OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: version II of Amended minutes of XACML TC meeting of May 1, 2003


This version of the minutes is unchanged from the original amended minutes except that Anthony Nadalin has been added to the list of attending members.




May 1, 2003 XACML TC Concall Meeting Minutes

(voting members)
Carlisle Adams, 
Michiharu Kudo, 
Anne Anderson, 
Steve Crocker,  -- scribe
Simon Godik, 
Bill Parducci, 
Hal Lockhart, 
Steve Anderson, 
Daniel Engovatov, 
Tim Moses,
Anthony Nadalin. 

(prospective member)
Frank Siebenlist

scribe: Steve Crocker

Quorum was reached.  Meeting brought to order.

1) Hal reported on his talk at the Network Applications Consortium
(NAC) Spring Meeting.  NAC is a meeting of senior technical people
(architects, etc.).  Organizations may not join so marketing 'spin' is
kept to a minimum. This year's two day meeting was centered around the
theme of moving authorization into the infrastructure.  Three real
world scenarios were posed to six vendors, of which Hal was the one
who covered XACML and SAML.  The vendors spoke on the topic of how
their products would address the three scenarios.

A lot of interest was shown in the standardized access control
languages.  Some discussion took place on what level of granularity
should be covered by WAM (Web Access Method?) products.  Vendors
tended to a course grain approach, Hal advocated a fine grain use.

Hal reported the Burton Group lead a discussion on standardized API's
for authorization at NAC.  That led to a brief discussion in our phone
meeting on api's.  Mention was made of GARP API, the Open Group API,
SAML authorization decision request as an API, and the Global Grid
Forum.  Frank said he worked in the same group as Cliff Newman of the
GARP API but more promise now lies with the Global Grid Forum.  Frank
is going to send pointers and summary information on the Grid api
system and its concentration on port types.

In summary, Hal reported that there was a "large appetite" for
something like XACML and over the couple few years we can look forward
to wide adoption of XACML.

2) Carlisle led us through a run down of the XACML 1.1 work items
listed in the April 17th meeting notes.

Item A:  Fully specify hierarchical resources

      Simon got no feedback yet on his writeup.  Comments from Seth
      Proctor got waylaid but will be forwarded by Anne.  Simon and Hal
      clarified that the intended use of hierarchical resources is in the
      specification of a policy's target (e.g. this policy applies to all
      objects under this node in a tree), not in the specification of a
      request (e.g. a single request can not ask for authorization of an
      action for all objects under a node in the tree).

      Carlisle reminded us we have set a May 29 deadline for agreement on
      solutions to the work items.
Item I: Add an ID Attribute so can reference elements easily for
        use with Digital Signatures

      Simon proposes an XPath ID type as a candidate for this attribute
      type.  He is proposing changing the an anyURI type to a type ID.
      There was some discussion about issues of signing a policy when the
      policy contains references to XML.

Item B:  Deterministic algorithm for combining obligations
Item G:  Obligations in Rule Element

      Michiharu-- items B and G are not yet done.  On item G, he wants to
      hear more on extensions to obligations.

Item E:  Condition References
Item F:  Properties for Conditions

      Michiharu-- first proposals for these items have been posted.

Item C:  References to Rules.

      Anne will repost the proposal for more comments.  It seems to
      have been lost in the flurry.

Item H:  Define any elements needed in the XACML schema for use by
         a Digital Signature envelope for XACML

      Anne stated that this is dropped, the SAML attribute is sufficient.
      Simon and Anne had a discussion on why then do we need the ID
      attribute (Item I)?

      Anne-- When you sign the top policy in SAML, you need references to
      the policies.
      Simon-- The example in the Digital Signature document shows you how to
      sign with a manifest.
      Anne-- The issue is that when dereferencing a policyID, you may get a
      different policy.

      Various opinions on whether or not digital signatures were too complex
      to be widely adopted and useful were briefly discussed.

3) Work Items beyond XACML 1.1

    a)  Approaches for Policy combination, reduction and compilation.

      The comments by Maryann Hondo and Tony Nadalin have not been received.
      General consensus (no vote) was obtained that we've agreed to the
      high level architecture of this proposal and we'll move forward with
      fleshing out the details.  Tim discussed his writeup in terms of three
      1) version 4 of the use cases.
      2) an algorithm for combining/merging policies into one policy.
      3) a map from WSDL services and ports to XACML components. (see the
      attachment to Tim's mail of 4/22/03.
      Tim explained the mapping from WSPL to XACML briefly as summarized
      A WSDL service or port maps to an XACML PolicySet (PS) with a
      resource specifying the service or port and an action specifying the operation.
      Each aspect of policy for the service or port maps to a distinct Policy under
      the PS.  E.g. reliable-messaging maps to one policy, cryptographic
      security to another policy and privacy to a third policy.  These
      policies are included in the PS as a conjuction (by a deny-overrides
      algorithm).  These policies combine their rules as a disjuction (using
      a permit-overrides algorithm).  The condition in each rule must be a
      conjunction of predicates.
      Feedback was it will need to be more readable, perhaps by starting
      with an example.
      The version of WSDL referenced needs to be clearly stated as there are 
      some significant changes between the last and next versions of WSDL.
      A target date was set for when we vote for submission of this spec as
      a standard.  We'll vote on it at the last general body meeting in September.

Meeting was adjorned.

Next weeks focus group adjenda is a return back to 1.1 work items. Namely:
1) Hierarchical resources proposal
2) attribute ID's
3) other items.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]