Re: [xacml] I have changed my mind about WSPL being in scope

[bill.parducci@overxeer.com]

While I respect Hal's position I find myself in the camp of the "simple
minded" in that I personally believe that the work done by Tim and others
(over the last six months) on the WSPL profile represents a well
structured example of XACML being applied to a practical situation (that
would be a "profile" in my world) that does not violate the spirit of the
XACML TC's charter.

As I have said on a number of occasions, I believe that specification
without application is academia and I sure hope that it is the intent of
this TC to strive for more than a mental exercise into the abstract
possibilities of access control description in XML. In more specific
terms:

"XACML is expected to address fine grained control of authorized
activities, the effect of characteristics of the access requestor, the
protocol over which the request is made, authorization based on classes of
activities, and content introspection (i.e. authorization based on both
the requestor and potentially attribute values within the target where the
values of the attributes may not be known to the policy writer). XACML is
also expected to suggest a policy authorization model to guide
implementers of the authorization mechanism."

I would be interested to know how does one "suggest a policy authorization
model to guide implementers..." without a mechanism like that proposed by
Tim for WSPL? A half dozen boxes and a few AAA model references? It is my
hope that as a group we will strive to me somewhat more relevant.

Does the WSPL profile present itself as the definitive answer to all web
services policy creation? I see no evidence of that. Is it a proposal for
how one MAY create a policy that addresses web services security while
complying with XACML policy constructs (aka "suggest a policy
authorization model to guide implementers of the authorization
mechanism")? I would say so.

Maybe I am just a naive optimist, but it seems like what we are trying to
do here with the WSPL profile is kinda the whole point of what it is that
we are trying to do here as a TC. The problem as I see it is that we
didn't change our charter or approach, but that somewhere along the line
administrivia became more important than the output of the group; I cannot
imagine this topic even being broached a year ago much less being reduced
to challenges to the oasis board and public accusations of improper
behavior. What happened?

I am not trying to attack anyone and this is not directed to any one
person, but I personally find the insistence that this specific endeavor
be directed to some sort of a new TC absurd and counterproductive. If we
don't provide an example of how XACML would work in this environment then
who would do it, some special TC dedicated to WSPL access control policy
expression (*possibly* conformant to XACML)? Is that realistic? Is it even
desirable?

I don't see the WSPL profile as an expansion of the XACML charter simply
because we are not assuming the role of sole provider of web services
policy, rather this is an example of how web services policy may be
expressed in XACML. If *that* is beyond our scope then there is something
wrong in general because I believe we will quickly find ourselves backed
into a corner whereby we will be unable to demonstrate the USEFULNESS of
our specification. Period.

I understand that we cannot have anarchy, but organizational paralysis
isn't any better and on many levels it is worse to those of us interested
in a workable standard.

b
(so much for my leave of absence :o)