PRELIMINARY FIRST HALF: Minutes: 20010718 F2F #1

["Simon Y. Blackwell" <sblackwell@psoom.com>]

Well folks I'm 2.5 hours in to "formatting" the F2F notes ... I hope to
complete the rest today ... but just so you don't think I'm a laggard, I
figured I'd post what I've got.

Minutes of the XACML Face To Face, July 18th, 2001
Sofitel San Fransisco Bay, Redwood City, California, USA

Summary

Upon query at close most participants were of the opinion the meeting was
productive. The relationship of XACML to digital rights management came up
several times. Use case discussions regarding health care and ebXML were
fruitful, but more work is needed. The importance of distingushing between
"roles" and "groups" was uncovered. After a brief discussion of TREX, there
was a binding vote to use the W3C XML Schema specification for the
specification of XACML. The domain model was discussed in detail. The
importance of "meta policy" to ensure predictable policy behavior across
vendors was uncovered. The importance of a glossary and well defined terms
was evident most of the day, e.g. the general use of the term "query" can
result in confusion since there is a distinction between "querying for an
access decision" and "querying for a policy specification". Clarification of
scope for XACML v1.0 was pursued along with the creation of a calendar of
deliverables and meeting agendas, i.e. August 1st use case submission,
August 9th use case discussion, August 23rd policy model discussion,
September 9th policy model proposals. These were pushed out for vote during
the July 26th conference call due to lack of a quorum in the afternoon.

Raw minutes as authored by Ken Yagen and Gilbert Pilz can be found at
http://lists.oasis-open.org/archives/xacml/200107/msg00033.html.

Action Items

Post MPEG links to list - Dave Parrott (done by Thomas Hardjono)
Explore OASIS/MPEG or ISO co-operation - Simon Blackwell
Start list thread on roles vs. groups - Simon Blackwell (done)
Advise TREX TC of W3C Schema vs TREX decision - Simon Blackwell
Post presentations to list - Dave Parrott, Fred Modes, Suresh Damodaran,
Pierangela Samarati (done)
Discuss calendar on July 26th conference call - All (done)

Details

09:00 Roll Call (Ken Yagen)

9 Voting Members Present 
Ken Yagen, Crosslogix 
Fred Moses, Entitlenet 
Joe Pato, HP (Late)
Gilbert Pilz, Jamcracker 
Jeff Hodges, Oblix 
Simon Blackwell, Psoom
Bill Parducci, Self 
Suresh Damodaran, SterlingCommerce 
Philip Hallam-Baker, Verisign 
Tim Moses, Entrust 

3 Voting Members Via Phone 
Carlisle Adams, Entrust (Voting as of this meeting)
David Parrott, Reuters 
Michiharu Kudoh, IBM

Probationary Members Present
Sandilya Garimella, BEA 
Pierangela Samarati, U.Milan

Observers 
Gary Ellison, Sun Microsystems 
Mohnish Harisiganey, Crosslogix 
Simon Godik, Crosslogix 
Mingde Xu, Crosslogix 
Frank Chum, Psoom 
Merlin Hughes, Baltimore 
 
09:05 Opening Remarks and Agenda Review (Simon Blackwell)

Thanks to Crosslogix (Note: it's cheaper to sponsor than it is to fly to
Texas).
 
Meeting counts towards membership, but not against. Probationary members
meeting membership requirements as a result of attendance today can vote.
Hence, we have a quorum.

09:00-09:15   Roll call & welcome (Simon Blackwell)
09:15-10:00   Reuter's Requirements For DRM (Dave Parrott)
10:00-10:45   Health Care Use Cases (Fred Moses)
10:45-11:00   Break
11:00-11:45   DRM Use Cases (Philip Hallam-Baker/Thomas Hardjono)
11:45-12:30   ebXML Use Cases (Suresh Damodaran)
12:30-13:30   Un-hosted lunch
13:30-14:15   Use Case Session 4 (Open)
14:15-15:00   Domain Model (Gilbert Pilz)
15:00-15:15   Break
15:15-16:00   Entrust Preliminary Proposal (Tim Moses)
16:00-16:45   TBD (Pierangela Samarati), XACL (Michiharu Kudo)
16:45-17:00   Closing Remarks

Agenda accepted with no changes

9:10  Report on Reuter's Requirements For DRM (Dave Parrott)

MPEG-21 is standardizing content protection mechanisms. See Reuter's
Requirements in the document respository
http://www.oasis-open.org/committees/xacml/docs/response-v1.0-public.doc and
the presentation in the list archives
http://lists.oasis-open.org/archives/xacml/200107/msg00026.html.

Dave Parrott clarified "obligations" as a result of questions. "Obligations"
are conditions on access. They may be the set of circumstances required to
allow access or the set of circumstances required post access, e.g. You must
include my branding info when you display this data. "Obligations" imply no
sense of temporal ordering. Obligations could have been distinguished by
name between pre-conditions that must be satisfied to obtain access and
post-conditions that must be satisfied after access has been granted, but
they weren't.
esented, "Obligations" imply no sense of temporal ordering.
 
A general discussion of the nature of MPEG ensued. MPEG-21s boundaries like
that of other work, e.g. XKMS, are not yet well defined. MPEG is part of ISO
so their activities are bounded by ISO. It is very formal and very active.
It meets four times per year, plus has a large number of ad hoc meetings.
Currently there is MPEG-4, MPEG-7, and MPEG-21. Requirements are solicited
from the members, a request for proposal is released and final features are
cherry picked. No formal membership relationship between MPEG and OASIS due
to ISO membership requirements.

This was folled by a discussion of how to co-operate with MPEG. It was
suggested we submit XACML for consideration as part of the standard. Some
general uneasniess was expressed due to the size and formal nature of MPEG.
Simon Blackwell said he would pursue how OASIS can co-operate with ISO/MPEG
through OASIS management. Dave Parrott said he would post to the list links
to MPEG-21 requirements when they are officially published.

A discussion of whether or not DRM is in scope ensued and was tabled in the
interest of time.

10:04 Health Care Use Cases (Fred Moses)

Slides available at
http://lists.oasis-open.org/archives/xacml/200107/msg00050.html. (The link
in the document archives is currently broken).

Simon Blackwell made a point about how important medical work is. The Health
Insurance Portability And Accountability Act has a lot of security
provisions and is estimated to cause a $25,000,000,000 re-write of existing
systems.

A general discussion ensued regarding the "broken" nature of HL7s current
security. This included discussion of the need for/problems with global
identifiers. P3P also came up. Simon Blackwell pointed out that P3P is about
publishers saying what they will do with information that is collected, it
is not about enforcement of data subject preferences after data is
collected.

Discusion with respect to specific slides led to these further comments:

- The fact that the HIV test occurred at all, not just its result, is a
piece of information that needs to be protected.
- The frequency and type of authorization attempts is information that needs
to be captured and monitored.
- The European Privacy guide speaks a lot about intent. Its not simply a
matter of what you did, but what you intended to do.  
(Post Meeting Notes Enhancement: See
http://sansone.crema.unimi.it/~samarati/Papers/sec01.ps in which Pierangela
Samarati discusses the issue of intent.)
- Unless rules follow the data when the restrictions are overridden there is
no way for the entity that obtained the data to comply with the
restrictions. This brings us back to work that has been done in the DRM
space.

A broader discussion about whether "overrides" should be handled with the
Authorization Model or whether they should be considered to be out-of-band
and not covered in the Authorization Model ensued. Gilber Pilz pointed out
that overrides are just "higher order" rules that contain exceptions that
reference other rules.

Bill Parducci asked if we need to worry about nested sub-access schemes
where, for instance, the billing personnel have access to one level of
information and they, in turn, grant rights to the mailing personnel for an
even smaller subset of the information. Simon Blackwell pointed out this
brings us back to the DRM space again with the "re-publish rights" problem.

This lead to discussion of whether we specify the kinds of rights and types
of contexts parameters available or do we leave this open. Consensus
appeared to be that we layer our specification and provide some general
common set of rights but provide for its extension. SAML is doing something
similar with URIs.

10:48 AM Break 

11:04 AM Health Care Use Cases (continued)

A brief discussion of how to co-ordinate with HL7 ensued with no definitive
result. Anyone can join HL7 and they have a very active security contingent.

11:07 DRM Use Cases (Philip Hallam-Baker)

Philip Hallam-Baker was not prepared to discuss this topic as a result of a
communication error on the part of the chair, Simon Blackwell, prior to the
meeting. He did comment that "DRM is completely wrong. Instead of trying to
protect content they should concentrate on payment." A brief discussion of
the concept "DRM" ensued, wherein it was pointed out that Reuter's also
finds the term somewhat misleading since it should be be called "digital
rights enforcement."

11:09 AM ebXML Use Cases (Suresh Damodaran)

There were not slides. A document was circulated and is now available in the
repository at
http://www.oasis-open.org/committees/xacml/docs/Registry-Usecase-report.doc.

Gilbert Pilz asked for clarification on the difference between Role and
Group. Several opinions were voiced. 
Roles are attributes of a Principal. Groups are collections of Principals
(Suresh). There is no real semantic distinction between Roles and Groups
(Phillip Hallam-Baker). Groups are sets of users. Roles are sets of
privileges. Roles can be activiated dynamically. A user can choose to take
on a Role whereas they cannot choose to be or not be a member of a Group
(Pierangela Samarati). There was agreement to continue the discussion on the
list and ensure that we remain consistent with SAML.

Gilber Pilz asked "How do you know whether a particular method requires
"read" or "write" access/permission?" Suresh Damodaran responded that "read"
means the "read method", "write" means the "write method". This presupposes
that all objects implement methods called "read" and "write". This evolved
into a somewhat confusing discussion that resulted from a lack of
distinction in language between what ebXML supports for providing access
controls on adding, modifying, or deleting entries in the registry versus
access control on the execution of processes defined by entries in the
registry. Gilbert Pilz pointed out that CORBA solves the later by providing
another level of indirection that relates the rights required to execute a
given method. However, it became clear that the use cases under discussion
relate to the former, i.e. access control on using the registry itself.

Philip Hallam-Baker pointed out the need for an administration used case,
i.e. how does one administer policies. This resulted in a discussion of
"policies about policy access". Gilbert Pilze pointed out this could create
an infinite recursion. Consensus was reached that some "root" access control
policy needs to be defined to prevent this. Suresh Damodaran pointed out
this is part of the means by which ebXML registries can boostrap themselves.

12:03 PM  Agenda Bashing (Simon Blackwell)

Jeff Hodges: Wishes to talk about RFC 3060. 
Sandilya: How does XACML apply to Web Services? 
Phil: Two questions: Will XACML be specified as a Web Service? Can XACML be
used to protect Web Services? 
Tim Moses: At some point we have to get down to the specifics about the work
to be done. 
Simon: I had hoped the sub-committees would self-define this work. However,
this has not happened, so we should start to define the work items. 

A comment by Simon Blackwell "How does our work relate to the other work at
OASIS? TREX et. al. We will have to decide about how we wish to represent
our schema, DTD's, TREX, XML Schema," lead to a short discussion regarding
this topic. It was pointed ou that SAML uses W3C XML Schema and Trex is no
where near a standard yet. After this there was a vote that carried with no
abstentions or objections to adopt the W3C XML Schema specification for
XACML use. Simon Blackwell said he would notify the TREX TC.

Suresh: Would like to discuss RFC 2906. 
Suresh: Would like to go over the use cases and see if we can pull out any
common themes. 

12:20 PM Lunch