Minutes 11 June 2015 TC Meeting

[Bill Parducci <bill@parducci.net>]

Minutes of XACML TC Meeting 28 May 2015

I. Roll Call
  Attendees
   Crystal Hayes
   Richard Hill
   Steven Legg
   Rich Levinson
   Hal Lockhart (Co-Chair)
   Bill Parducci (Co-Chair)
   Remon Sinnema
   Martin Smith
   John Tolbert

  Quorum achieved (90% per Kavi)

  Approval of Minutes
   Vote on approval of 28 May 2015 TC meeting minutes
   APPROVED: UNANIMOUS CONSENT

II. Administrivia
  New OASIS Discussion List: IAM Framework TC
   Hal:
    [Provided a review of  discussion list mechanics.] In this case it centers 
    on exploring consistent Identity Management across implementations.
   Rich:
    In reading the email I was not available to get a good feel for the topic,
    however I was able to find some archived documents that provided a good
    overview.
   Martin:
    There is a list archive active now with comments and attachments that have
    draft submissions as well as a summary from the original conference call. 
   John:
    This seems like a great way to encourage the adoption of ABAC based
    security.
  Martin:
    There are a numbers of levels of complexity associated with a variety of
    business use cases. The goal is to provide a framework by which potential
    users can map the appropriate solution onto their needs, thereby lowering
    perceived risk to implementation.
   Hal:
    There are ways to handle this now technically, however there are many ideas
    being introduced constantly so it seems like this effort should carefully
    consider its boundaries early on to avoid being too ambitious.
   Richard:
    What are the planned next steps?
   Martin:
    Probably have a second conference call to review the next draft proposal.
    Timing information will be posted to the discussion list. I will ask Oasis 
    (Chet) if a broader announcement is possible.

  XACML v3.0 Related and Nested Entities Profile Version 1.0
   Hal:
    Steven has posted an updated version. Per the note these are editorial only.
   Steven:
    There is an issue with Attribute functionality that is not addressed in the
    Core specification regarding how responses are handled when the
    AttributeCategory has no element matching the request. There are two
    possible solutions: return NULL or bulle up an Indeterminate. I will send an
    email to the list to initiate discussion on how to handle this.
   Hal:
    Historically we do what the Xpath spec says and XACML proceeds from there. 
   Steven:
    In this case we reach this before the XPath expression is invoked.
   Martin:
    I reviewed this and was wondering where does the data come from?
   Steven:
    This would be issued from the PIP. In practical terms, this is likely some
    sort of database. 
   Martin:
    Yes, but in real terms the PIP is a virtual construct. Have you considered 
    how to explicitly collect the data?
   Hal:
    This is a common issue, not limited to this Profile.
   Martin:
    Right. Practically speaking this would come from corporate directory of some
    sort, etc.
   Hal:
    In the OpenAZ project we have discussed the sources of Attribute Retreiver
    and the list has been quite short. LDAP, ActiveDirectory, etc. however how 
    this is dealt with consistently is still very much in flux.
   Rich:
    The scope of Attributes realistically is defined by the Policies. The
    information source is logically determined a priori to Policy editing being
    made available.
   Martin:
    Agree. I was wondering if there were some common assumptions made in this
    area.
   Revised version posted:
    https://lists.oasis-open.org/archives/xacml/201506/msg00001.html
   Description of chgs to the new version:
    https://lists.oasis-open.org/archives/xacml/201506/msg00002.html

III. Issues
  No new issues introduced on list