Subject: [xacml] XACML November 15, 2001 Minutes
XACML Conference Call
Date: Thursday, November 15, 2001
Time: 10:00 AM EST
Tel: 512-225-3050
Access Code: 65998

Minutes of Meeting

Summary

We briefly discussed the policy subcommittee work description to see if there were any questions for Pierangela. Then Pierangela reported on the progress of the PM subcommittee. Progress has been made on characterizing principal and resource. A decision was made to have specific and sufficient conditions rather than negative authorizations, and Pierangela described these (she will follow up by posting more information to the list). It was also mentioned that Simon had proposed semantics to define the types of actions allowed on a resource, and this is being discussed. Another issue is whether to use XPath to extract information from SAML assertions, specifically whether the operators defined in it are sufficient and necessary for what XACML needs. Next the Face to Face was discussed, and Jan 23-24 or 24-25 was tentatively agreed to. Bill and Ken are looking for a location to hold it in California. The last topic was to decide how we will interpret the OASIS requirement of 3 members using the specification. Some agreement was reached, and Carlisle and Bill summarized it. Carlisle will follow up with a submission to the list that we can vote on at the next call.

Action Items
Issue List Candidates
Votes
Minutes from 11/1 meeting accepted

Raw Minutes (taken by Ken Yagen)

Proposed Agenda:
10:00-10:10 Roll Call and Agenda Review
10:10-10:15 Vote to accept minutes of November 1 meeting
http://lists.oasis-open.org/archives/xacml/200111/msg00003.html
10:15-10:20 Administrative Items (e-mail voting; non-TC member access to mail list)
10:20-10:25 Discussion of Policy Model work description
http://www.oasis-open.org/committees/xacml/sc-model.shtml
10:25-10:35 Report of Policy Model Sub-Committee
10:35-10:40 Report of other sub-committees (conformance, IP, security & privacy considerations)
10:40-10:50 Discussion of next Face-to-Face (U.S. West coast, sometime in January)
10:50-11:00 Discussion of proposed Schedule and Milestones (in particular, draft spec by Dec. 1)

10:05 Attendance
Voting Members
Ken Yagen, Crosslogix
Hal Lockhart, Entegrity
Fred Moses, Self
Carlisle Adams, Entrust
Jason Rouault, HP
Michiharu Kudoh, IBM
Bill Parducci, Self
Suresh Damodaran, Sterling Commerce
Pierangela Samarati, University of Milan
Prospective Members
James MacLean, Affinitex
Ernesto Damiani, University of Milan

10:09 Administrative Issues
Carlisle brought up that Karl Best questioned whether we allow e-mail voting and access to the mailing list by non-TC members. Both were voted on at previous meetings and are allowed, and this is posted on the website under membership.

10:12 Motion to accept minutes of meeting of 11/1 voted on and accepted

10:12 Discussion of Policy Model work description
The charter was accepted at the last call, but Carlisle asked if anyone had questions they would like to raise for Pierangela.
Carlisle - question about the 3 layers of language: are they separate work items or specs?
Pierangela - Allows you to work separately on different phases, but all part of the same work item.

10:15 Report on 11/12 PM Call
Pierangela - Discussion of semantics and syntax of language, formats of the rules. Completed characterization of principal expression.
Should also be done with format of resource. Went on to discuss action expression and condition. 2-3 changes to glossary: notion of pre- and post-conditions. Rule has different parts: principal, resource, action, conditions to satisfy, and post-conditions. Positive and negative authorization: agreed to take a look at this. Instead, 2 kinds of rules: one with specific conditions for access granted and another with sufficient conditions. Specific must be granted or else it will be denied. Asked for a written example on the list; Pierangela will post a paper with a pointer to the part.
Hal - also defined an AND and OR.
Pierangela - won't have to put an AND condition for a required condition in every rule (i.e. "and committee member, ..."). Less complex to manage than with negative authorization rules.
Hal - this seems to interact with a number of other things, including the conflict resolution step. Would like to look at the whole thing.
Ernesto - There was a proposal by Simon to introduce semantics about the type of action allowed on a resource type. We said we will look into standards and decide if we want to define something. Check whether a given action is relevant to a given source.
Hal - private name spaces maybe to define this. More an issue of policy creation time.
Ernesto - Small issue: agreed on the XPath technique to extract info from SAML assertions, but the standard form lacks expressive power, like an "in" operator to verify a given assertion in any of the node paths. Ernesto said he would look into the extension of XPath used in XQuery.
Carlisle - did look at the document for XPath/XQuery and it is much richer than what we need for XACML. Don't know if it is more valuable to profile it and define what we need, or to define our own operators.
Ernesto - the value of the XPath standard is that you require future iterations to use XPath that is already defined. Otherwise, implementation may be more work.
Carlisle - agree with using it to locate assertions, but question pulling operators from it.
10:33 Other subcommittees
Conformance - Tim
IP Security, Privacy - Joe
Both not present on call, but don't think anything done.

10:34 Next F2F
Not enough people committed to justify a meeting. Current plan is to schedule for early next year, January. Offer from U Milan to host at any time. Propose January on the West Coast.
Ken - can look at what is available in the bay area.
Carlisle - what weeks are bad?
Ernesto - earlier the better, but not first week. RSA is in February (18-22). OMG is Jan 28 in Anaheim.
Michiharu - before 1/21 cannot attend, but after, can.
Pencil in 23rd - 25th. Bill will look into LA. At most 15 people.
Ken - maybe another meeting at RSA conference 2/18-2/22. More important to get everyone at January meeting.

10:41 Scheduling
Draft standard slated for December 1.
Ernesto - probably a bit optimistic.
Hal - once circulated some other dates via e-mail. 2/14 draft proposed at last call and in the minutes.
Ernesto - that sounds reasonable.
Michiharu to pull from 11/1 minutes and post to website.

Other issues to discuss
Ernesto - reference implementations required, mentioned by Bill.
Hal - 3 members certify they are successfully using the specification. NO requirements for interoperability. We decide what "successfully using" means.
Carlisle - what would committee like that to mean? Interoperability or produce spec.
Fred - talked about reference implementation.
Hal - GA product is probably unrealistic. Would like syntactic interoperability.
Party B can consume what is produced by party A.
Fred - how much of an environment is required?
Ken - what about SAML?
Hal - we would propose extensions to SAML. Those would have to be tested in SAML context.
Ken - look for SAML assertions (XPath), discussed.
Ernesto - reference implementation would be a sample PDP or PEP that can evaluate and enforce. You are discussing interoperability.
Hal - suspicion reference implementation will be limited by available labor.
Suresh - someone mentioned policy might be sent with SAML. Will it be visible outside the firewall?
Carlisle - one use case where policy travels with a health record to another site. In the general case it could happen.
Hal - DRM problem as well. Nothing in XACML to prohibit it.
Carlisle - Tim had in mind policy and a set of inputs, and different PDPs could parse and come up with the same answer.
Hal - more concerned with the enforcement part. Doesn't speak to generating policy.
Ken - recreate policy that was consumed.
Hal - issues with evaluating if equivalent form.
Bill - valuable to create policy that others can read properly.
Carlisle - definition is: handed policy and relevant inputs and can come up with a decision others could also come up with. Some or all of the inputs are SAML syntax and outputs are also SAML assertions.
Bill - what about generating policy that others can digest?
Carlisle - yes, would have to have that.
Ken - write up and formal agreement. Carlisle will send out e-mail with this and we can vote at the next teleconference.

11:00 adjourned