Subject: [xacml] 012302 XACML F2F Raw Minutes


Here are the Raw minutes. I'm working on summarizing them, incorporating Anne's notes and cleaning them up. I'll have that done before the next formal meeting. The schedule we discussed is at the end.

XACML F2F Meeting

January 23-24, 2002

Barnabey's Hotel, near LAX

 

Wednesday:

9:00 - 9:15:      Roll call; agenda review; approval of minutes for Jan. 10 con-call

9:15 - 9:30:      Discussion of XACML schedule (milestones, deadlines)

9:30 - 10:00:    presentation from Sekhar on the J2SE authorization model, in relation to SAML & XACML

10:00 - 10:30:  presentation from Simon G. on an alternative policy model and syntax for comparison purposes

10:30 - 10:45:  BREAK

10:45 - 11:15:  presentation from Hal on difficulties with the current model and syntax proposal

11:15 - 12:00:  discussion / status update with respect to IP, sec. & privacy considerations, conformance

12:00 - 1:00     LUNCH

1:00 - 3:00:      discussion and resolution of open issues, beginning with Tim's "We resolve" proposals

3:00 - 3:15:      BREAK

3:15 - 5:00:      continued discussion and resolution of open issues

5:00:                adjourn

Thursday:

9:00 - 12:00:    continued discussion and resolution of open issues (BREAK around 10:30)

12:00 - 1:00:    LUNCH

1:00 - 4:30:      continued discussion and resolution of open issues (BREAK around 3:00)

4:30 - 5:00:      revisit XACML schedule; discuss next F2F; wrap up

5:00:                adjourn

 

9:15 Roll Call

10 members, 2 prospective

Simon Godik, Crosslogix

Ken Yagen, Crosslogix

Hal Lockhart, Entegrity

Carlisle Adams, Entrust

Tim Moses, Entrust

Don Flinn, Hitachi

Michiharu Kudoh, IBM

Bill Parducci, Self

Ernesto Damiani, University of Milan

Thomas Hardjono, Verisign

Sekhar Vajjhala, Sun Microsystems

Anne Anderson, Sun Microsystems

 

Polar Humenn, Self

Guillermo Lao, ContentGuard

 

 

9:25 Discussion of Agenda

9:28 Motion to approve minutes from the 1/10 meeting passed

 

9:30 Discussion of schedule

12/14 Draft Policy model complete

2/1 Full draft of submission complete

3/1 Final XACML submission to OASIS

Next OASIS submission date is 6/1/02

Hal - still expanding, not yet closing

General feeling is sooner is better, but not at expense of getting it right

SAML deferred some issues to future version, but no schedule for that. XACML could take same approach

Tim - finer schedule for actual closing - public/private last calls, duration, etc.

Carlisle - last call process 2-3 weeks, so slipping 3 months doesn't give much flexibility

Ernesto - from experience of Monday calls, need finer granularity over control; very open-ended and not deadline focused

Simon - set agendas for all meetings

 

9:47 Sekhar's Presentation - Use of SAML/XACML in J2SE

[PDF of presentation will be posted to website]

XACML as replacement for default policy syntax (configuration of security policy)

Integrated 3rd party provider into J2SE platform (JSR 115 intended for this?)

[Sidetrack on JSR 115]

JSR 115 defines the contracts between the policy provider and the container (J2EE concept)

3rd party add PDP where container acts as PEP

Policy decision, configuration, and provider contracts (3 interfaces)

Retains existing security model, but standardize SPI between container and provider

 

J2SE Permission controls access to a resource (resource is what you define, actually a record of what is allowed)

Simon - Permission encapsulates resource and action in XACML

Simon asked for clarification of executing principal - principal is under J2SE umbrella (as of 1.4 specified more exactly)

SAML principal corresponds to JAAS subject

 

ISSUE: Protection Domain - like a security domain. Can the information in the Protection Domain be sent in a SAML authorization query to a PDP for policy evaluation?

implies() method is a subset test rather than an equality test; could apply to resource or action

(Confusion over what a permission exactly is...)

 

Issue - Action as a string

Hal - Permission has class, name (resource), and action (action)

Polar - Is permission a namespace for the action? (Hal - resource as well)

Anne - namespace with semantics

Tim - SAML action schema has namespace?

Sekhar - SAML says action is a string

Simon - Action is wrapped by element Actions which has an attribute called Actions Namespace and you could potentially use it.

Ernesto - what is the impact; see as more as a SAML issue

Anne - impact is what is XACML going to require of SAML in order to express policies

Polar - why is not a namespace issue

Simon - overloading namespace and the meaning of namespace is not clear - you must mark it up to explain what it means in some internal syntax

Hal - represent it as part of the resource, not the action.

Polar - need just another attribute for target. Makes it an XACML problem, not a SAML problem

Anne - in SAML, resource is defined as any URI so it is still a SAML problem

 

JRE (PEP) -> Policy Class -> Front End (PDP) -> SAML Authz Query -> PDP

Does front end make any decisions - it could depending on environment

Issue - do have to extend architectural model to include this scenario?

 

Carlisle - assign somebody to keep track of things we'll want to go to SAML with in the future.

Anne - collect issues for SAML, also be recorded in own group in issues list

 

Hal - What extent do we want to support various existing authorization models?

 

11:13 Simon's XACML schema proposal

[To be posted to website]

Similar to Michiharu's idea, but extends differently

Want to preserve certain well understood, basic semantics

At certain points, can extend it without breaking it

Resource should be abstract type from which concrete resource types are derived

Carlisle - if writing an access control policy, does language need to say what you can do?

Gives opportunity to lay out semantics of what you can do with a resource (semantic glue) - reference to group of possible actions

Polar - Like an object interface in CORBA world which XML allows you to do

Resource - can include more than one XML content element and actions

Polar (Clarification) - This is the resource, you are only allowed to access these elements with these actions.

By specifying correct actions, determine whether policy is possible when writing policy, not evaluation

Hal - When talking about resource content, two ways: 1) fine granularity of protections 2) as a condition of access

Tim (clarification) - Your core proposal is resource should be domain-specific extensible

Ernesto - would have to define resource types and XACML target namespace is not the right place to have the definition of all the different types of resources. Maybe we could hook to an existing namespace for resource types. Maybe just some auxiliary ones that could map into a standard one.

Simon - reference syntax is not thought out and needs work

Expression tied to resource is resource expression.

Expression tied to subject is subject expression.

If have to compare across subject, resource, environment, then have to have a context.

If don't see entity in expression, then default is a resource expression

Simon - this form because of semantics, useful for writing, policy analysis, etc; other form (Tim) more focused for machine evaluation (PDP)

Sekhar - when trying to write J2SE policy, have to be written in more user friendly way. Is that under scope of XACML?

Polar - Doesn't the target specification provide semantics?

Simon - A lot of semantic overloading in target specs and is more difficult to work with

Anne - want more general form - XACML and various vendors will write front ends where expressed in terms of application.

Hierarchies:

Ernesto - do we want to define in standard a technique for defining hierarchy

Discussion about whether subject and resource need to be explicitly defined or is subject part of precondition (ie user is in role x)

ISSUE: Does it matter if attribute comes from a flat set or a hierarchy? Does PDP need visibility of shape of hierarchy?

Bill - fundamental charter that have some level of interoperability

Hal - should language contain information on process to obtain this information?

Polar - trying to classify principals

Do we need a general purpose language or more specific domain language?

 

2:15 Hal's Thoughts

[Slides to website]

Glossary, Policy Information, Decision Strategies

Hal outlined a list of issues with the glossary that need clarification or rewording

Where can policy inputs come from? authentication, session, access request, principal attributes, resource metadata, resource content

Resource metadata belongs with resource - debate between Hal/Simon over whether true

Example - Attribute authority that contains classification of various documents. PEP knows user is accessing file, but doesn't know classification

Resource authority is potentially needed based on this use case

Real key issue: Authentication and session properties can apply to any of the principals in the request.

Decision Strategies - different based on environment and require different features or may want to optimize

Propose identify all possible decision strategies (believe finite number < 10)

Proposed three strategies and for example III does not support global denies

Simon - PDP can say whether or not it can evaluate the policy based on an "uber-policy"

Anne - proposal allows for all these decision strategies but is built into the language

Simon - 2 issues - how to combine different policies and how you run evaluation

PDP just requires single authority to trust and a single set of policy? And doesn't need to worry about 5 people writing 5 policies that it needs to resolve together on the same resource.

Anne - could have a few specific solutions to handle special cases (ordered or, in of, etc)

 

3:12 Anne describes her proposed solution

Global deny - some component however deeply nested, if Anne Andersen, don't give her access

Would have to put it in every rule unless had meaning of global deny

Using 0.8 syntax can achieve the same result

Expresses global deny and where do I get my policies and how does the PDP know it obtains all the policies and how does it combine them with no new syntax

Possible outcomes are grant, deny, indeterminate plus error conditions

Ernesto - Can use the syntax in multiple ways. Anne's metapolicy is not the only way to do this.

Anne's example uses <and><not> in base policy to implement same concept

Must be configured as a base policy so it is a different kind of policy

This is the PRP's policy

Must assume external functions are about the same thing, not apples and oranges

Polar - if you have the policy in one document can run analysis and get assurance. But if at the end of network, have security considerations, analysis difficulties

Simon - policies may already be prefetched, so don't run this risk

Ernesto's example - want to express policy where can specify permission to read PDF files (research of dept) but both dept and university level policies.

Ernesto/Simon - happy this works and maybe not consider global deny in first release of XACML

Hal - willing accept this looks promising but would like to work through some target examples

Targets in both central policy and local one; worse that can happen is include federated policy and it doesn't apply

Anne - having target in sub-policy - a quick/shorthand way to check but introducing possibility for error.

Simon - meta/top policy would not have a target

Polar - would have to evaluate target expressions of all sub-policies and develop a derived target.

Federation refers to administration not PDPs

Tim - We posit that it is accepted

Xin - Include external function implies we will have multiple PDP's

Anne - agree need something like include policy not external function but don't want to simply pull it in because in real world may have multiple authorities and if OR'd together, don't want to go get all of them.

Polar - How does it affect syntax if go retrieve all and include them. Would that be a valid XML document?

Tim - Yes it would be valid document.

Simon - Remove NOT and targets from Anne's proposal

Tim - legal to write uber policy with null target

Simon - breaks encapsulation and may not be able to specify target with any meaning in the base policy.

Hal would like to get away from coupling of name of policy with resource. Trust model is needed so you can't just trust anyone to write policy on a specific resource.

Polar - can a PDP have multiple base policies that apply to a request? Is PDP defined by this?

Anne - Base policy - only one base policy. Can't have overlapping target mappings

Base policy, sub policy(ies) - sum of all is aggregate policy

If you have several base policies and they all have targets, they cannot be overlapping

Anne - If targets overlap, you apply "OR" but base policy gives you more complex logic.

Polar - non overlapping targets is administratively hard

Target is optional so most people may be satisfied

Don/Simon - Doesn't PDP have a specific domain it operates over

Hal - Conflict resolution policy - a PDP must decide and publish it but XACML does not need to specify it

Polar - cannot enforce non-overlapping, but can recommend it and explain case when they overlap.

Hal - need to describe the alternative strategies

Ernesto - recommended solution to simplify target in base policy so issue not so hard

 

Resolution 1: Issues for tomorrow PM-4-01 Triplet Syntax

Resolution 2: Tentative resolution is one or more base policies that either have no target or have non-overlapping targets and they can reference external applicable policies (1. given request, all policies that apply; 2. the base and some subset of the sub policies; 3. the aggregate policy that applies to a particular request)

Resolution 4: issue PM-2-06 Policy Security

 

 

DAY 2

[Anne proposal presentation - Tim to incorporate into spec and Ken into issue list]

Definition of terms (predicate, relation?, combinatory, policy, base policy, subPolicy, aggregate policy

Polar concerned with empty combinators generated by code (ie <OR><AND></AND></OR>)

Should adhere to published papers on logic

 

Ernesto - specify how the resource can be defined in the base policy so it is easy to determine if have overlapping targets and then if targets overlap, you are out of spec

Simon - reiterate breaks encapsulation and should remove target from base policy

Anne put three alternatives in proposal

Can a PEP specify a policy for a PDP to use? Use case for policy embedded in XML document and to be passed to PDP for evaluation.

90% of time there will be one self-contained policy with no external references

subpolicy is a reference to an applicable policy. Carlisle suggests Policy Reference as a better name

 

Discussion of issue PM-4-01

Figure 2 in 0.8 Spec (page 17)

Tim suggests Simon's recommendations impact two areas: resources have different characteristics in different environments. Make an extensibility point for others to add schema specific to certain domains. Top left focused on location and retrieval of policy so not relevant for extensibility. Bottom part of model deals with attributes and there should be stronger delineation by making them elements and not xml attributes of elements. Would have strong typing among different types of attributes by their unique identifiers.

Current model is attribute based and Simon would like to introduce a triplet

Top left is locater of applicable policy so do not need extensibility to locate policy

Anne - don't like tying XACML policy to one view when there are differing views in real world

Simon's example

<Resource xsi:type="FileResType" transform="regexp" filename="/a/b/*"/>

<Subject xsi:type="Role" ..../>

<pre-cond>expressions...

Hal - if have to support this structure (subject index) of policy, you must implement it and it is a lot more work; combined with Anne's proposal (one large predicate) it gets very complex to do

Simon - advertise what you support in your URI

Polar - if the predicate doesn't have a predefined structure, then you can't index

Hal - if ignore subject in policy retrieval step (rough cut based on resource) but still have to account for it in evaluation

Adding subject to the target (the target of the policy, which was the resource and the action) is the concept the group is reaching agreement on (straw poll was taken)

This is somewhat equivalent to triplet format (third leg of triplet is precondition)

Policy Target is now the resource, action and subject

Polar - need some way to state whether the policy applies

Resource is applicable, subject is applicable, now you have to evaluate the preconditions

Simon's Rule (+ extension point):

<grant>+

            <rule - name>+

                        <resource>+

                        <subject>+

                        <pre-cond>+

                        <post-cond>+

            </rule>

</grant>

Polar - this is equivalent to:

<Applicable Policy>

            <target>

                        resource

                        subject

            </target>

            <pre-cond/>

            <post-cond/>

</applicable policy>

Tim will incorporate into the spec 0.9 this agreement

 

Resolution 11 irrelevant by base policy

Addressed Resolution 1,2,3,6,8,11,12

 

Candidates for talking next:

PM-5-03: Hierarchical roles/groups

Resolution 4: Encapsulation of XACML policy

Post Conditions (PM-1-03:name and PM-1-02:semantics)

 

Post Conditions

Simon: Define 2 types internal - in PDP, external - acted on in PEP

Internal PDP - Result of rule of final decision giving you grant. If PDP is not able to fulfill this internal post condition, it doesn't change the decision.

Carlisle - whether it only applies to a permit or deny decision as well is still open. There was consensus on whether it can affect the decision.

Polar - PDP shouldn't be responsible for executing any post-conditions. Just a decision maker - all post conditions are external. Another entity in the model that carries out the obligations

Simon/Polar - could say that post condition must terminate

Anne - prefer no post conditions or just external post conditions. Post conditions are just strings

Simon - Specify only on result, not on rule

Carlisle - if in sub policy, no guarantee they will come into decision, so only in base policy?

Ernesto/Carlisle - if put in sub policy, the base policy may combine differently and the sub policy is not used.

Use case - allow this document to be read, but sign it, encrypt it, etc.

Can register child on website, but data must be deleted after 90 days

Tim - suggest possibly could be delayed to next version?

Ernesto - research paper from Shaneil?

Xin - DRM it is an issue but much more complex concurrency issues

Bill - Reuters had cascading use requirements (writer - publisher - distributor - consumer)

Simon - contract enforcement. As postcondition, give URI to contract agreement

Hal - instead return a deny or indeterminate but with hint at what to do to reach a grant.

Anne - proposal for postconditions needs to be made in light of the new schema (0.9)

Hal - either don't do it or propose a simple case with Simon's URI idea and possible simple case solution.

Michiharu - IBM would like to use XACML with postconditions for privacy

Michiharu and Hal - will create a proposal for including postconditions that addresses IBM's requirements

 

SAML - could define an XACML extension to SAML schema and submit it to them as a proposal and we can use it in the meantime?

 

Hierarchy of group/role

Simon - OASIS(saml,xacml) example

Ernesto - hierarchy schema document would be separate namespace from policy document and could be referenced

Carlisle/Don - belongs in SAML because it is an attribute and attribute authority should control this

Hal - definitely attribute authority and could have policy language for attribute authority

Ernesto - there are some cases when exchange a policy would not be sufficient. If in another setting the local definition of hierarchy of roles is different, then it would impact the evaluation.

Hal - true for all policy inputs.

Policy language might be required to allow to differentiate direct, indirect, number of indirections in defining the rule.

Tim - language allows saying if a member or not a member of a role

Polar - why would you want to write a rule on the hierarchy of the role?

Carlisle - Rule: if member of Oasis, but input is member of XACML. But that should come from an authority

 

 

Schedule

1/24/02 Today

2/1 0.9 Spec

2/7 TC Con Call

specific milestones for major issues

2/11 decision on post conditions

2/21 TC Con Call

2/25 decision on extensibility (extensibility sub-sub committee)

3/7 TC Con Call

2/21 TC Con Call

2 months of concepts

1 possibly 2 face to face meetings

2nd/ 3rd week of March possible F2F in Burlington (Sun)

Security Considerations, Conformance, IP

month of April concentrate on the XML

schedule of SAML requirements? (need to propose something specific)

4/1/02 concepts complete

4/1/02 liaison statement to SAML

4/4 TC Con Call

4/18 TC Con Call

5/1/02 Ready for review outside committee

6/1/02 Submission to OASIS

7/1/02 OASIS reviews spec
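The base-policy, sub-policy, target and global-deny notions debated in the minutes above (Anne's base policy with a global deny, Ernesto's department/university PDF case, the resolution that base policies have no target or non-overlapping targets, and the agreed target of resource, subject and action followed by preconditions), worked into a toy Python policy decision point. This is an added illustration written for this archive page, not code from the XACML TC or any XACML specification; the outcome names, the ERROR outcome, the deny-overrides combination across base policies and the sample policy names are assumptions.

```python
import fnmatch
from dataclasses import dataclass, field

GRANT, DENY, INDETERMINATE, ERROR = "grant", "deny", "indeterminate", "error"

@dataclass
class Target:
    """Policy target as agreed at the F2F: resource, subject (roles), action."""
    resource: str        # glob such as "/a/b/*", as in Simon's example
    roles: frozenset     # applicable if the request carries any of these roles
    actions: frozenset

    def matches(self, req):
        return (fnmatch.fnmatch(req["resource"], self.resource)
                and bool(self.roles & req["roles"])
                and req["action"] in self.actions)

@dataclass
class Policy:
    name: str
    precond: object = lambda req: True    # callable over the request dict
    target: object = None                 # Target, or None for "no target"
    effect: str = GRANT
    subpolicies: list = field(default_factory=list)   # "policy references"

def evaluate(policy, req):
    """Leaf evaluation. Assumption: a non-matching target or false precondition
    gives INDETERMINATE (no opinion); an exception is the ERROR outcome."""
    try:
        if policy.target is not None and not policy.target.matches(req):
            return INDETERMINATE
        return policy.effect if policy.precond(req) else INDETERMINATE
    except (KeyError, TypeError):   # e.g. a request attribute is missing
        return ERROR

def evaluate_base(base, req):
    """The base policy's own deny is the global deny and fails closed on ERROR;
    otherwise base and sub-policies are OR'd: any grant wins, then any deny."""
    own = evaluate(base, req)
    if own in (DENY, ERROR):
        return DENY
    results = {own} | {evaluate(sub, req) for sub in base.subpolicies}
    if GRANT in results:
        return GRANT
    return DENY if DENY in results else INDETERMINATE

def decide(bases, req):
    """PDP entry point: base policies need no target or non-overlapping targets
    (two matching targeted bases is out of spec); any base's deny overrides."""
    targeted = [b for b in bases if b.target is not None and b.target.matches(req)]
    if len(targeted) > 1:
        return INDETERMINATE
    results = {evaluate_base(b, req)
               for b in targeted + [b for b in bases if b.target is None]}
    if DENY in results:
        return DENY
    return GRANT if GRANT in results else INDETERMINATE

# Constructed sample (names illustrative): a department sub-policy for research
# PDFs (Ernesto's case) under a university base policy with a global deny (Anne's).
DEPT_PDF = Policy("dept-research-pdf", target=Target(
    "/research/*.pdf", frozenset({"researcher"}), frozenset({"read"})))
UNIVERSITY = Policy("university-base", effect=DENY,
                    precond=lambda req: req["subject"] == "Anne Andersen",
                    subpolicies=[DEPT_PDF])
```

A request that omits the attribute the global deny needs is denied rather than silently granted by the sub-policy, which is the fail-closed behaviour a base policy should have.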

 


