Subject: Minutes for 31 March 2016 TC Meeting
*** Special meeting w Guest Speaker, Bill Fisher, from NCCoE ***
Note: the planned discussion topics related to this presentation will be continued @ next tc mtg on Apr 14.

Time: 4:30 PM EDT (-0400 GMT)
Tel: 1-712-775-7031
Access Code: 620-103-760

Minutes for 31 March 2016 TC Meeting

I. Roll Call & Minutes

Voting Members
  Mohammad Jafari    Veterans Health Administration
  Steven Legg        ViewDS Identity Solutions
  Rich Levinson      Oracle
  Hal Lockhart       Oracle
  Martin Smith       Individual
  John Tolbert       Queralt, Inc.

Voting Members: 6 of 9 (67%) (used for quorum calculation)

Members
  David Brossard     Axiomatics
  John Davis         Veterans Health Administration
  Gerry Gebel        Axiomatics
  Crystal Hayes      The Boeing Company

Guests
  Bill Fisher        NCCoE (NIST)
  Sudhi Umarji       NCCoE (NIST)
  special presentation and discussion: National Cybersecurity Center of Excellence

Approve Minutes 17 March 2016
  https://lists.oasis-open.org/archives/xacml/201603/msg00006.html
  hal: approved unanimously, no objections heard

II. Administrivia

Guest Speaker from NCCoE for Thursday's meeting
https://lists.oasis-open.org/archives/xacml/201603/msg00007.html

This meeting, Thursday, March 31 was dedicated to a presentation by Bill Fisher of the National Cybersecurity Center of Excellence, followed by discussion. In addition to answering any questions, Bill would like our input on what the NCCoE should be doing in regard to XACML and ABAC. (This item can be picked up as a continuation next mtg)

Below are notes I took during pres/mtg: mostly focused on items not directly, or only partially, included in the slides

Bill Fisher presentation on gotomeeting:
webex pres: https://global.gotomeeting.com/join/233296133
link to actual presentation document on oasis (need oasis member creds to access):
https://www.oasis-open.org/apps/org/workgroup/xacml/download.php/57854/NCCoE%20OASIS%20TC%20Presentation.pptx

ACD: Applied Cyber-security Division
800 series docs produced by other division, ACD demo's solns using those specifications
looking at private sector security issues and practices
use case project: in collaboration w us economic sector vertical, ex. financial sector - specific use cases
building block project: driven by technology, not a specific sector necessarily; 65% soln; 35% custom;
described overall project process: collaborating w contributors, etc.
actually build the project in the NCCoE lab w the contributors
5 howto guides have been published: all in draft version
it-health and energy guides close to finalization
Personal Identity Verification smart cards PIV (govt uses, and has x509 cert on device);
how to leverage piv cards w mobile? using derived creds; 800-157 has overview of soln:
hal: tc provided feedback on abac discussion
bill: cisco device-attrs that can be pulled for attr-based policy decisions
internal debating whether to put out for more comments
looking @ 2nd build w different architecture compared to existing impl.
doing mkt research on what tech is available:
additional barriers for adoption; policy creation; access strategies: risk relevant attrs
martin: federation of attrs;
bill: 1st build is "attr federation": all env attrs from idp, can have multiple attr providers, then federate them
identity federation and abac together because it had been recommended;
looking at issues w cloud providers; not seen swaas that allows external using cloud security brokers: also haven't seen "abac + big data"
questions about integration w bigdatabases
1st build abac + identity fed
2nd builds: not committing to fed again.
rich: so basically going to do abac w/o fed (single security domain), and analyze w/o additional complexity from federation, which is essentially an "after the fact integration of attrs" from different security domains.
hal: time to get on to additional discussion items: either extend mtg or continue @ next xacml tc mtg;
martin: scoped question: reference impl to use for partner endpoint testing? is that kind of thing NCCoE can do?
bill: probably not, because the charter of the org is to put together ref impls, but not commit to standing those up as integration/certification modules;
hal: forgerock has opensource, also apache is in process of doing OpenAz
sudhi: conformance testing facilities?
hal: currently very limited in xacml; there is conformance test suite, but primarily been used by pdp implementers as opposed to user-oriented
hal: discussion will continue next mtg: apr 14

meeting adjourned: 5:37 PM EDT

Possible post-presentation discussion topics For Thursday:

  Broader Technology Participation in NCCoE: hal
    https://lists.oasis-open.org/archives/xacml/201603/msg00008.html
  The Attribute Problem
    https://lists.oasis-open.org/archives/xacml/201603/msg00009.html
  ABAC Performance
    https://lists.oasis-open.org/archives/xacml/201603/msg00010.html
  Policy Authoring
    https://lists.oasis-open.org/archives/xacml/201603/msg00014.html
    https://lists.oasis-open.org/archives/xacml/201603/msg00012.html
    https://lists.oasis-open.org/archives/xacml/201603/msg00011.html
  Policy Audit
    https://lists.oasis-open.org/archives/xacml/201603/msg00013.html
  XACML and OAuth
    https://lists.oasis-open.org/archives/xacml/201603/msg00015.html
  ABAC and big data
    https://lists.oasis-open.org/archives/xacml/201603/msg00017.html
    https://lists.oasis-open.org/archives/xacml/201603/msg00016.html

III. Issues

Potential topics for introductory articles about XACML (discussed @last mtg: list of topics is attached to the email)
https://lists.oasis-open.org/archives/xacml/201603/msg00004.html