Subject: XACML 2.0 Work Items, V1.5
Title: XACML 2.0 Work Items
Version: 1.5
Updated: 03/08/12 (yy/mm/dd)

1. Grid Requirements
   Any XACML changes needed to satisfy Grid requirements.
   STATUS: Abstract Work Item. As specific changes are identified, they will become individual work items with their own numbers, listed here. Current specific work items: #2,3,4,16,17,29,30,31,32,33,34,35
   CHAMPION: Frank Siebenlist

2. Location Information
   Way to pass location information needed to evaluate a policy. Examples of such information are:
   o where to find various Attributes,
   o where Attribute Authorities to be used are located,
   o where to find function, combining algorithm, data-type, Attribute parsing code.
   Such information might be embedded in either of
   a. an XACML Request
   b. an XACML policy
   STATUS: potential work item. Related: #1,24.
   CHAMPION: Anne Anderson

3. Multiple Actions per Request
   Support Requests containing multiple Actions. Response could either say "All permitted/denied" or could include a separate decision for each.
   STATUS: potential work item. Related item #1.
   CHAMPION: Anne Anderson

4. Multiple Resources per Request
   Support Requests containing multiple Resources. Response could either say "All permitted/denied" or could include a separate decision for each.
   STATUS: potential work item. Related item #1.
   CHAMPION: Anne Anderson

5. Privacy Requirements
   Any XACML changes needed to satisfy Privacy requirements.
   STATUS: Abstract Work Item. As specific changes are identified, they will become individual work items with their own numbers, listed here.

6. Domain-specific identifiers
   Define a set of domain-specific identifiers based on application usage of XACML.
   STATUS: Postponed from 1.1.
   CHAMPION: Michiharu Kudo

7. ConditionReference
   Allow a Rule to contain a ConditionReference element as an alternative to a Condition element. The ConditionReference would identify a Condition element specified elsewhere. An optional ConditionId attribute would be added to the Condition element to support this.
   STATUS: Postponed from 1.1.
   PROPOSAL: http://lists.oasis-open.org/archives/xacml/200304/msg00039.html
   CHAMPION: Michiharu Kudo

8. RuleIdReference
   Define RuleIdReference analogous to PolicyIdReference and PolicySetIdReference.
   STATUS: Postponed from 1.1. Related item #19.
   PROPOSAL: http://lists.oasis-open.org/archives/xacml/200305/msg00004.html
   CHAMPION: Anne Anderson

9. Hierarchical entities
   How to express policies and requests that apply to a hierarchy of subjects, resources, or actions.
   STATUS: Postponed from 1.1. Related item #25.
   PROPOSALS:
   http://lists.oasis-open.org/archives/xacml/200304/msg00057.html
   http://lists.oasis-open.org/archives/xacml/200305/msg00009.html
   CHAMPION: Simon Godik, Anne Anderson

10. Parameters for Combining Algorithms
   Support an element or attribute in a PolicySet, Policy, or Rule that provides parameters to be used by a Combining Algorithm that is combining the PolicySet, Policy, or Rule.
   STATUS: Postponed from 1.1.
   PROPOSAL: http://lists.oasis-open.org/archives/xacml/200305/msg00014.html
   CHAMPION: Michiharu Kudo

11. XACML Extension Points
   Define schema extension points for XACML. This work item might solve the requirements driving several other work items.
   STATUS: potential work item.
   CHAMPION: Simon Godik

12. Environment Element in Target
   Allow the Target Element to include an Environment element, just as it now includes Subject, Resource, and Action elements.
   STATUS: Postponed from 1.1.
   PROPOSAL: http://lists.oasis-open.org/archives/xacml/200305/msg00012.html
   CHAMPION: Michiharu Kudo

13. Optional Target Elements
   Make Subjects, Resources, Actions elements optional in a Target. Missing element has same semantics as <Any.../>.
   Make Target itself optional. Missing element has same semantics as a Target containing <AnySubject/>, <AnyResource/>, <AnyAction/>.
   STATUS: potential work item.
   CHAMPION: Anne Anderson

14. Signature envelope requirements
   Any new XACML work items to meet requirements for signature envelopes around an XACML schema instance, such as including an XACML Policy or Request in a signed SAML Assertion.
   STATUS: Abstract Work Item. As specific changes are identified, they will become individual work items with their own numbers, listed here.

15. Encrypted XACML schema instance requirements
   Any new XACML work items to meet requirements for encrypted XACML Policy or Context schema instances.
   STATUS: Abstract Work Item. As specific changes are identified, they will become individual work items with their own numbers, listed here.

16. XACML Policy in SAML Response Conditions
   Profile uses of XACML Policy instances as a syntax for specifying Conditions in a SAML Response.
   STATUS: potential work item. Related to item #1.
   CHAMPION: Anne Anderson

17. XACML Policy in SAML Request Conditions
   Profile use of SAML Conditions element as a way for a PEP to pass an XACML Policy to be used by the PDP in evaluating the Request.
   STATUS: potential work item. Related item #30,1.
   CHAMPION: Anne Anderson

18. Obligations in Rules
   Allow Rule to contain Obligations.
   STATUS: Postponed from 1.1.
   PROPOSAL: http://lists.oasis-open.org/archives/xacml/200305/msg00011.html
   CHAMPION: Michiharu Kudo

19. Rule as lowest administrative unit
   Allow a Rule to be the lowest administrative unit for XACML. Probably required to support RuleIdReference.
   STATUS: potential work item. Related item #8.
   CHAMPION: Anne Anderson

20. Non-normative XACML interpretation guide
   Rationale, examples, possible implementation models; general information that would help XACML users know the intent of the XACML TC for the use of XACML elements.
   STATUS: potential work item. Probably parallel to XACML 2.0.

21. Non-normative XACML Primer
   Primer for XACML usage.
   STATUS: potential work item. Probably parallel to XACML 2.0.

22. time-in-range function
   Provide a function for comparing that a time of day is between two other times of day.
   STATUS: potential work item.
   PROPOSAL: http://lists.oasis-open.org/archives/xacml/200307/msg00044.html
   CHAMPION: Seth Proctor

23. Use XQuery comparison functions for date, time, dateTime
   Allow date, time, and dateTime functions to handle comparing a value with no time zone with a value with a time zone.
   STATUS: potential work item.
   PROPOSAL: http://lists.oasis-open.org/archives/xacml/200307/msg00044.html
   CHAMPION: Seth Proctor

24. Define a schema for function declarations
   Define a schema for declaring the signature of a function. Probably needed with #2 if #2 includes finding parsing and evaluation code for new FunctionIds.
   STATUS: potential work item. Related: #2.
   CHAMPION: Daniel Engovatov

25. Function for comparing file system pathnames
   Define a function for specifying and comparing file system pathnames used in resource-id. Possibly new DataType also.
   STATUS: potential work item. Related item #9.
   CHAMPION: Anne Anderson

26. Define policy reduction (partial evaluation) of a policy
   Define a process for reducing a policy based on known information, leaving only the unresolved predicates.
   STATUS: potential work item.
   CHAMPION: Anne Anderson

27. Version number element or attribute in an XACML policy
   Some way of indicating the version of a policy having a particular XACML policy id, and a way of placing version constraints on a policy reference.
   STATUS: potential work item.
   CHAMPION: Seth Proctor

28. Define "current time/date/dateTime" during policy evaluation
   Specify whether time/date/dateTime are constant over a policy evaluation.
   STATUS: potential work item.
   PROPOSAL: http://lists.oasis-open.org/archives/xacml/200308/msg00006.html
   CHAMPION: Seth Proctor

29. Policy Authority Delegation
   The ability to associate a PDP with a particular target domain, and not just with a particular target subject, resource, and action.
   STATUS: potential work item. Related item #1.
   PROPOSAL: #1 in http://lists.oasis-open.org/archives/xacml/200308/msg00008.html
   CHAMPION: Frank Siebenlist

30. Passing of explicit policy-set/policy/rule in the Authorization Decision Query
   This is the same as #17, except that it is more general (i.e. policy from PEP not necessarily passed in SAML Conditions), and also explicitly states that the authority to specify the policy to use has been delegated to the PEP.
   STATUS: potential work item. Related item #17,1.
   PROPOSAL: #2 in http://lists.oasis-open.org/archives/xacml/200308/msg00008.html
   CHAMPION: Frank Siebenlist

31. Attribute Issuer as Subject
   The current attribute issuer type is a string. This restriction doesn't allow one to easily point at an issuer as Subject, and it doesn't allow for any path validation that goes more than one level deep. By allowing an attribute issuer of type subject, one could cater for more complex use-cases that involve policy delegation.
   STATUS: potential work item. Related item #1.
   PROPOSAL: #3 in http://lists.oasis-open.org/archives/xacml/200308/msg00008.html
   CHAMPION: Frank Siebenlist

32. Standardize naming to specify policy rules for the requestor's authorization policy
   Provide way to specify whether the requestor's policy allows the service provider to service the request, possibly by defining "provider-subject" SubjectCategory.
   STATUS: potential work item. Related item #1.
   PROPOSAL: #4 in http://lists.oasis-open.org/archives/xacml/200308/msg00008.html
   CHAMPION: Frank Siebenlist

33. XACML wsdl/porttype definition for <Request>/<Response> exchange
   Abstract the decision request and response messages between the context handler and the PDP into a wsdl/porttype definition.
   STATUS: potential work item. Related item #1.
   PROPOSAL: #5 in http://lists.oasis-open.org/archives/xacml/200308/msg00008.html
   CHAMPION: Frank Siebenlist

34. porttype/operations to ask for required attributes
   Allow a requester to query the resource's authorization policy for the required attributes for a Target such that it "knows" which ones are missing and would have to be retrieved and presented with any request.
   STATUS: potential work item. Related item #1.
   PROPOSAL: #6 in http://lists.oasis-open.org/archives/xacml/200308/msg00008.html
   CHAMPION: Frank Siebenlist

35. Standardize primitives to express policy to reveal missing attributes
   The returning of the missing attribute info is sensitive information and should itself be subject to policy.
   STATUS: potential work item. Related item #1.
   PROPOSAL: #7 in http://lists.oasis-open.org/archives/xacml/200308/msg00008.html
   CHAMPION: Frank Siebenlist

-- 
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
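As an added example, not part of this post or of the TC's proposals: a Python sketch of the time-in-range function requested in item 22, together with the zone-less versus zoned comparison raised in item 23. The wrap-past-midnight rule follows the semantics XACML 2.0 later adopted for time-in-range; CONTEXT_TZ is a constructed stand-in for the PDP's environment time zone, which the post does not specify.

```python
from datetime import time, timedelta, timezone

# Constructed stand-in for the PDP's environment time zone (hypothetical;
# the post names none). Applied to time values that carry no zone.
CONTEXT_TZ = timezone(timedelta(hours=-5))


def parse_xacml_time(lexical: str) -> time:
    """Parse the xs:time lexical form XACML uses for its time data type,
    e.g. '09:30:00', '09:30:00Z' or '09:30:00-05:00'."""
    return time.fromisoformat(lexical.replace("Z", "+00:00"))


def _utc_seconds(t: time) -> int:
    """Seconds from midnight, normalised to UTC.

    A zone-less value is interpreted in CONTEXT_TZ so it can be compared
    with a zoned value (item 23); without a fixed rule the comparison is
    undefined and a policy may silently evaluate differently per PDP."""
    offset = t.utcoffset()
    if offset is None:
        offset = CONTEXT_TZ.utcoffset(None)
    local = t.hour * 3600 + t.minute * 60 + t.second
    return int(local - offset.total_seconds()) % 86400


def time_in_range(t: str, lower: str, upper: str) -> bool:
    """time-in-range (item 22): True when t falls within [lower, upper].

    If upper precedes lower the range wraps past midnight, so a policy
    window of 22:00 to 06:00 admits 23:00 as well as 02:00. All three
    values are compared on the UTC timeline, so mixed zones are safe."""
    x, lo, hi = (_utc_seconds(parse_xacml_time(v)) for v in (t, lower, upper))
    if lo <= hi:
        return lo <= x <= hi
    return x >= lo or x <= hi
```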