
Subject: [xacml] XACML August 15, 2002 Minutes

Title: XACML Conference Call Minutes

XACML Conference Call

Date:  Thursday, August 15, 2002

Time: 10:00 AM EDT

Tel: 512-225-3050 Access Code: 65998



TC Call focused on reviewing submissions required for version 16 of specification. Please read the minutes and make sure you send your items to Tim before tomorrow, 8/17. Deliverables are broken out by person. All submissions to Tim for 16 should have reference to v16 in the title of the email. Also discussed the semantics of SubjectAttributeDesignator and voted to accept the proposal Simon-1. Reviewed the schema change requests from Simon and Anne and voted to accept all of them.


The next TC Call will be on 8/22. Also, during the scheduled Schema subcommittee call next Monday, 8/19, we will review the issues list since we did not get to it today.


Action Items

  1. Submit items to Tim for v16 as specified in these minutes
  2. Don to post threats for security and privacy text by Tuesday 8/20
  3. Anne and TC will look at XACML extensibility points sections again and decide if it needs to be revised
  4. Bill update UML diagrams by Friday 8/17
  5. Michiharu to provide XPATH usage examples
  6. Michiharu to convert XSLT to minimal form used for conformance cases
  7. Simon will publish 16g schema with changes voted on during call
  8. Tim will publish v16 spec Friday 8/16
  9.  [Anne, 21 Aug 2002] Conformance Tests:
    1. Use 3-4 digit test case numbers for alphabetical ordering
    2. Remove "conforming PAPs" section
    3. Clarify that this is tests for a PDP "successfully using" XACML
    4. Update "Conformance Requirements" section to point to the specification.
  10. [Anne, mid-Sept 2002] Get comments to Tim on profile for using LDAP to store policies.
  11. [Anne, mid-Sept 2002] Update XML Digital Signature profile.
  12. [Anne, mid-Sept 2002] Send proposal for SAML changes based on our Context to XACML TC list.  After TC review and modification, we will send it on to SAML.  Deadline for this is SAML's deadline for finalizing their list for 2.0.



Vote to accept minutes of F2F 7/30-8/1 passed

Vote to accept minutes of August 8 TC Call passed

Vote on subject attribute designator semantics to accept proposal Simon-1 passed

Votes to accept schema additions/revisions from Simon/Anne passed


Proposed Agenda:

10:00-10:05 Roll Call and Agenda Review

10:05-10:10 Vote to accept minutes of August 8 concall


10:10-10:15 Review of Action Items (see 8/8 minutes)

10:15-10:25 Vote on SubjectAttributeDesignator semantics (Simon)

10:25 - 10:59 Review of Issues list (Ken)

10:59 - 11:00 Next meeting? (Aug. 22 or 29?)


Roll Call

Ken Yagen, Crosslogix

Daniel Engovatov, Crosslogix

Hal Lockhart, Entegrity

Carlisle Adams, Entrust

Tim Moses, Entrust

Don Flinn, Hitachi

Konstantin Beznosov, Hitachi

Michiharu Kudoh, IBM

Simon Godik, Self

Bill Parducci, Self

Anne Anderson, Sun Microsystems

Gerald Brose, Xtradyne


Prospective Members

Steve Andersen, OpenNetwork


Steve Anderson receives voting member status following this TC Call.


Raw Minutes (taken by Ken Yagen)

10:06 Additional Agenda Items

Tim - Would like to discuss an inventory of submissions for version 16

Simon - would like to propose and vote on schema changes


Vote to approve minutes of August 8 TC Call passed


10:09 Action Items

Vote to approve minutes of 7/30 - 8/1 F2F passed

Anne has submitted a simple example in English to list

Simon has updated current example to comply with schema

Simon's proposed schema fix for AttributeIssuer - would like to understand procedure. Have a short list of proposed amendments and would like to discuss

Ken has posted Issues List 9

No issue list resolutions received


10:13 Inventory of submissions for version 16

Include version 16 in title of any emails to Tim


Identifier section will be sent by noon.

Michiharu would like a couple resource identifiers included and will send them to Hal

Hal - note about getting list or set datatype information from Daniel or Polar.

Do not need an identifier for list or set

Security Considerations will be available by close of business.

Complete IP section by end of day

Proper value for XPathVersion (URN) - current one is fine


Threats for security and privacy will be available by Tuesday. Will not be in v16.


Appendix with updated table and description will be received by end of day


Background section is complete

Highlight boxes in XACML Context section complete

Figure 1: update complete

Section 4: label two "Target" sections will be complete

Background references into document references complete

Eliminate description of rule digest and designator (was under Hal's name)


Will take another look at it today and email Tim if needs revision

Update extensibility for J2SE.

Looked over current schema in light of J2SE requirements and posted points of extensibility that are important.

Will not rewrite for this version but may take a look again at it after 16

Generate list of schema elements - did it alphabetically and posted to list 8/14


Will update UML diagram by Friday


Section 5 and 7 posted


Update SAML Profile XSLT - Will be completed by tomorrow morning

Can describe in words but to do transformation need request and response context. API does not provide two documents as input to processor.

Should we add subject information into response context to make transformation to SAML easier? Decision is to assume higher level XML document that contains both request and response context to perform transformation.

Usage examples for XPATH - not critical for 16.

Convert XSLT to minimal form used for conformance cases

Someone may produce a response with status information and want to be able to compare response to minimum required response, want XSLT that removes everything but minimum required response. Lower priority for conformance test, not for v16.


Combining algorithms were posted


10:41 Vote on subject attribute designator semantics

Three proposals from Polar, Michiharu and Simon

Proposal Simon-1: Matches always end and new element called SubjectAttributeWhere that will have a sequence of matches as children and passed to Apply Function. Has been included in the schema 16f.

Polar's proposal - recursive definition, more difficult to understand

Voted to accept Simon-1 proposal as included in 16f


10:46 Schema 16f Proposed Changes

Voted to accept change request from Anne:

Add an identifier for an Action Attribute that means that the Action to be performed is contained in or implied by the name of the Resource.

In context-16f.xsd, the AttributeValue element does not have a DataType xml attribute. 

Issue in the attribute be optional rather than required.

Spell check: "FufillOn" - Either 2 L's or 1 L is correct, but 2 L's is preferred spelling. Propose go with 2 L's.

Voted to accept change requests from Simon:

Issuer of Attribute is xs:string. URI is not appropriate.

Typo in schema. Action element reference in Target (was not a global element)

Syntax Change - PolicyIdReference, PolicySetIdReference to include other policies in policy set rather than PolicyId and PolicySetId. Currently just an URI but may want to define an element.

Typo in schema. DataType attribute for AttributeSelector

Pass <SubjectAttributeDesignator> as an argument to <Apply>. Gives more flexibility if don't care about matches. Has helped with conformance tests.



Simon can publish a 16g schema with these changes. Simon's section 5 revisions and examples includes these changes for v16 of spec.


Next TC call will meet a week from today

Schedule Issues list for Monday Call


11:00 Meeting Adjourned.
