Subject: XACML F2F Day 3, Dec 10, 2009: Raw notes from meeting
see attached
!***************** 12/10/09: XACML F2F Day 3

Presentations:
Rich: AzApi, OpenAz pres
Nao: NextLabs distributed pdp client embedded pres

Discussion: Post 3.0 topics of interest

Sridhar: profile consolidation.
Martin: DOHS, concern about sprouting of too many profiles; want something to work across wide space: strategy for markup of documents; interoperability across wide space: thousands of people need to interpret rules, attributes in same way; policies really dev'd by lawyers, HIPAA, privacy, etc.; can't be chasing urls as description of resource.
Hal: xspa profile: were using concepts dev'd in hl7 w/o/r to xacml at all; tap into orgs that have bodies of metadata and build profiles around that, so it is not blank piece of paper. Another area: hierarchical resources: can only get so far and need a lot more in resource attrs (as opposed to subject attrs); almost nothing for res props, access method syntax, semantics, etc.
Martin: national info exchange model - threatening to spread across fed gov as std; hss name folks; cooperative approach. In practice policies settled; look like legal expressions; medical examples in tc doc: dr can't see patient etc. rules; what he's looking for, but if at end of url was the model it would be difficult to make work.
Hal: Ulrich had notions of hi level policy modeling, derive attrs from that etc.; abstract out parts of policies at mgr/lawyer level, as opposed to IT-oriented detail logic structures.
Martin: 2 parts of policy: protection level of data, distr level for data; trying to simplify protections to simple levels. On distribution side: a law officer assigned to case can see info related to the case; pii personally identifiable identification at time of creation: they know "facts", but don't know access decisions details, based on policy computation.
Paul: implementing govt regs: export control: could be put in xacml policies and distr to companies that deal with it. John and Paul dev'd EC profile w attrs that apply; trying to get dept attention to address regulation; can be put in xacml as long as there is vocabulary and ontology framework for the data.
Martin: law-oriented people are not well positioned for actually specifying these policies within IT environment.
Jan: have similar type problems: some profiles for web services access vs profiles that restrict attr-ids in certain use cases; rules are generic mechanism to define a profile thru xacml rules; prevents "explosion" of rules, i.e. having rules about rules. How to use xacml to control how rules and attr-ids can be used.
Sridhar: how do you config policies to enforce?
Hal: best practices; styles, templates; xacml-users email intended to be focal point at the level. No reqt that all work done in xacml tc; for example ogc stds do not need to get pulled into xacml tc, as long as it is well known what process is.
Martin: person ontology; need awareness of how policies impact individuals. Policies tell you attrs and markup that you need.
Hal: tc can serve as focal point being repository of info.
John: doesn't expect agencies to start writing policies in near term. For a while at least some prototyping appls for particular use cases. Current profiles are still too general (hier, multiple); need strategy for new profiles to scope use case verticals.
Jan: generic mechanisms to get profile; we could have another conf to pull people together to get to next level.
Hal: workshop like in openliberty?
Nao: tc needs involvement in some nature.
Hal: defining xacml for industry specific context don't need the tc; xspa started by founding their own tc. No tech people from tech vendors joined tc, because of IP conditions.
John: comments emailed. Some post 3.0 topics:
- Maturation and expansion of AzAPI
- XACML for non-XML/non-web resources: non-XML files, databases, structured data, filesystems, etc.
- Additional profile templates: resource profiles for new types of resources (such as Hierarchical, Multi, ODF Document Controls), attribute collection profiles (EC-US, IPC, XSPA as examples) for vertical industries or common use cases
- Resource tagging standardization effort
- Higher-order language for policy authoring
Hal: idea from 2002: define specific profiles of xacml that let you emulate domains, express domains in xacml, ability to analyze things; windows intf could leave same and change info to be in xacml form.
Paul: not sure what profile would look like for that, but have done profiles to distinguish native vs enterprise representations.
Jan: ex. express policy in grant statements then express in xacml?
Hal: move to env where policies expressed in xacml.
Nao: in future appls become peps themselves, don't worry about making peps anymore; great first step what hal suggested.
John: second hal on way to help preload policy authority if able to survey existing policy env.
Martin: lot of bad policy out there; tools available: group membership, etc. not relevant to what actual policies need to be according to laws and regulation. To gather data on people end up w big database about people that is not particularly usable. Dysfunctional: don't have info.
Hal: policy may not be best model; always a compromise about what info is processed by policy; validity of data for example would be prereq to use in policy.
Martin: sees it stated that az protection is local; thinks that's wrong and there are broad uses if data was available and reliable.
Hal: Final comments:
John: model based security paradigm: higher order authoring level that doesn't require xacml knowledge.
Erik: future consideration: stateful policies.
Sridhar: can write policy that includes state attrs as consideration.
Jan: already there: model state in category env.
Erik: dynamically changing due date.
Hal: that and ? were discussed at workshop; certain kinds of reqts can be reached w certain constraints, ex. single point of failure reqd for separation of control; inherently needs to be one point in network that "knows".
Nao: how to make it easy to use xacml: azapi from rich, hi level lang from john, others from hal.

Afternoon session day 3:

David Chadwick issue:
Hal: propose: not change core schema; change saml profile to put any at end and pep returns indeterminate; lax or strict schema checking; lax, strict, skip. Proposal is to put in XACML-3.0-cd-1.updated-2009-May-07\XSD\xacml-3.0-profile-saml2.0-v2-schema-protocol-cd1.xsd.
Just in time policies that arrive just in time for current request; as long as there is chain of admin policies that the policy is ok. Basically, policies provided must be understood one way or another to determine if relevant, and if can't be read, then pdp doesn't know what it is and must reject the request.

2:30 wrap-up discussions:
Erik/Hal: Not allowed to list non-members on spec, even if past members; Hal will look into specifics.
Hal: can state intention to update refs w pending url finalization, for example.
Hal: metadata w identifiers for conformance clauses; ex. profiles have 1-5 conformance clauses.
Hal/Erik: consider conformance wrt conformance tests we have. In principle, system must conform w all the MUSTs; identifiers: we will have a small number for each spec. Test cases are now in oasis; fix section 10.2 w ref.
Hal: suggests leaving things pretty much as is.
Hal: before submission need to have 3 organizational oasis members attest to having used the spec w some sort of implementation.

Meeting/F2F adjourned 3:33PM PT ************************!