[xacml] XACML April 18, 2002 Minutes

[Ken Yagen <kyagen@crosslogix.com>]

Title: XACML Conference Call Minutes

XACML Conference Call

Date:  Thursday, April 18, 2002

Time: 10:00 AM EDT

Tel: 512-225-3050 Access Code: 65998

 

Minutes of Meeting

 

Summary

After some delay due to problems at the conference calling facility, we got started with those that were able to get through to the 800 number that was posted (those not getting through, this will not reflect against your attendance). Topics discussed included domain specific attributes, schema committee issues, use of OCL, and F2F final logistics.

 

Anne mentioned she was considering several ideas for the J2SE examples and the one she favored is defining distinguished attribute names in a J2SE namespace that can be handled appropriately by the PDP when evaluating. This led to a larger discussion on domain specific attributes and whether we should define profiles for specific domains and/or a set of global attributes that can be used by any domain. Hal will take over this section of the spec and try to address these issues.

 

Simon reviewed the schema subcommittee progress and iterated the list of five issues that have been raised. These will be included in the XACML issues list and discussed at the Face to Face next week.

 

OCL has been a recent topic on the list. The committee discussed the pros and cons of using it or pseudo code to describe combiner algorithms like "deny overrides."  Konstantin had recommended it if we were attempting to define a method of ensuring compliance to the spec, because it is a formal language. The consensus was that it was too unfamiliar for many, but more importantly, XACML requires an explanation of the combiner algorithms, not a specification. So, a less formal English explanation and vendor-neutral pseudo code should be sufficient. No formal vote was taken on the issue, but Tim will incorporate this in the next specification revision.

 

Action Items

1. Carlisle will take roll at F2F and send to Ken
2. Move action item for XACML primer by Hal/Konstantin to calendar with date of 1 month from today (5/16?)
3. Carlisle to ask Michiharu to post description of IBM patent to email list
4. Hal to take over section 6 of spec and produce something in next 2 weeks
5. Michiharu and Anne to develop description of example applications, specifically for XML documents and J2SE [ed: Is this action item still open or resolved?]
6. James to send writeup to Polar or list on Security and Privacy for discussion at F2F.
7. Members who believe an issue is ready for closure should post resolution to the list for discussion and voting.
8. Ken to incorporate voting results and Simon's issue list in Issue List and publish by end of day 4/18/02
9. Tim to rework combiner algorithm section in spec to reflect discussion and consensus that we use English explanation and pseudocode to explain (not specify) deny overrides.
10. Tim to add change tracking in future versions of spec.
11. Carlisle will look into dial in capability, internet access at university, contact numbers for face to face.

 

Votes

Voted to approve minutes of 4/4/02 meeting

 

Proposed Agenda:

10:00-10:10 Roll Call and Agenda Review

10:10-10:15 Vote to accept minutes of April 4 meeting

http://lists.oasis-open.org/archives/xacml/200204/msg00019.html

10:15-10:25 Review of Action Items (see 4/4 minutes)

(including report of progress on Conformance, Security&Privacy topics)

10:25-10:35 Report of Schema Sub-Committee

10:35-10:45 Discussion of Overall Status

(in particular, are any items ready for closure on current issues list)

http://lists.oasis-open.org/archives/xacml/200204/msg00014.html

10:45-10:50 Discussion of OCL as the syntax for a combining algorithm

10:50-11:00 Discussion of agenda for upcoming face-to-face meeting

 

Roll Call (because of difficulties in calling in, will not count against attendance)

James MacLean, Affinitex

Simon Godik, Self

Ken Yagen, Crosslogix

Hal Lockhart, Entegrity

Carlisle Adams, Entrust

Tim Moses, Entrust

Don Flinn, Hitachi

Konstantin Beznosov, Hitachi

Polar Humenn, Self

Suresh Damodaran, Sterling Commerce

Sekhar Vajjhala, Sun Microsystems

Anne Anderson, Sun Microsystems

 

Raw Minutes (taken by Ken Yagen)

10:26 Voted to approve the minutes from 4/4

 

Agenda Review

Ken - Need to send roll call to someone. Carlisle will be responsible for taking roll.

 

10:28

Review of Action Items for 4/4/02

1. Simon to be reminded one more time to send his F2F#3 presentation to Michiharu for posting to the website.

Could not find it

2. [Hal, Konstantin] to produce an XACML "primer" that provides more verbal text describing function and use of the various element types at the appropriate time (ed note: Suggest a date be decided on and this be added to the calendar and removed from the action  item list.)

Should be moved to calendar for 1 month from today

3. Ernesto to appoint someone to update the TC on subcommittee progress if he will not be on a TC call (ed note: Suggest this apply to all subcommittees)

Simon took action item to record issues from last TC (see below for review)

4. Michiharu will brief the TC further on the extent of IBM's patents and provide an official translation (or at least and English description) of the Japanese patent that has already been published.

Carlisle will ask him to post something to the list

5. Michiharu and Anne to develop description of example applications, specifically for XML documents and J2SE

Anne - Express Java policy semantics using SAML request but will still require some proprietary stuff. Then defined an extension schema. Final approach is just to define some distinguished attribute names in a J2SE namespace and PDP should recognize them as special attributes and normal equals should handle them appropriately.

Don - talked about defining std attributes to cover 80% of usage. Are we still planning to do that?

Anne - Basic syntax should be able to handle 80% but don't remember special attributes mentioned.

Don - I made the statement. It's up for discussion.

Carlisle - One attribute defined in X.509 - role.

Hal - This may be consistent with the idea of profiling. If you want to do LDAP ACI's, these are the attributes involved.

Tim - Sec6 of v12 this may have been started. I was anticipating these would be identified and listed in sec6. Perhaps Hal could take over and advance sec6. Currently have placeholders for time of day, etc.

Hal - Yes identifying types of subjects is something we should do, but more wary of defining attributes. Many different opinions on semantics around this. Referred to NIST paper on RBAC and all different ideas of what a role is.

Carlisle/Hal - maybe profiling for different environments (Windows, LDAP, J2SE)

Simon - Agree profiling is a good solution, but compliance issue should be addressed

Tim - Small number of attributes may want to define identifiers for, such as time of authentication. They would be applicable across all profiles that define that attribute.

Don - Suggestion made before that various groups can define attributes within their domain (ie hospital domain, plumbers domain). Big problem is interoperability., especially when talk about federation.

Hal - Banks and Hospitals don't need to know about each other

Don - Should encourage in a non-normative way

Tim - DSML uses URN approach to naming tree. SAML uses URIs. This is something to address.

Hal - SAML is going to URN scheme for authentication type identifiers.

Tim - summary, Hal will take on and advance section 6. Should think about a time frame.

Hal - attempt to produce something preliminary in a week or so.

6. Ken and Polar to begin work on conformance

Ken - posted to the list based on SAML conformance spec.

Polar will be at F2F so can review it and can lead discussion for F2F

7. James and Polar to begin work on Security and Privacy.

James - Reviewed SAML document and putting together some notes to review with Polar. Polar can lead discussion at F2F.

8. Carlisle to begin email voting process for closing issues.

Closed all except OCL issue

[10:54]

 

Issues List

Anne - propose when someone thinks something is ready for closure, post resolution to mailing list and propose it be closed.

 

10:33 review of Schema SC meeting

Ernesto published agenda for number of calls and went through first item in agenda and out of that came action item list (that were posted to the list on 4/16)

1. Good graphical tool to work with Schema - suggested XML Spy
2. Make sure rule element and policy element have identity elements on them
3. Define list of built in predicate functions that are generally useful (date, time, currency,...)
4. How do we determine the context in which attributes are taken (owner of the attributes)
5. Extensibility mechanisms

What is the mechanism for resolution? All are open for discussion on list and could be discussed at F2F.

 

10:55 Discussion of OCL Issue

Konstantin - OCL is vendor neutral and a formal language. Formal language will help with compliance.

Carlisle - Is it well used and well understood.

Konstantin - Ponder project used it in their policies as well and they are also access control policies. It is relatively new (1997) as part of UML, so many may not be using it yet.

Carlisle - Anne suggested pseudocode and explanatory text as a means to convey the semantic. Compliance will come from specific test cases.

Konstantin - Test cases would not give you assurance 2 PDP's are compliant

Tim - argument you made applies to the entirety of the specification.

Konstantin - Two PDPs compliant may not be compatible in producing the same answer. How do we define the semantics of predicates?

Simon - English description is a declarative statement. Do you think it is not good enough?

Konstantin - Won't be able to test systems for compliance even if achieve clarity.

Anne - Given OCL is not in wide use already, should not be introduced in a standard.

Hal - agree with Anne, giving someone additional task of something else to learn.

Why not let OCL be the non-normative part of the spec for now.

Hal - issue with two representations, keeping in sync and what if they disagree. General approach in other specs is English narrative.

Don - CORBA used English text and have difficulty in interoperability.

Carlisle - Just defining deny overrides, not the whole specification.

Konstantin - Not a way to specify, just explain ideas, then is just a hint to implement and it doesn't matter.

Simon - Believe XACML is purely declarative, but doesn't mean implementer is required to follow this algorithm. Whatever means to choose to implement this outcome is up to you. But, then is it normative?

Hal - what is normative that you get the same outcome in all cases.

Carlisle - What is the conclusion? If we make it clear we are explaining, not specifying?

Simon - Issue with OCL clarity. Konstantin put together proposal.

Konstantin - proposal to use plain English and psuedocode for explaining what mean.

Carlisle - That's reverse order of Anne's proposal

Konstantin - Also indicate that we are not specifying, only explaining

Tim - I can make an attempt to rework that section.

Tim - Need to know expectations from people of the next version.

 

11:11 F2F

Carlisle - should we try to get a v13 of the spec, or work off of 12. My preference is 12.

[Silent agreement]

Konstantin - Any way to see changes between versions? Suggest change tracking be available.

Carlisle - Agenda topics. Some portion of Monday as Schema subcommittee meeting. Ernesto had scheduled policy and rules. Also like to include discussion of some of other items: Security and Privacy and Conformance. Any other topics like J2SE examples, etc.

Don - Attribute issue would be interesting

Carlisle - okay, attributes and domain specific profiles

Ken - list of Simon's issues

Ken - will try to update issues list and get it out today with results of voting and Simon's list of issues.

 

Dial in number for F2F, Internet Access from university - Carlisle will check on this.