Subject: Minutes of the XACML Face To Face, 2001-07-18
Here are the complete minutes. My thanks again to all that participated. Review these and you will see we covered a huge amount of ground for one day. I think we'll need two days for the next face-to-face. We missed some valuable stuff from Pierangela and Michiharu due to the time squeeze at the end.

-------------------------------------------------------------------------------

Minutes of the XACML Face To Face, July 18th, 2001
Sofitel San Francisco Bay, Redwood City, California, USA

Summary

Upon query at close, most participants were of the opinion the meeting was productive. The relationship of XACML to digital rights management came up several times. Use case discussions regarding health care and ebXML were fruitful, but more work is needed. The importance of distinguishing between "roles" and "groups" was uncovered. After a brief discussion of TREX, there was a binding vote to use the W3C XML Schema specification for the specification of XACML. The domain model was discussed in detail. The importance of "meta policy" to ensure predictable policy behavior across vendors was uncovered. The importance of a glossary and well-defined terms was evident most of the day, e.g. the general use of the term "query" can result in confusion since there is a distinction between "querying for an access decision" and "querying for a policy specification". Clarification of scope for XACML v1.0 was pursued along with the creation of a calendar of deliverables and meeting agendas, i.e. August 1st use case submission, August 9th use case discussion, August 23rd policy model discussion, September 9th policy model proposals. These were pushed out for vote during the July 26th conference call due to lack of a quorum in the afternoon. Discussion was also initiated regarding plans for the next face to face. Further discussion was scheduled for the next conference call.
Raw minutes as authored by Ken Yagen and Gilbert Pilz can be found at http://lists.oasis-open.org/archives/xacml/200107/msg00033.html.

Action Items

- Post MPEG links to list - Dave Parrott (done by Thomas Hardjono)
- Explore OASIS/MPEG or ISO co-operation - Simon Blackwell
- Start list thread on roles vs. groups - Simon Blackwell (done)
- Advise TREX TC of W3C Schema vs. TREX decision - Simon Blackwell
- Post presentations to list - Dave Parrott, Fred Moses, Suresh Damodaran, Pierangela Samarati (done)
- Post 3060 issues from co-author to list - Jeff Hodges
- Look into admin use cases - Suresh Damodaran and Gilbert Pilz
- Consolidate policy model info - Simon Blackwell (I have enlisted Ernesto to support me in this)
- Discuss calendar on July 26th conference call - All (done)

Details

09:00 Roll Call (Ken Yagen)

9 Voting Members Present
- Ken Yagen, Crosslogix
- Fred Moses, Entitlenet
- Joe Pato, HP (Late)
- Gilbert Pilz, Jamcracker
- Jeff Hodges, Oblix
- Simon Blackwell, Psoom
- Bill Parducci, Self
- Suresh Damodaran, SterlingCommerce
- Philip Hallam-Baker, Verisign
- Tim Moses, Entrust

3 Voting Members Via Phone
- Carlisle Adams, Entrust (Voting as of this meeting)
- David Parrott, Reuters
- Michiharu Kudoh, IBM

Probationary Members Present
- Sandilya Garimella, BEA
- Pierangela Samarati, U.Milan

Observers
- Gary Ellison, Sun Microsystems
- Mohnish Harisiganey, Crosslogix
- Simon Godik, Crosslogix
- Mingde Xu, Crosslogix
- Frank Chum, Psoom
- Merlin Hughes, Baltimore

09:05 Opening Remarks and Agenda Review (Simon Blackwell)

Thanks to Crosslogix (Note: it's cheaper to sponsor than it is to fly to Texas). Meeting counts towards membership, but not against. Probationary members meeting membership requirements as a result of attendance today can vote. Hence, we have a quorum.
09:00-09:15 Roll call & welcome (Simon Blackwell)
09:15-10:00 Reuters' Requirements For DRM (Dave Parrott)
10:00-10:45 Health Care Use Cases (Fred Moses)
10:45-11:00 Break
11:00-11:45 DRM Use Cases (Philip Hallam-Baker/Thomas Hardjono)
11:45-12:30 ebXML Use Cases (Suresh Damodaran)
12:30-13:30 Un-hosted lunch
13:30-14:15 Use Case Session 4 (Open)
14:15-15:00 Domain Model (Gilbert Pilz)
15:00-15:15 Break
15:15-16:00 Entrust Preliminary Proposal (Tim Moses)
16:00-16:45 TBD (Pierangela Samarati), XACL (Michiharu Kudo)
16:45-17:00 Closing Remarks

Agenda accepted with no changes.

09:10 Report on Reuters' Requirements For DRM (Dave Parrott)

MPEG-21 is standardizing content protection mechanisms. See Reuters' Requirements in the document repository at http://www.oasis-open.org/committees/xacml/docs/response-v1.0-public.doc and the presentation in the list archives at http://lists.oasis-open.org/archives/xacml/200107/msg00026.html.

Dave Parrott clarified "obligations" as a result of questions. "Obligations" are conditions on access. They may be the set of circumstances required to allow access or the set of circumstances required post access, e.g. you must include my branding info when you display this data. "Obligations" imply no sense of temporal ordering. Obligations could have been distinguished by name between pre-conditions that must be satisfied to obtain access and post-conditions that must be satisfied after access has been granted, but they weren't.

A general discussion of the nature of MPEG ensued. MPEG-21's boundaries, like those of other work, e.g. XKMS, are not yet well defined. MPEG is part of ISO so their activities are bounded by ISO. It is very formal and very active. It meets four times per year, plus has a large number of ad hoc meetings. Currently there are MPEG-4, MPEG-7, and MPEG-21. Requirements are solicited from the members, a request for proposal is released and final features are cherry picked.
There is no formal membership relationship between MPEG and OASIS due to ISO membership requirements. This was followed by a discussion of how to co-operate with MPEG. It was suggested we submit XACML for consideration as part of the standard. Some general uneasiness was expressed due to the size and formal nature of MPEG. Simon Blackwell said he would pursue how OASIS can co-operate with ISO/MPEG through OASIS management. Dave Parrott said he would post to the list links to MPEG-21 requirements when they are officially published. A discussion of whether or not DRM is in scope ensued and was tabled in the interest of time.

10:04 Health Care Use Cases (Fred Moses)

Slides are available at http://lists.oasis-open.org/archives/xacml/200107/msg00050.html. (The link in the document archives is currently broken.)

Simon Blackwell made a point about how important medical work is. The Health Insurance Portability And Accountability Act has a lot of security provisions and is estimated to cause a $25,000,000,000 re-write of existing systems. A general discussion ensued regarding the "broken" nature of HL7's current security. This included discussion of the need for, and problems with, global identifiers. P3P also came up. Simon Blackwell pointed out that P3P is about publishers saying what they will do with information that is collected; it is not about enforcement of data subject preferences after data is collected.

Discussion with respect to specific slides led to these further comments:
- The fact that the HIV test occurred at all, not just its result, is a piece of information that needs to be protected.
- The frequency and type of authorization attempts is information that needs to be captured and monitored.
- The European Privacy guide speaks a lot about intent. It's not simply a matter of what you did, but what you intended to do. (Post Meeting Notes Enhancement: See http://sansone.crema.unimi.it/~samarati/Papers/sec01.ps in which Pierangela Samarati discusses the issue of intent.)
- Unless rules follow the data when the restrictions are overridden, there is no way for the entity that obtained the data to comply with the restrictions. This brings us back to work that has been done in the DRM space.

A broader discussion ensued about whether "overrides" should be handled within the Authorization Model or whether they should be considered out-of-band and not covered by the Authorization Model. Gilbert Pilz pointed out that overrides are just "higher order" rules that contain exceptions that reference other rules. Bill Parducci asked if we need to worry about nested sub-access schemes where, for instance, the billing personnel have access to one level of information and they, in turn, grant rights to the mailing personnel for an even smaller subset of the information. Simon Blackwell pointed out this brings us back to the DRM space again with the "re-publish rights" problem. This led to discussion of whether we specify the kinds of rights and types of context parameters available or leave this open. Consensus appeared to be that we layer our specification and provide some general common set of rights but provide for its extension. SAML is doing something similar with URIs. Simon Blackwell also introduced the issue of intent, not just the role of a person: what do they intend to do? Although intent may be something that can't be effectively managed at a PEP, audit and logging info can be used for post actions.

10:48 Break

11:04 Health Care Use Cases (continued)

A brief discussion of how to co-ordinate with HL7 ensued with no definitive result. Anyone can join HL7 and they have a very active security contingent.

11:07 DRM Use Cases (Philip Hallam-Baker)

Philip Hallam-Baker was not prepared to discuss this topic as a result of a communication error on the part of the chair, Simon Blackwell, prior to the meeting. He did comment that "DRM is completely wrong. Instead of trying to protect content they should concentrate on payment."
A brief discussion of the concept "DRM" ensued, wherein it was pointed out that Reuters also finds the term somewhat misleading since it should be called "digital rights enforcement."

11:09 ebXML Use Cases (Suresh Damodaran)

There were no slides. A document was circulated and is now available in the repository at http://www.oasis-open.org/committees/xacml/docs/Registry-Usecase-report.doc.

Gilbert Pilz asked for clarification on the difference between Role and Group. Several opinions were voiced:
- Roles are attributes of a Principal. Groups are collections of Principals. (Suresh Damodaran)
- There is no real semantic distinction between Roles and Groups. (Philip Hallam-Baker)
- Groups are sets of users. Roles are sets of privileges. Roles can be activated dynamically. A user can choose to take on a Role whereas they cannot choose to be or not be a member of a Group. (Pierangela Samarati)
There was agreement to continue the discussion on the list and ensure that we remain consistent with SAML.

Gilbert Pilz asked "How do you know whether a particular method requires 'read' or 'write' access/permission?" Suresh Damodaran responded that "read" means the "read method" and "write" means the "write method". This presupposes that all objects implement methods called "read" and "write". This evolved into a somewhat confusing discussion that resulted from a lack of distinction in language between what ebXML supports for providing access controls on adding, modifying, or deleting entries in the registry versus access control on the execution of processes defined by entries in the registry. Gilbert Pilz pointed out that CORBA solves the latter by providing another level of indirection that relates the rights required to execute a given method. However, it became clear that the use cases under discussion relate to the former, i.e. access control on using the registry itself.

Philip Hallam-Baker pointed out the need for an administration use case, i.e. how does one administer policies?
This resulted in a discussion of "policies about policy access". Gilbert Pilz pointed out this could create an infinite recursion. Consensus was reached that some "root" access control policy needs to be defined to prevent this. Suresh Damodaran pointed out this is part of the means by which ebXML registries can bootstrap themselves.

12:03 Agenda Bashing (Simon Blackwell)

- Jeff Hodges: Wishes to talk about RFC 3060.
- Sandilya: How does XACML apply to Web Services?
- Phil: Two questions: Will XACML be specified as a Web Service? Can XACML be used to protect Web Services?
- Tim Moses: At some point we have to get down to the specifics about the work to be done.
- Simon: I had hoped the sub-committees would self-define this work. However, this has not happened, so we should start to define the work items.

A comment by Simon Blackwell, "How does our work relate to the other work at OASIS? TREX et al. We will have to decide about how we wish to represent our schema: DTDs, TREX, XML Schema," led to a short discussion regarding this topic. It was pointed out that SAML uses W3C XML Schema and TREX is nowhere near a standard yet. After this there was a vote, which carried with no abstentions or objections, to adopt the W3C XML Schema specification for XACML use. Simon Blackwell said he would notify the TREX TC.

- Suresh: Would like to discuss RFC 2906.
- Suresh: Would like to go over the use cases and see if we can pull out any common themes.

12:20 Lunch

13:45 Domain Model (Gilbert Pilz)

The current domain model is located at

Initial discussion focused on clarifying what is in or out of scope. Policy Information Point (Environment Authority) should be out of scope. Policy Retrieval Point may be in scope from a protocol perspective since it actually stores policies, e.g. stuff represented by XACML. PRP is defined in RFC 2904.

A separate topic of import, although more related directly to policy representation than to a domain model, came up.
Will SAML support more than a yes/no decision from a PDP? The current thought is that it will only support yes/no. This led to a more detailed discussion of the scope for XACML v1.0, i.e. should it be constrained to the definition of just a grammar? There seemed to be consensus that it should, but no vote could be taken due to lack of quorum in the afternoon.

Surrounding this was a discussion of querying a PDP that got quite confusing given different uses for the term "query". This was resolved when it was made clear that there are at least these two alternatives: "querying for an access decision" and "querying for a policy specification". The question also arose as to whether we should define a means to manipulate policies. Consensus was that existing tools, i.e. XPath, XSLT, are adequate.

Next, Simon Godik brought up the issue of determinism, i.e. the same set of policies interpreted by two vendor implementations may have different results. Although there was some initial disagreement about how to avoid this, consensus was that this needs to be avoided to promote interoperability and standards acceptance. An extended conversation about "meta policies" then ensued. Gilbert Pilz proposed slight modifications to the domain model that made explicit the concepts of evaluation engine and meta-policy. Jeff Hodges proposed that at a minimum we specify one meta-policy that is a must-implement part of the specification. He also pointed out that the Ponder language makes use of meta-policy. The conversation continued for some time with discussions about types of meta-policies and strategies for incorporating them into XACML. This led back to XACML v1.0 scope discussions. The chair had to call the conversation to a close in the interest of time since the meeting was now running late.
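To make concrete the determinism problem Simon Godik raised and the "one must-implement meta-policy" remedy Jeff Hodges proposed, here is a small added Python illustration. It is not code from these minutes, from the TC, or from any XACML draft: the rule names, attribute names, request values and the three meta-policy names (deny-overrides, permit-overrides, first-applicable) are this example's own assumptions, as is the choice of deny-overrides as the mandatory one.

```python
"""Constructed illustration (not from the TC minutes or any XACML draft) of why
the same rule set evaluated by two implementations can yield different access
decisions, and how naming one mandatory meta-policy makes the outcome
deterministic. Rule names, attribute names and request values are made up."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# A request is a flat bag of attributes the PEP hands to the PDP (constructed).
Request = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    """One access control rule: an effect plus an applicability predicate."""
    name: str
    effect: str                        # "Permit" or "Deny"
    applies: Callable[[Request], bool]


def applicable_effects(rules: List[Rule], request: Request) -> List[str]:
    """Effects of every rule that matches the request, in rule order."""
    return [r.effect for r in rules if r.applies(request)]


# Three plausible meta-policies (rule-combining strategies). The names are
# this example's own, not terms the TC agreed on.
def deny_overrides(effects: List[str]) -> str:
    if not effects:
        return "NotApplicable"
    return "Deny" if "Deny" in effects else "Permit"


def permit_overrides(effects: List[str]) -> str:
    if not effects:
        return "NotApplicable"
    return "Permit" if "Permit" in effects else "Deny"


def first_applicable(effects: List[str]) -> str:
    # Depends on rule ordering, so two engines that load the same policy
    # file in different orders can disagree.
    return effects[0] if effects else "NotApplicable"


META_POLICIES: Dict[str, Callable[[List[str]], str]] = {
    "deny-overrides": deny_overrides,
    "permit-overrides": permit_overrides,
    "first-applicable": first_applicable,
}

# The one meta-policy every implementation would be required to support.
# The minutes only record the proposal that *some* such policy be named;
# picking deny-overrides here is this example's assumption.
MANDATORY_META_POLICY = "deny-overrides"


def evaluate(rules: List[Rule], request: Request,
             meta_policy: str = MANDATORY_META_POLICY) -> str:
    """Access decision for a request under a named meta-policy."""
    return META_POLICIES[meta_policy](applicable_effects(rules, request))


def decisions_by_meta_policy(rules: List[Rule], request: Request) -> Dict[str, str]:
    """What each meta-policy decides for the same rules and the same request."""
    return {name: evaluate(rules, request, name) for name in META_POLICIES}


# Constructed rule set loosely modelled on the health-care discussion:
# billing staff may read records, but HIV test results need a physician.
RULES = [
    Rule("billing-reads", "Permit",
         lambda r: r["role"] == "billing" and r["action"] == "read"),
    Rule("hiv-result-needs-physician", "Deny",
         lambda r: r["resource"] == "hiv-test-result" and r["role"] != "physician"),
    Rule("physician-reads", "Permit",
         lambda r: r["role"] == "physician" and r["action"] == "read"),
]

# Constructed request on which two rules conflict (one Permit, one Deny).
CONFLICTING_REQUEST = {"role": "billing", "action": "read", "resource": "hiv-test-result"}


if __name__ == "__main__":
    for name, decision in decisions_by_meta_policy(RULES, CONFLICTING_REQUEST).items():
        print(f"{name:17} -> {decision}")
    # Reordering the rules flips first-applicable but not the mandatory meta-policy.
    reordered = list(reversed(RULES))
    print("reversed, first-applicable ->", evaluate(reordered, CONFLICTING_REQUEST, "first-applicable"))
    print("reversed, mandatory        ->", evaluate(reordered, CONFLICTING_REQUEST))
```

The same three rules and the same request come out Deny, Permit or Permit depending only on which meta-policy the engine happens to use, and reversing the rule order flips first-applicable as well. Once the specification names one meta-policy every implementation must support, and each policy states the meta-policy under which it is to be evaluated, the decision no longer depends on the vendor.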
The topic was tabled for discussion during the next conference call with a summary proposal that XACML v1.0 focus on "Creation of a policy expression language based on a formal model which, when evaluated in the context of a specific metapolicy, will be deterministic. We will at least define 1 metapolicy that is mandatory to implement."

15:20 Entrust Preliminary Proposal (Tim Moses)

The proposal can be found at http://www.oasis-open.org/committees/xacml/docs/xacmlprop.doc.

Tim Moses' Entrust presentation was based on early standards work in 1994-95. Specific comparisons were made to, and mechanisms provided for moving beyond, the subject, object, action triple. These include considering attributes of the subject at runtime within the policy, i.e. free variables; resource sensitivity à la military object partitioning; and comparing properties of subjects and objects, or even subjects relative to other subjects. Much of the attribute-oriented information can be mapped back to SAML work and various attribute authorities in the domain model. It was noted that the logical expressions within the language are somewhat limited, e.g. there is a lessOrEqual but no greaterThan. Tim Moses pointed out that they are logically complete and could easily be extended. It was also noted that several XML specifications are in need of logical expressions, and Simon Blackwell asked if anyone knew of specification work focused just on logical expressions.

Simon Godik asked if the Entrust proposal is the only one on the table. Simon Blackwell said it is, but that he asked for proposals and models some time ago. Everyone is free to submit their proposals to the list. There has been no formal process for adoption defined yet. Tim Moses pointed out we need a process to take a base proposal, test it against our requirements and extend as necessary. How do we proceed? Due to time constraints this topic was not pursued.
15:50 Lessons Learned from Twelve Years in Authorization Research (Pierangela Samarati)

A large number of references from Pierangela Samarati can be found at http://www.oasis-open.org/committees/xacml/docs/docs.shtml.

The group was becoming increasingly pressed for time. Pierangela had a large amount of research to present and ran through it very quickly. The reader of these notes is encouraged to review the references above since many diagrams and formulas were extracted directly from them. Many issues related to policy conflict resolution were addressed at both a theoretic/algebraic and a visual/practical level. IP addresses showed up as an intrinsic part of one mechanism, which was a point of concern since they are unreliable for security purposes. However, it was pointed out that users do implement policy with them and do expect them to be present, and we do need to pay attention to satisfy users. It was noted that much of the work is represented in logic languages and is therefore somewhat unapproachable by users, and would take a long time to develop into a specification. Ernesto Damiani, a peer of Pierangela, granted the need for an XACML v1.0 that is approachable, but reserved that the ability to do formal proofs in the future could be valuable. There seemed to be some consensus on this. Simon had to close off the conversation in the interest of time.

16:23 RFC 3060 (Jeff Hodges)

RFC 3060 can be found at http://www.ietf.org/rfc/rfc3060.txt.

Jeff Hodges prefaced his comments by saying we need to derive our language from a model that can be accurately described. We should first produce the model using a modeling language. He commented that although 3060 is not perfect and is probably not the model we want to use, it is a good example and contains lots of useful information. He noted that one of the co-authors of 3060 has some significant problems with the model. He said he would look into getting these posted to the list.
Simon Blackwell asked that Pierangela provide references to existing work given her extensive background. This led to a discussion of schedules for deliverables for review and conference call agendas, i.e.

1. All policy model references to be submitted to the list by 2001-07-25. (Note, this was revised to 2001-08-01 on the July 26th conference call.)
2. Concall on 2001-07-26 to cover schedule issues
3. All use case proposals to be submitted to the list by 2001-08-01
4. Concall on 2001-08-09 to cover use cases
5. Concall on 2001-08-23 to cover policy models
6. Policy model proposals due 2001-09-06

16:44 XACL, XML Access Control Language (Michiharu Kudo)

Michiharu's slides can be found at http://www.oasis-open.org/committees/xacml/docs/XACL.zip. XACL info can also be found at http://www.trl.ibm.com/projects/xml/xacl/index.htm and http://alphaworks.ibm.com/tech/xmlsecuritysuite.

XACL uses the fairly standard triplet (subject, object, action) plus adds the concept of "provisional actions", functions that need to be executed when the right granted by the policy is exercised. He suggested that XACML should at a minimum provide support for policy representations using the "standard" approach without requiring additional functionality.

17:15 Meeting adjourned

------------------------------------------------------------------

Simon Y. Blackwell
CTO
Psoom, Inc.
Voice & Fax: 415-762-9787