being repository of info.

      John: doesn't expect agencies to start writing policies in near
	term. For a while at least some prototyping appls for particular
	use cases.

	Current profiles are still too general (hier, multiple) need
	strategy for new profiles to scope use case verticals.

      Jan: generic mechanisms to get profile; we could have another
	conf to pull people together to get to next level.

      Hal: workshop like in openliberty?

      Nao: tc needs involvement in some nature

      hal: defining xacml for industry specific context don't need the
	tc; xspa started by founding their own tc. No tech people from
	tech vendors joined tc, because of IP conditions.

      John: comments emailed:

	Some post 3.0 topics:

	Maturation and expansion of AzAPI

	XACML for non-XML/non-web resources:  non-XML files, databases, 
	structured data, filesystems, etc.

	Additional profile templates:  resource profiles for new types 
	of resources (such as Hierarchical, Multi, ODF Document Controls), 
	attribute collection profiles (EC-US, IPC, XSPA as examples) for 
	vertical industries or common use cases

	Resource tagging standardization effort

	Higher-order language for policy authoring

      Hal: idea from 2002: define specific profiles of xacml that let
	you emulate domains, express domains in xacml, ability
	to analyze things. windows intf could leave same and change
	info to be in xacml form.

      Paul: not sure what profile would look like for that, but have
	done profiles to distinguish native vs enterprise representations

      Jan: ex. express policy in grant statements then express in xacml?

      Hal: move to env where policies expressed in xacml.

      Nao: in future appls become peps themselves, don't worry about
	making peps anymore. great first step what hal suggested

      John: second hal on way to help preload policy
	authority if able to survey existing policy env

      Martin: lot of bad policy out there: tools available: group
	membership, etc. not relevant to what actual policies need
	to be according to laws and regulation

	To gather data on people end up w big database about people
	that is not particularly usable. Dysfunctional: don't have
	info 

      Hal: policy may not be best model; always a compromise about what
	info is processed by policy; validity of data for example would
	be prereq to use in policy.

      Martin: sees it stated that az protection is local: thinks that's
	wrong and there are broad uses if data was available and reliable.

      Hal: Final comments:

      John: model based security paradigm: higher order authoring level
	that doesn't require xacml knowledge.

      Erik: future consideration: stateful policies.

      Sridhar: can write policy that includes state attrs as consideration

      Jan: already there: model state in category env:

      Erik: dynamically changing due date;

      Hal: that and ? were discussed at workshop
	certain kinds of reqts can be reached w certain constraints,
	ex. single point of failure reqd for separation of control

 	inherently needs to be one point in network that "knows"

      Nao: how to make it easy to use xacml: azapi from rich, hi level
	lang from john, others from hal


    Afternoon session day 3:

      David Chadwick issue:
	Hal: propose: not change core schema;
	change saml profile to put any at end
	and pep returns indeterminate;
	lax or strict schema checking;

	lax,strict,skip

    proposal is to put in XACML-3.0-cd-1.updated-2009-May-07\XSD\
		xacml-3.0-profile-saml2.0-v2-schema-protocol-cd1.xsd

	just in time policies that arrive just in time for current
	request; as long as there is chain of admin policies that
	the policy is ok.

	Basically, policies provided must be understood one way or
	another to determine if relevant, and if can't be read, then
	pdp doesn't know what it is and must reject the request.


    2:30 wrap-up discussions:

	Erik/Hal: Not allowed to list non-members on spec;
	 even if past members, Hal will look into specifics

	Hal: can state intention to update refs w pending url
	 finalization, for example.

	Hal: metadata w identifiers for conformance clauses.
	 ex profiles have 1-5 conformance clauses;

	Hal/Erik: consider conformance wrt conformance tests we have.

	In principle, system must conform w all the MUSTs; identifiers
	we will have a small number for each spec.

	Test cases are now in oasis, fix section 10.2 w ref

	Hal: suggests leaving things pretty much as is.

	Hal: before submission need to have 3 organizational oasis
	members attest to having used the spec w some sort of
	implementation.

	Meeting/F2F adjourned 3:33PM PT



************************!

