Subject: Minutes for 9 September 2010 TC Meeting


Minutes for 9 September 2010 TC Meeting:

Time: 13:00 EDT
Tel: 513-241-0892 Access Code: 65998

13:00 - 13:05 Roll Call & Approve Minutes from prev mtg:

Roll Call:

Voting Members:
Erik Rissanen    Axiomatics AB
Paul Tyson       Bell Helicopter Textron Inc.
Gareth Richards  EMC Corporation
Naomaru Itoi     NextLabs, Inc.
Dilli Arumugam   Oracle Corporation
Rich Levinson    Oracle Corporation
Hal Lockhart     Oracle Corporation
John Tolbert     The Boeing Company
John Davis       Veterans Health Administration
David Staggs     Veterans Health Administration

Members:
Sridhar Muppidi  IBM
Jan Herrmann     Individual
Duane DeCouteau  Veterans Health Administration

	have quorum based on voting members


Approve Minutes:
12 Aug 2010 TC Meeting:
  http://lists.oasis-open.org/archives/xacml/201008/msg00006.html

	approved no objection

13:05-13:10
Administrivia:

    Identity Management 2010
    Worldwide Identity Solutions for Online Security, Privacy and Trust
    27-28 September, Washington, DC  USA
    http://events.oasis-open.org/home/IDM/2010
 see emails:
  http://lists.oasis-open.org/archives/xacml/201008/msg00007.html
  http://lists.oasis-open.org/archives/xacml/201009/msg00000.html

	noted:

13:10-14:00

XACML v3 Status:
  Next steps:
     All 8 specs are CS, we were going to check that TC-Admin
	did the necessary updates.
     To move to OASIS Specification need 3 members to confirm 
	they are using specs in conformance w the clauses
	in each spec.
	 - the core and profiles can proceed independently in general,
	    assuming no dependencies.

	noted:


Export and IPC specs:
  TC Admin issues were addressed, ballots were issued:
	Both ballots approved doc as a Committee Specification:
		vote on each was: 9-0-0

	noted:


New Issues:
A paper about extending XACML to specify quantified risk adaptive access control
 http://lists.oasis-open.org/archives/xacml/201008/msg00008.html

    is there a proposal for risk adaptive?

    Hal: nothing has been explicitly proposed yet. But no
	reason why not.
    John: been talking internally, conv last year w David Chadwick on
	break the glass; this paper is similar, can be done w
	xacml today

    Hal: something was proposed at NIST a year ago?

    John: yes, that material has been ref'd

    Hal: profiling of attrs might be interesting, but a generalized
	scheme would not in and of itself accomplish much

 new issue from Jan: obligations satisfied by PEP?
Is there a reason why the core spec recommends/?constrains implementations
that obligations have to be fulfilled in the pep and not in the ctx handler.
  http://lists.oasis-open.org/archives/xacml/201009/msg00002.html

   Hal: obs have been described as open-ended hook; in 2.0 interlock
	obs w granting access; in 3.0 we added advice to preserve
	open-ended hook; pep has responsibility
	context handler (CH) is basically an integration translation piece;

   Jan: where statement; policy admin has knowledge different from
	intercepted format ...

   Hal: this is described in some of Jan's published work, and maybe
	we need a summary context description to use as basis to
	discuss this at more length

	major arch distinction - cell phones, web services, ... environments
	matter.

   Paul: arch fits into strict division of business rules. If Bus Intelligence
	(BI) is in the rules ... There are a lot of things that could
	be handled by CH. Obligations are more strict business logic;

   Hal: thinks this choice might simply be that an impl choice based
	on specific environment, but need more info.

   Paul: if pep can't do it in 3.0, fall back to bias.

   Hal: maybe 3.0 could use advice instead. Also profile on Obligation
	Families could still be used to address things of this nature.

   Jan: will post some guidelines to the group to get some feedback.

   Hal: not aware of any doc that defines obl identifiers.

   Jan: will send email to group

   Mike: issue of obl interoperability; have had need to pass obls
	from one access ctl sys to another in interoperable way.

   Hal: obl essentially rep'd by an identifier; issue is when the
	identifier has semantic interoperable meaning.

   Mike: just raising awareness, not explicitly proposing at this time.

   Mike: in responding to feqForInfo, how that info should be used;
	from healthcare point of view, patient places restrictions, etc.

   Paul: enh in obl area should incorporate std rule language in obl,
	which extends beyond "simple" list of attrs.
	could set up svc to identify the rules etc.

   Mike: along lines proposing business case for

   Hal: similar to luxembourg mtg year ago: sticky policy, that party
	accepting data accepted attached policy as well.

 -> Hal: any reqts that people posted to list would help further this
	"issue" along.


Old Issues
User is asking why:
 "'3.1 Nodes in an XML document' requiring that not only
   should one include a resource-id of type xpath-expression for the node
   that is the resource for the access decision but also its parent and
   all ancestors. Why is this required by the spec? Why is it necessary."

 This should already be addressed in 3.0 hier profile;
   should we consider updating the 2.0 hier profile w errata?

    Hal: why 2.0 hier profile requires redundant info, has been
	cleaned up in 3.0; Errata for 2.0? No explicit process
	impression is 3.0 profile could be used w 2.0 engine;
    Erik: not exactly because there are some defns for 3.0
    Hal: bottom line: errata won't fly
    Hal: did start an implementer's guide;
 ->  Rich: maybe can resurrect it. Will look into it


 WrapUp:

	Next call in 2 weeks: Sep 23, same time, phone #

	Meeting adjourned: 1:40PM




