OASIS Mailing List Archives

 




Subject: [xacml] Fwd: Updated Minutes of XACML F2F 30 July - 1 Aug 2002


See attached mail message.

Anne Anderson       Anne.Anderson@Sun.COM
Internet Security Research Group, Sun Labs
Sun Microsystems, Inc., Burlington, MA
--- Begin Message ---
Title:    Minutes of XACML Face-to-Face Meeting
Date:     30 July 2002 - 1 Aug 2002
Location: Hitachi/Quadrasis, Waltham, MA
Scribe:   Anne Anderson

CONTENTS
========
ATTENDEES
AGENDA
ACTION ITEMS
DECISIONS
NOTES ON LDAP PROFILE PRESENTATION

Separate documents:
  policy schema 16e (to be mailed by Simon)
  context schema 16e (to be mailed by Simon)
  Attribute Designator Examples
  identifiers
  Schema Issues [resolutions]

Preliminary versions of various documents were mailed earlier,
but updated documents replace those.
========================================================================
ATTENDEES
=========

Polar Humenn, Hal Lockhart, Don Flinn, Anne Anderson,
Bill Parducci, Carlisle Adams, Simon Godik, Tim Moses, Daniel Engovatov,
Konstantin [last name?] (parts of 2nd and 3rd day)

AGENDA
======

July 30:

9:00-12:00 Walkthru of latest version of document and schema to identify
items to be discussed.

12:00-1:00 Lunch

1:00-5:00 Combine items from morning and items from schema subcommittee list
and discuss and resolve each

July 31: 

9:00-9:30 Conference call (Michiharu called in)

9:30-12:00 Continue discussion of items

12:00-1:00 Lunch

1:15-1:45 Presentation of LDAP Profile and discussion

1:45-3:00 Continue quickly going through issues
    One possibility is asking someone to develop proposal during
    breakout session time.

3:00-4:30 Breakout work sessions:
          A. Work on identifiers section, review schema
          B. Discuss conformance profiles
          C. Any others

4:30-5:00 Present results from breakout sessions

5:00      E-mail minutes to the list

Aug 1:

9:00-9:30  Conference call (Michiharu called in)

9:30-10:15 Discuss security and privacy section

10:15-10:45 Presentation of Conformance Test Cases and discussion

10:45-15:30 Simon presented updated schema

15:30-16:45 Polar reviewed combining algorithms, added new one

16:45-17:00 Brief discussion of next steps

ACTION ITEMS:
=============
- [All, 14 Aug 2002] All input text for the "final" version of
  the specification must be submitted.  Specific action items
  called out below.
- [Simon, 1 Aug 2002] Review glossary terms: missing, update.
- [Tim, 15 Aug 2002] Finish Background section.  Add Target.
- [Simon, 14 Aug 2002] Add simple example to Example section.
- [Simon, 1 Aug 2002] Update and correct the existing examples in
  Example section.
- [Tim, 15 Aug 2002] Highlight boxes in XACML Context section to show
  which pieces are specified by XACML, and which are outside XACML
  scope.
- [Tim, 15 Aug 2002] Figure 1: update to show PDP has nothing to do
  directly with the PIP.  Replace "PDP" in the figure with a "context
  constructor" or something like that.  PDP interacts only with the
  "context constructor".
- [Bill, 1 Aug 2002] Check UML-ness of Figure 3 (Tim to give Bill a
  software copy), and update it.
- [Tim, 15 Aug 2002] Figure 3: add switch under "condition" so it can
  take function or attribute.
- [Tim, 15 Aug 2002] Section 4: label two "Target" sections
  appropriately (one is for Rule, other is for PolicyStatement).  Make
  it clear that, regardless of how target is generated, evaluation of
  policy is the same.
- [Simon, 15 Aug 2002] For each Policy syntax element, specify how PAP
  deals with it and how PDP deals with it.  Information needed to
  implement the semantics of the element correctly.
- [Bill, 2 Aug 2002] Generate XML Spy representation from the
  schemas.  We will make this available separately from the
  schema and specification documents.
- [Michiharu, 14 Aug 2002] Update SAML Profile XSLT, including how to
  put Obligations into a SAML 1.0 AuthorizationQueryResponse.
- [Hal, 14 Aug 2002] Add IPR section (required by OASIS).  Discuss
  IBM's claimed IP on obligations.
- [Anne, 14 Aug 2002] Update "XACML extensibility  points" to make
  sure it includes anything needed for J2SE extensions.
- [Hal, 14 Aug 2002] Write paragraph on pitfalls of negative rules for
  the "Security and privacy" section.
- [Don, 14 Aug 2002] Write up "threats" for "Security and privacy"
  section.
- [Michiharu, 14 Aug 2002] Generate XSLT to convert a Response into
  the minimal form used by Conformance Test cases (i.e. remove
  any comments, Status)
- [Anne, 14 Aug 2002] Generate list of schema elements, combining
  algorithms, identifiers, functions, arranged by Section # for
  Conformance section of document.  Each specified as mandatory or
  not.
- [Tim, 14 Aug 2002] Fold Background references into document
  references section.
- [Daniel, 14 Aug 2002] Provide editor with Appendix specifying
  semantics, operand datatypes, and result datatype for each function.
  Constraints: consistent with approved proposal for issue#59.
- [Michiharu, 14 Aug 2002] Provide usage examples for XPATH.
- [Michiharu, 14 Aug 2002] Provide usage examples that explain use of
  XPATH with namespaces.
- [Hal, 14 Aug 2002] Word document describing usage of each defined
  XACML identifier from list produced at F2F.
- [Hal, 14 Aug 2002] Clarify Security and Privacy to say that, as part
  of the validation of signatures on policies, the validation should
  ensure that the issuer listed for the policy refers to the same
  entity as signer of the policy.
- [Hal, 14 Aug 2002] Eliminate description of RuleDigest and
  RuleDesignator.  We no longer support those.
- [Hal, 14 Aug 2002] Find out proper value for XPathVersion: i.e. is
  there a URN?  Currently using
  http://www.w3.org/TR/1999/REC-xpath-19991116
- [Anne, 21 Aug 2002] Conformance Tests:
  1) Use 3-4 digit test case numbers for alphabetical ordering
  2) Remove "conforming PAPs" section
  3) Clarify that this is tests for a PDP "successfully using" XACML
  4) Update "Conformance Requirements" section to point to the
     specification.
- [Anne, mid-Sept 2002] Get comments to Tim on profile for using LDAP
  to store policies.
- [Simon, 7 Aug 2002] define container that extends SAML Assertion to
  hold Policy or PolicySet.
- [Anne, mid-Sept 2002] Update XML Digital Signature profile.
- [Anne, mid-Sept 2002] Send proposal for SAML changes based on our
  Context to XACML TC list.  After TC review and modification, we
  will send it on to SAML.  Deadline for this is SAML's deadline for
  finalizing their list for 2.0.

DECISIONS
=========
- Keep structure of the specification document the same:
  with sections labelled Non-normative or normative.  Don't split
  these out into separate documents.
- Generate XML Spy representation of schemas, but publish this on the
  web site as a separate document.
- Use only global element references and global type definitions in
  the schema.  Example: Use <xs:element
  ref="xacml:PolicySetStatement"/>, rather than <xs:element
  name="PolicySetStatement" type="PolicySetStatementType"/>.  Naming
  convention: if element is "X", type is "XType".  Advantages:
  o consistency for readers of the schema.
  o can omit qualified elements and attributes.
  o makes sure names of elements stay same when type is same.
- Put function names and legal type combinations (Section 6) in an
  appendix.
- Put identifiers (Section 8) in an appendix.
- Put combining algorithms (Section 9) in an appendix.
- Definition: XACML Profiles = a way of using XACML within a
  particular application context.
- Remove LDAP profile.  We did not agree on this profile as
  described.  Note: current LDAP profile is "how to use LDAP to
  retrieve ID references in XACML", not "how to use XACML to implement
  LDAP access control"
- Conformance Tests: define "conformance" as taking a Request
  "consistent with" the specified Request.xml document, and
  taking the specified Policy.xml document, must produce a
  Response "consistent with" the specified Response.xml document.
  "Consistent with" means must be capable of (at least
  theoretically) being converted algorithmically to the specified
  Request.xml or Response.xml document.
- "Successfully using" goal is that all mandatory-to-implement
  functionality be implemented and testable.  But, if don't have 3
  fully compliant implementations as we get close to Sept.1, we can
  redefine "successfully using" as a subset.
- Remove "Conformance Test" description of "conformant PAP": we
  can't guarantee that all outputs of a PAP are conformant with
  the schema.
- Status of commitments to implement XACML by Sept. 1: Simon
  (OverXeer).  CrossLogix can't commit to be compliant by
  Sept. 1.  Reuters is implementing, but we don't know if they
  can commit for Sept. 1.  Carlisle will contact Reuters to see
  if they will commit.  Michiharu (IBM) will do his best, but
  can't commit.
- Acknowledgements section will include only voting members as of time
  of approval as an OASIS Committee Specification.  Contributors list
  will include all voting members during the period of specification
  development.
- If we do not have 3 implementations by Sept. 1, will still vote
  to make specification a Committee Specification, but wait for
  next window to submit to OASIS.  Meanwhile implementations can
  continue to progress.  OASIS is considering revising rules so
  that submissions can be made more frequently than every three
  months.  Note: current OASIS rules on handling new issues that
  come up after submission to OASIS are awkward, and are also under
  review.
- Add section to document for "Future work items".  Not commitments,
  just "topics we are considering".
- Eliminate RuleDesignator.  External rules may no longer be included
  by reference in a policy.  If you want to use external "rules", make
  the rule the only rule in a policy and refer to the policy by
  PolicyId in a policy set.
- In PolicySetStatement, remove element "PolicySet": just use a CHOICE
  of PolicySetStatementId, PolicyStatementId, PolicySetStatement,
  PolicyStatement, 0..inf.
- Change PolicySetStatement to "PolicySet"
- In PolicyStatement, remove element "RuleSet": just use a CHOICE of
  Rule, 0..inf.
- Change PolicyStatement to "Policy".
- Make PolicySet collection of policies a sequence 0..inf of choice
  between Policy and PolicySet.
- Change name <Function> to <Apply>.
- Support for sub-elements and sub-decisions in hierarchical resources
  is not mandatory.  Support for Scope attribute is not mandatory.
- We are providing a normative way for specifying multiple results in a
  Response, each applying to a specific resource.  We are not
  providing a normative way to generate multiple results.
  Michiharu has a proposal for a way of generating multiple
  results for XML resources, but we have not approved the
  proposal as normative.
- Decide on Thursday, 8 Aug, 2002 whether to go to
  every-other-week TC meetings.
- Committee meeting will occur on Monday, 5 Aug 2002.  Anne, Tim,
  and Carlisle will not be able to attend.  At least Hal and
  Simon will attend.
- From now on, schema will change only if it is broken.  There will be
  no new functionality, no name changes.  Any changes require a TC
  vote to be accepted.
- Polar will e-mail final text for Combining Algorithms by 7 Aug 2002.
- At TC meeting on 8 Aug 2002, start going through TC Issues document
  to close or defer all open issues.
- The DSML Profile is normative, but not mandatory to implement.  If
  you retrieve attributes from a repository, you MUST use DSML
  attribute identifiers.
- Profile for using SAML and XML Signature as envelope for Policy and
  PolicySet will describe how to use XML DSig to sign referenced
  policies as well as the referencing document.  SAML's use of
  XML Signature currently would not allow referenced policies to be
  signed along with the referencing document.
- All profiles can be done independently of the XACML
  specification, and need not depend on the schedule for the XACML
  specification.  TC members are invited to propose profiles to the TC
  via the mailing list.  Examples: LDAP Profile, SAML Profile,
  X509 Envelope for Policy and PolicySet, 

NOTES ON LDAP USAGE FOR RETRIEVING POLICIES AND POLICYSETS
==========================================================
[slides presented by Tim]

- Should we assume PDP has at least a "template" PolicySetStatement
  that specifies its PolicyCombiningAlgorithm?  Then the PDP (or PRP)
  queries policy repository with Request Target information and
  constructs the PolicySet.  Same could apply for constructing a
  Policy from Rules in a repository.
- Basic issue for either is how to translate Request context
  information into an LDAP query that corresponds to Target
  information.
- PAP has to process each PolicyStatement to create index to PolicyIds
  from Subject/Attribute, ResourceAttribute, and Action elements in
  PolicyStatement Target.  Attributes are indexed based on being in
  the Target, not based on potential inclusion in a Context.
- AttributeValue must be string?  No.

--- End Message ---

