Subject: [xacml] policy subcommittee minutes from Jan. 3


Minutes of OASIS XACML Policy Model Sub-committee Conference Call
03 Jan 2002

Present: Anne Anderson (scribe), Sekhar Vajjhala, Don Flynn,
Carlisle Adams, Tim Moses, Ernesto Damiani, Michiharu Kudo

A. XACML Extension Model

Michiharu presented his proposal for an XACML Extension Model,
(http://lists.oasis-open.org/archives/xacml/200112/msg00000.html).
This proposal provides mechanisms for allowing support for
negative permissions and for codesource-based permissions.

The semantics of the extensions are expressed in a <policy
policyURI= /> element that follows the <applicablePolicy>
element.  The semantics might be explained in a standards
document at that URI, for example.

Anne asked about how a PDP can tell if various fragments in a
distributed policy have semantics (such as negative permissions)
that affect whether all fragments must be retrieved in order to
evaluate the policy.  Tim suggested various policy fragments
might have different <policy policyURI= /> elements, but in that
case merging them (done by the PRP) might be difficult or even
impossible.  Tim proposed placing the policyURI element in the
applicability section, so that there would be only one policyURI
covering all fragments.  There was no objection.

Anne questioned the point of specifying a "standard" for
extensibility that effectively requires non-standard PDPs in
order to handle a significant fraction of the proposed
requirements.  She proposed instead developing powerful
primitives that can be composed to create special complex
attributes or operations useful for a particular application or
market sector.  The definition of such attributes and operations
could be downloaded and interpreted by a standard PDP that needs
to handle policies for that application or market sector.

Tim reminded us that there is an extensibility point in the
current syntax proposal - at the predicate level.  He suggested
that extensibility at both the predicate level and at the policy
level are needed, and both should be part of the core.  Michiharu
then described his proposal as "radical extensibility", that goes
beyond the core for applications that need it.  Sekhar thinks
Tim's extensibility point does not allow codesource-based
attribute support (required by J2SE), but he wants to study it
further and will write something up by the middle of next week.

There was general agreement that the core (and standard
core-compliant PDPs) should be able to handle at least 80% of the
requirements.  [Should we add: "and at least 80% of the
anticipated usage."?].  Ernesto proposed that 80% of requirements
should be supported without requiring their own namespace, but
the remaining 20% could be covered with some sort of
extensibility mechanism such as Michiharu's.


B. Updated Schema Proposal

Tim explained his updated schema proposal
(http://lists.oasis-open.org/archives/xacml/200201/msg00000.html).
He plans to add annotations on the next pass, since the schema is
not self-explanatory.  He went over several interesting elements,
including the "resourceToClassificationTransform" (how to decide
whether the resource you are interested in is in the
resourceClassification), the reasons for having
"RuleAbstractType" (for better object-oriented design; AND, OR,
NOT and RuleType are just restrictions on this abstract type,
primarily differing in the minOccurs), and the
"PredicateAbstractType" extensibility point.

Tim is working on an example that illustrates as many elements
from the language as possible using the medical record case.

Ernesto put the schema through some tools to check for
correctness, etc.  Sekhar pointed out that the schema in the
proposal has line numbers, and thus can't be passed through tools
directly.  Tim agreed to issue the schema both as part of an
updated proposal and also separately without line numbers.


C. Open Issues

Ernesto suggested that we accumulate issues for now, discuss them
so that they are understood, and plan on making decisions at the
face-to-face meeting January 23-24.

For our next meeting, we will try to collect a list of issues
that must be resolved in order to agree on a proposal.  The
current list of issues includes:

1. Do we add "syntactic sugar" to the more abstract "valueRef"
   element so that separate policies for Principal and Resource
   can be specified?

2. How do we handle hierarchies of resources (for example,
   wanting a policy to apply to an entire file directory tree)?
   Tim's "resourceToClassificationTransform" is one way to do
   this.

3. How do we handle non-SAML inputs?


D. Next Meeting

The next meeting will be Monday, 7 January, at the usual time.


E. Action Items

Anne: write up minutes [done]
Sekhar: write up any issues with revised syntax in handling J2SE
   case.
Tim: finish examples and annotations on syntax.
All: propose additions to the list of open issues in Section C of
   these minutes.

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
