OASIS Mailing List Archives

xacml message


Subject: Amended minutes of XACML TC Meeting of May 1, 2003


 

May 1, 2003 XACML TC Concall Meeting Minutes

 

Attendees:

(voting members)
Carlisle Adams
Michiharu Kudo
Anne Anderson
Steve Crocker -- scribe
Simon Godik
Bill Parducci
Hal Lockhart
Steve Anderson
Daniel Engovatov
Tim Moses

(prospective member)
Frank Siebenlist

scribe: Steve Crocker

 

Quorum was reached.  Meeting brought to order.

 

1) Hal reported on his talk at the Network Applications Consortium
(NAC) Spring Meeting.  NAC is a meeting of senior technical people
(architects, etc.).  Organizations may not join, so marketing 'spin' is
kept to a minimum.  This year's two-day meeting was centered around the
theme of moving authorization into the infrastructure.  Three real-world
scenarios were posed to six vendors, of which Hal was the one who
covered XACML and SAML.  The vendors spoke on the topic of how their
products would address the three scenarios.

 

A lot of interest was shown in the standardized access control
languages.  Some discussion took place on what level of granularity
should be covered by WAM (Web Access Method?) products.  Vendors
tended toward a coarse-grained approach; Hal advocated fine-grained use.

 

Hal reported that the Burton Group led a discussion on standardized APIs
for authorization at NAC.  That led to a brief discussion in our phone
meeting on APIs.  Mention was made of the GARP API, the Open Group API,
the SAML authorization decision request as an API, and the Global Grid
Forum.  Frank said he worked in the same group as Cliff Newman of the
GARP API but that more promise now lies with the Global Grid Forum.
Frank is going to send pointers and summary information on the Grid API
system and its concentration on port types.

 

In summary, Hal reported that there was a "large appetite" for
something like XACML and that over the next few years we can look
forward to wide adoption of XACML.

 

2) Carlisle led us through a run-down of the XACML 1.1 work items
listed in the April 17th meeting notes.

 

Item A:  Fully specify hierarchical resources

      Simon has received no feedback yet on his write-up.  Comments from
      Seth Proctor got waylaid but will be forwarded by Anne.  Simon and
      Hal clarified that the intended use of hierarchical resources is in
      the specification of a policy's target (e.g. this policy applies to
      all objects under this node in a tree), not in the specification of
      a request (e.g. a single request cannot ask for authorization of an
      action for all objects under a node in the tree).

      Carlisle reminded us that we have set a May 29 deadline for
      agreement on solutions to the work items.

Item I:  Add an ID attribute so that elements can be referenced easily
         for use with Digital Signatures

      Simon proposes the XPath ID type as a candidate for this attribute
      type.  He is proposing changing the anyURI type to type ID.  There
      was some discussion about issues of signing a policy when the
      policy contains references to XML.

 

Item B:  Deterministic algorithm for combining obligations
Item G:  Obligations in Rule element

      Michiharu -- items B and G are not yet done.  On item G, he wants
      to hear more on extensions to obligations.

 

Item E:  Condition References
Item F:  Properties for Conditions

      Michiharu -- first proposals for these items have been posted.

 

Item C:  References to Rules

      Anne will repost the proposal for more comments.  It seems to have
      been lost in the flurry.

 

Item H:  Define any elements needed in the XACML schema for use by a
         Digital Signature envelope for XACML

      Anne stated that this item is dropped; the SAML attribute is
      sufficient.  Simon and Anne then discussed why, in that case, we
      need the ID attribute (Item I) at all.

      Anne -- When you sign the top policy in SAML, you need references
      to the policies.
      Simon -- The example in the Digital Signature document shows you
      how to sign with a manifest.
      Anne -- The issue is that when dereferencing a policyID, you may
      get a different policy.

      Various opinions on whether or not digital signatures were too
      complex to be widely adopted and useful were briefly discussed.

 

 

3) Work items beyond XACML 1.1

    a)  Approaches for policy combination, reduction and compilation

      The comments by Maryann Hondo and Tony Nadalin have not been
      received.  General consensus (no vote) was obtained that we've
      agreed to the high-level architecture of this proposal and we'll
      move forward with fleshing out the details.  Tim discussed his
      write-up in terms of three items:

      1) version 4 of the use cases;

      2) an algorithm for combining/merging policies into one policy;

      3) a map from WSDL services and ports to XACML components (see the
      attachment to Tim's mail of 4/22/03).

 

      Tim explained the mapping from WSPL to XACML briefly, as summarized
      here:

      A WSDL service or port maps to an XACML PolicySet (PS) with a
      resource specifying the service or port and an action specifying
      the operation.  Each aspect of policy for the service or port maps
      to a distinct Policy under the PS; e.g. reliable messaging maps to
      one Policy, cryptographic security to another and privacy to a
      third.  These Policies are included in the PS as a conjunction (by
      a deny-overrides algorithm).  Each Policy combines its Rules as a
      disjunction (using a permit-overrides algorithm).  The condition in
      each Rule must be a conjunction of predicates.
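      The structure Tim describes can be modelled directly.  The Python
      below is an added example, not part of the minutes or of Tim's
      write-up: a PolicySet whose target is a service/operation pair,
      aspect Policies combined by deny-overrides, Rules within a Policy
      combined by permit-overrides, and Rule conditions as conjunctions
      of predicates.  The StockQuote service, its attribute names and the
      trailing catch-all Deny rule in each Policy (which makes
      deny-overrides act as a true conjunction when no alternative in an
      aspect matches) are assumptions of this example; Indeterminate
      handling is omitted.

```python
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

def permit_overrides(decisions: List[str]) -> str:
    # XACML 1.0 permit-overrides (Indeterminate omitted): any Permit wins
    return PERMIT if PERMIT in decisions else DENY if DENY in decisions else NOT_APPLICABLE

def deny_overrides(decisions: List[str]) -> str:
    # XACML 1.0 deny-overrides (Indeterminate omitted): any Deny wins
    return DENY if DENY in decisions else PERMIT if PERMIT in decisions else NOT_APPLICABLE

class Rule:
    def __init__(self, effect: str, predicates: List[Callable[[Dict[str, object]], bool]]):
        self.effect, self.predicates = effect, predicates

    def evaluate(self, req: Dict[str, object]) -> str:
        # The condition is a conjunction of predicates (an empty list always holds)
        return self.effect if all(p(req) for p in self.predicates) else NOT_APPLICABLE

class Policy:  # one aspect of the service policy, e.g. cryptographic security
    def __init__(self, rules: List[Rule]):
        # Assumption of this example: a trailing catch-all Deny rule, so an aspect
        # with no acceptable alternative vetoes the whole PolicySet
        self.rules = rules + [Rule(DENY, [])]

    def evaluate(self, req: Dict[str, object]) -> str:
        return permit_overrides([r.evaluate(req) for r in self.rules])  # disjunction

class PolicySet:  # one WSDL service/port; target = resource (service) + action (operation)
    def __init__(self, service: str, operation: str, policies: List[Policy]):
        self.service, self.operation, self.policies = service, operation, policies

    def evaluate(self, req: Dict[str, object]) -> str:
        if req.get("resource-id") != self.service or req.get("action-id") != self.operation:
            return NOT_APPLICABLE
        return deny_overrides([p.evaluate(req) for p in self.policies])  # conjunction

# Constructed sample: a hypothetical StockQuote service with two policy aspects
STOCK_QUOTE = PolicySet("urn:example:StockQuote", "GetQuote", [
    Policy([  # cryptographic security: either alternative is acceptable
        Rule(PERMIT, [lambda r: r.get("sig-alg") == "rsa-sha1", lambda r: r.get("key-bits", 0) >= 1024]),
        Rule(PERMIT, [lambda r: r.get("sig-alg") == "dsa-sha1"]),
    ]),
    Policy([Rule(PERMIT, [lambda r: r.get("rm-delivery") == "exactly-once"])]),  # reliable messaging
])

def decide(req: Dict[str, object]) -> str:
    return STOCK_QUOTE.evaluate(req)
```

      A request that satisfies one alternative in every aspect is
      permitted; a request that fails every alternative in any single
      aspect is denied, and one for another operation is not applicable.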

 

      Feedback was that it will need to be more readable, perhaps by
      starting with an example.

      The version of WSDL referenced needs to be clearly stated, as there
      are some significant changes between the last and next versions of
      WSDL.

      A target date was set for the vote on submission of this spec as a
      standard: we'll vote on it at the last general body meeting in
      September.

 

 

Meeting was adjourned.

 

 

Next week's focus group agenda is a return to the 1.1 work items, namely:

1) Hierarchical resources proposal

2) attribute IDs

3) other items.


