Re: [xacml] Minutes for 7 February 2013 TC Meeting - updated

[David Brossard <david.brossard@axiomatics.com>]

Dear all,

Apologies for missing this meeting. It skipped my mind and by the time I remember it was well too late.

Re. the JSON profile, Steven, I wasn't aware of the ID issue. I got your note re. arrays and that was that. Did I miss another email?

On Fri, Feb 8, 2013 at 12:41 AM, rich levinson <rich.levinson@oracle.com> wrote:

Minutes for 7 February 2013 TC Meeting - updated
 (added link below to ref material on the NIST site
  that describes the Policy Machine in more detail)

Time: 15:00 ET (GMT-0500)
Tel: 513-241-0892
Access Code: 65998

I. Roll Call

Voting Members:
Richard Hill    The Boeing Company
Mohammad Jafari Veterans Health Administration
Steven Legg     ViewDS
Rich Levinson   Oracle
Hal Lockhart    Oracle
Bill Parducci   Individual
Erik Rissanen   Axiomatics
John Tolbert    The Boeing Company

Members:
Robert van Herk Connectis


 Approve Minutes:
  24 January 2013 TC Meeting
  https://lists.oasis-open.org/archives/xacml/201301/msg00030.html

        hal: minutes approved, no obj

II. Adminstrivia

 Conformance Tests v3.0
  https://lists.oasis-open.org/archives/xacml/201301/msg00025.html

    john: email contains a chart for conformance compliance; looking
        for vendors to fill out the yes/no's as to whether support
        is available for the features represented as list of the
        xml elements in the xacml core spec plus a list of the combining
        algorithms in the core spec.

 XACML REST Profile WD-07 uploaded, request for Vote
  https://lists.oasis-open.org/archives/xacml/201301/msg00028.html
  https://lists.oasis-open.org/archives/xacml/201302/msg00006.html

        15 day public review
          john moves
          richard h seconds
          no obj to unanimous

 XACML XSPA Profile WD-01 request for Vote
  https://www.oasis-open.org/apps/org/workgroup/xacml/download.php/47685/Proposed%20draft%20for%20XSPA-XACML%20Obligations%20Profile%20Draft_0.1.doc

   hal: is it 2.0 or 3.0
   mohammad: will require schema support for 3.0, so 2.0 at present
   hal: some other issues on front page
   mohammad: will look at these issues;
   hal: vote deferred until new draft or issues closed; hal will email comments

 XACML v3.0 Published
  https://lists.oasis-open.org/archives/xacml/201301/msg00036.html

   hal: official notification that 3.0 is now published OASIS Standard (OS)
        the email has URLs for obtaining the specs;
   hal: will contact abbie barbir for itut

 XACML Combining Algorithm Profile WD-03 status update:
  30 day Public Review has begun
  https://lists.oasis-open.org/archives/xacml/201301/msg00031.html

  hal: both EC-US and IPC are in 15d pub rev;
        comments? none so far

 XACML EC-US status update:
  15 day Public Review
  https://lists.oasis-open.org/archives/xacml/201302/msg00001.html
 XACML IPC status update:
  15 day Public Review
  https://lists.oasis-open.org/archives/xacml/201302/msg00002.html

  hal: Combining Algorithm Profile WD-03 is in 30d pub rev;
        comments? none so far

 XACML JSON Profile WD-11 uploaded
  https://lists.oasis-open.org/archives/xacml/201302/msg00009.html

   new wd for json profile; wd10->wd11 based on stephen input
   erik attr assign in obl optional
   hal: should look at:

 Policy Machine reference
  The Policy Machine - email ref from prateek mishra

        hal: you have to "buy" specification; anyone know more?
         no replies
        rich: I just checked the site, and there are quite a few direct
         refs to material (free) describing the PM:
          http://csrc.nist.gov/pm/references-library.html

 XACML RSA demo:
   john: boeing ready for tagging part
        stephen posted link
        have been working w nextlabs
        still not all people that are needed
   hal: boeing, oracle, uds, nextlabs were only ones on this wk's call
        only 2 more calls before interop - please send people to
        call so info is rcvd
   hal: oasis will make banner; kmip also put up a banner, company
        logo's connected in box w chains around it. Last year we
        showed components but not logos; open to suggestions to
        give to oasis by next wed.
   hal: slide deck from last yr needs some updates but should be usable;
        respond to email

III. Issues

 JSON Profile
  https://lists.oasis-open.org/archives/xacml/201302/msg00010.html

   stephen: has minor chgs plus one thing on id's but has not heard
         from david yet

 Attributes of Relations
  https://lists.oasis-open.org/archives/xacml/201301/msg00024.html

    hal: should we tackle these 2 issues
    erik: think we are converging on something; perf concern about
        large sets of tuples, stephen said could optimize by
        processing subsets; concern that xacml might be translatable
        to db searches;
    stephen: what should extensions actually look like, mohammad came
        up w sql-like approach; in condition implicitly selects, and
        need diff syntax for joins;
    mohammad: thinks a simple join will work
    stephen: tuple sets soon has duplication within nested context;
        because of that abandoned nested;
    rich: wants to mention that sql not a good representation, should
        be more like attr-val-entity;
    stephen: agrees in general
    mohammad: agrees but when tried to extend hier ran into issues and
        thats when sql emerged.
    rich: will try to elaborate in followup email

 Policy Labeling
  https://lists.oasis-open.org/archives/xacml/201301/msg00022.html

   stephen: still looking into alternatives to admin approach; practical
        necessity to dup admin policies nearly everywhere there is issue
        wrt unsafe policies being integrated w admin policies; reduction
        graphs lead to some perf issues
   erik: fwd chaining doesn't have same problem; top down recursive
        could limit intermediate delegates;
        also issue w np-complete;
   stephen: hasn't found way to deal w malicious policy;
   hal: in old days disc about detecting invalid policies;
   hal: recollection of use cases; large ratio between general pop
         vs admin people; maybe that helps;
   rich: what is issue of ctl
   stephen: sibling admin policy; writer of admin has to anticipate
        places where delegates will be extending, and making
        sure delegates have right authority; only sibling within
        same policy set.
   hal: as opposed to putting admins high in the tree;
   stephen: but hi in tree can't authorize things lower in the tree;
   stephen: one interesting use case is discretionary access ctl, such
        as every owner of resource is authorized, so they can write
        policies for their own resources;
   hal: "can do, can del" was intended to address that; if you are allowed
        to do it, you can delegate it as a policy; originally was in
        admin profile but we moved it to core.
        "can do, can del" is popular access model, implicitly mentioned
        in sections 2.7, 2.9 of core spec.

 Other business:

  hal: next call in 2 weeks 21-Feb-2013

  meeting/call adjourned: 3:51PM 7-Feb-2013




---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

--
David Brossard, M.Eng, SCEA, CSTP
Product Manager
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics