Subject: updated minutes from Sept 18 2003 meeting
In Attendance: Anne Anderson, Steve Anderson, Michiharu Kudo, Hal Lockhart, Tony Nadalin, Seth Proctor, Frank Siebenlist

Quorum was reached.

Hal started by addressing some administrative issues:

1. Called the group's attention to the new TC process, which has been approved. Of particular interest is the 20% requirement for standard approval (SAML 1.1 barely got 10%), though this is likely to change. Also, the attestation rules were changed so parties must be satisfied with IPR.

2. We approved the revised minutes from the September 4th meeting.

3. Bill and Hal will both be unavailable for the October 2nd meeting, so a temporary chair is needed. Anne Anderson volunteered.

4. We agreed that the F2F will be October 20th (starting at noon) to October 22nd (ending at noon) at BEA in San Jose. Note that SAML will be meeting later that week, though not at BEA.

ITU Submission:

Hal met two weeks ago with Karl Best and ITU reps. The ITU is interested in SAML and XACML, but only in specifications that have gone through the full process (i.e., are ratified OASIS Standards). The ITU will not change the content of the specifications that they take, and they will automatically take follow-on versions. OASIS can submit XACML 1.0 if they like, but they wanted feedback from the TC first.

Tony asked what the value is, and the answer was that XACML becomes a formal ITU spec, which makes it available to a number of groups (especially in government). It also gets more people to review the spec and provide comments. Tony asked how we incorporate those comments, and the answer was that we try to get them into 2.0.

Hal raised the issue of what to submit (which was discussed on this list previously), and suggested that we go with 1.0 now and then figure out what else we'd like to push (i.e., 1.1 versus 2.0; ratifying 1.1 may be hard simply because we may not have 3 attestations). Frank asked how long the process will take. Hal said we don't know, since this is all new.

Tony commented that this creates duplicate copies that have to be maintained, and wondered if we could address the question of groups that can't use OASIS specs rather than duplicating the XACML specs. Hal asked for a motion, and Anne moved that we submit 1.0. There were 6 yes votes with Tony abstaining. We will submit 1.0.

Results of SAML/XACML F2F:

Anne presented the results of the work done at the SSTC F2F. We went in with 6 requirements for query/response and 5 other requirements. Anne has sent out updated requirements and what the SSTC accepted:
http://lists.oasis-open.org/archives/xacml/200309/msg00039.html

In a nutshell:

1. Send XACML request and response in SAML query and response (respectively). This doesn't extend SubjectQuery.

2. Return the XACML request as part of the decision, and have a flag in the query to ask for this. The request returned may not be the original request, but it must contain all attributes from the initiating request that were used in processing.

3. Include in the query a way to specify if the PDP is allowed to fetch attributes from other sources. This item was dropped.

4. Associate a datatype with the issuer (this was moved to the general requirements section). This led to a side discussion about the issuer and signer in SAML, and how they can be different people (which is apparently not uncommon).

5 & 6. Include a policy in a response's condition, so you can say "deny unless the condition is true", and then include that policy in a query. These items were dropped. It's really about delegation, which we're not covering yet, and the other use cases have been covered.

There was a follow-on discussion about Status Codes, where they should be included, and whether they should be optional. Hal will write a proposal for a 2.0 work item on this.

General: better correspondence between SAML and XACML attribute formats, and a new SAML PolicyQuery. On the first topic, Rebekah Lepro will submit experiences and Anne will post to the SSTC list about the rationale for the XACML format; some SAML folks like the XACML format more. On the second topic, there is general agreement to do it, but it's unclear where the work should be carried out (Hal tried to push this point at the F2F, with little success, but he has a SAML work item for this; the XACML group may write up a proposal).

4 Remaining Open Issues: status codes, which namespaces should be used for which tasks, attribute naming formats, and whether Obligations should be in the XACML response or in SAML (on this last point Hal thinks he inadvertently caused confusion, so he will clarify to the SAML folks that Obligations should be in the XACML response, and Michiharu agrees this is the right relationship).

Final Discussions:

Hal suggested that there are different kinds of delegation: admin (e.g., who can write a policy), which we're already covering, and limited (rights delegated from one user to another) or impersonating (one person takes on the identity of another) delegation, which policies can already handle. He suggested that there may be issues supporting delegation in SAML, but that at the XACML level we may already be addressing all the key issues. Anne has been writing something on this topic which she will send around.

We were reminded that all proposals must be written by the F2F, so if you own a 2.0 item, get your writeups posted. Also, Frank reminded us that there's now an OGSA Authz group in the GGF, and anyone interested should subscribe to the list. Finally, Hal said that the focus group meetings would be used for complex 2.0 items, and that the next regular meeting is the last before the F2F, so an agenda should be drafted soon.

seth

After the meeting we learned that the requirement for approval has been changed to 15%. Also, the attestation rules have not changed.