Subject: Minutes for 9 September 2010 TC Meeting
Minutes for 9 September 2010 TC Meeting:

Time: 13:00 EDT
Tel: 513-241-0892
Access Code: 65998

13:00 - 13:05 Roll Call & Approve Minutes from prev mtg:

Roll Call:

Voting Members:
  Erik Rissanen        Axiomatics AB
  Paul Tyson           Bell Helicopter Textron Inc.
  Gareth Richards      EMC Corporation
  Naomaru Itoi         NextLabs, Inc.
  Dilli Arumugam       Oracle Corporation
  Rich Levinson        Oracle Corporation
  Hal Lockhart         Oracle Corporation
  John Tolbert         The Boeing Company
  John Davis           Veterans Health Administration
  David Staggs         Veterans Health Administration

Members:
  Sridhar Muppidi      IBM
  Jan Herrmann         Individual
  Duane DeCouteau      Veterans Health Administration

Have quorum based on voting members.

Approve Minutes: 12 Aug 2010 TC Meeting:
  http://lists.oasis-open.org/archives/xacml/201008/msg00006.html
  approved, no objection

13:05-13:10 Administrivia:

Identity Management 2010
Worldwide Identity Solutions for Online Security, Privacy and Trust
27-28 September, Washington, DC USA
http://events.oasis-open.org/home/IDM/2010
see emails:
  http://lists.oasis-open.org/archives/xacml/201008/msg00007.html
  http://lists.oasis-open.org/archives/xacml/201009/msg00000.html
noted.

13:10-14:00 XACML v3 Status:

Next steps: All 8 specs are CS; we were going to check that TC-Admin did the necessary updates.
To move to OASIS Specification we need 3 members to confirm they are using the specs in conformance w the clauses in each spec.
- the core and profiles can proceed independently in general, assuming no dependencies.
noted.

Export and IPC specs: TC Admin issues were addressed, ballots were issued:
Both ballots approved the doc as a Committee Specification; vote on each was: 9-0-0
noted.

New Issues:

A paper about extending XACML to specify quantified risk adaptive access control
  http://lists.oasis-open.org/archives/xacml/201008/msg00008.html
Is there a proposal for risk adaptive?
Hal: nothing has been explicitly proposed yet. But no reason why not.
John: been talking internally; conv last year w David Chadwick on break the glass; this paper is similar, can be done w XACML today.
Hal: something was proposed at NIST a year ago?
John: yes, that material has been ref'd.
Hal: profiling of attrs might be interesting, but a generalized scheme would not in and of itself accomplish much.

New issue from Jan: obligations satisfied by PEP?
Is there a reason why the core spec recommends/?constrains implementations such that obligations have to be fulfilled in the PEP and not in the ctx handler?
  http://lists.oasis-open.org/archives/xacml/201009/msg00002.html
Hal: obls have been described as an open-ended hook; in 2.0 we interlocked obls w granting access; in 3.0 we added advice to preserve the open-ended hook; the PEP has responsibility; the context handler (CH) is basically an integration/translation piece.
Jan: where statement; policy admin has knowledge different from intercepted format ...
Hal: this is described in some of Jan's published work, and maybe we need a summary context description to use as a basis to discuss this at more length. Major arch distinction - cell phones, web services, ... environments matter.
Paul: arch fits into strict division of business rules. If Business Intelligence (BI) is in the rules ... There are a lot of things that could be handled by the CH. Obligations are more strict business logic.
Hal: thinks this choice might simply be an impl choice based on the specific environment, but need more info.
Paul: if the PEP can't do it in 3.0, fall back to bias.
Hal: maybe 3.0 could use advice instead. Also a profile on Obligation Families could still be used to address things of this nature.
Jan: will post some guidelines to the group to get some feedback.
Hal: not aware of any doc that defines obl identifiers.
Jan: will send email to group.
Mike: issue of obl interoperability; have had need to pass obls from one access ctl sys to another in an interoperable way.
Hal: obl essentially rep'd by an identifier; issue is when the identifier has semantic interoperable meaning.
Mike: just raising awareness, not explicitly proposing at this time.
Mike: in responding to reqForInfo, how that info should be used; from healthcare pov, patient places restrictions, etc.
Paul: enh in obl area should incorporate a std rule language in obl, which extends beyond "simple" list of attrs. Could set up svc to identify the rules etc.
Mike: along lines of proposing business case for
Hal: similar to Luxembourg mtg a year ago: sticky policy, that party accepting data accepted attached policy as well.
-> Hal: any reqts that people posted to list would help further this "issue" along.

Old Issues:

User is asking why: "'3.1 Nodes in an XML document' requiring that not only should one include a resource-id of type xpath-expression for the node that is the resource for the access decision but also its parent and all ancestors. Why is this required by the spec? Why is it necessary."
This should already be addressed in the 3.0 hier profile; should we consider updating the 2.0 hier profile w errata?
Hal: why the 2.0 hier profile requires redundant info has been cleaned up in 3.0; Errata for 2.0? No explicit process; impression is the 3.0 profile could be used w a 2.0 engine.
Erik: not exactly, because there are some defns for 3.0.
Hal: bottom line: errata won't fly.
Hal: did start an implementer's guide;
-> Rich: maybe can resurrect it. Will look into it.

WrapUp:
Next call in 2 weeks: Sep 23, same time, phone #
Meeting adjourned: 1:40PM
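The obligation-versus-advice distinction discussed under Jan's issue (obligations interlocked with granting access, advice as the optional open-ended hook, the PEP falling back to deny when it cannot fulfil an obligation) as an added Python example; this is not code from the minutes or from any TC deliverable, and the response documents, ObligationId/AdviceId values and handler are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# XACML 3.0 core namespace used by the TC's 3.0 specifications.
NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}

# Obligation handlers this hypothetical PEP knows how to fulfil.
# Any ObligationId not listed here is "not understood" by the PEP.
def _log_access(args, audit):
    audit.append("access logged for " + args.get("subject-id", "?"))
    return True

HANDLERS = {"urn:example:obligation:log-access": _log_access}  # constructed id

def _assignments(elem):
    """Collect AttributeAssignment children as {short attribute name: text}."""
    return {a.get("AttributeId").rsplit(":", 1)[-1]: a.text
            for a in elem.findall("x:AttributeAssignment", NS)}

def enforce(response_xml, audit=None):
    """Apply XACML 3.0 obligation semantics at the PEP: grant (True) only on
    Permit with every obligation fulfilled; an obligation the PEP cannot
    honour forces deny (the bias mentioned in the minutes); advice is optional."""
    audit = audit if audit is not None else []
    result = ET.fromstring(response_xml).find("x:Result", NS)
    if result.findtext("x:Decision", namespaces=NS) != "Permit":
        return False  # Deny / Indeterminate / NotApplicable: fail closed
    for ob in result.iterfind("x:Obligations/x:Obligation", NS):
        handler = HANDLERS.get(ob.get("ObligationId"))
        if handler is None or not handler(_assignments(ob), audit):
            audit.append("unfulfillable obligation %s: deny" % ob.get("ObligationId"))
            return False
    for adv in result.iterfind("x:AssociatedAdvice/x:Advice", NS):
        audit.append("advice %s noted, not binding" % adv.get("AdviceId"))
    return True

# Constructed Permit responses: one with an obligation this PEP implements,
# one with an obligation it does not, and one carrying only advice.
def permit_response(body):
    return ('<Response xmlns="%s"><Result><Decision>Permit</Decision>%s'
            '</Result></Response>' % (NS["x"], body))

ASSIGN = ('<AttributeAssignment AttributeId="urn:example:subject-id" '
          'DataType="http://www.w3.org/2001/XMLSchema#string">alice</AttributeAssignment>')
PERMIT_KNOWN_OB = permit_response('<Obligations><Obligation ObligationId='
    '"urn:example:obligation:log-access">%s</Obligation></Obligations>' % ASSIGN)
PERMIT_UNKNOWN_OB = permit_response('<Obligations><Obligation ObligationId='
    '"urn:example:obligation:purge-cache"/></Obligations>')
PERMIT_UNKNOWN_ADVICE = permit_response('<AssociatedAdvice><Advice AdviceId='
    '"urn:example:advice:notify-owner"/></AssociatedAdvice>')
```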