RE: [xacml] DRAFT minutes from F2F (amended)

["Daniel Engovatov" <dengovatov@bea.com>]

I detect a loop.  :)

#29: includes #38
#30 : is related to #29 & #38 and will be discussed in the context of
these issues.
#38: Covered in #30. Deferred pending outcome of #30

Will have to check what was what we discussed (maybe third amendment of
minutes should include some brief description of the topic. :)

-----Original Message-----
From: Bill Parducci [mailto:bill.parducci@overxeer.com] 
Sent: Saturday, October 25, 2003 5:28 PM
To: XACML TC
Subject: [xacml] DRAFT minutes from F2F (amended)


F2F Meeting - Oct. 20, 2003 - BEA, San Jose

Attendance:
Frank Siebenlist
Anne Anderson
Tim Moses
Polar Humenn
Daniel Engovatov
Bill Parducci
Michiharu Kudo
Michael McIntosh
Anthony Nadalin
MaryAnn Hondo
Jacques Durand
Hal Lockhart

Reviewed Work Items:
(minutes refer to discussion topics by Work Item number)

2. Seth will now Champion for the clarified version of this WI. It
refers to information needed to configure a PDP, included either in a
Request, in a Policy, or possibly in a 3rd document type.

A new item(#41) has been created to cover generalizing classification of
entities and declaration (third schema to represent?)  Daniel will
address this by Nov. 3.

7. Proposes that condition references to be used to allow for reuse of
conditions. Limited to conditions within the same policy. Proposal is
fairly complete and is ready for review and decision.

Provide the rationale:
"reuse of conditions in Rules that may have different Targets."

8. Proposes that rule references to be used to allow for reuse of rules.
May span across policies. This implies that the rule becomes the lowest
administrative unit. This is dependent upon the decision of #19.
Decision of the group is that #19 is not needed since the use case may
be resolved having policies containing single rules. Therefore this item
is closed as well.

9. Proposes extended syntax to address hierarchical Subject, Actions and
Resources.  Concern is that it is Resource specific and that it may be
difficult to address the intricacies of any given Resource domain. It
was decided that hierarchical polices and hierarchical requests (new WI,
#42) be split apart for discussion and consideration.

10. Proposes extended syntax for Combining Algorithms to allow for the
influence of rule combination evaluation by parameters of the rules
themselves. There is general agreement on the value of this approach,
however it is not thought to be widely required. Therefore the feeling
is that this should be handled via an extension point added to the
schema. This WI is therefore closed and the topic taken up in #11.

12. Proposes environment attributes for Target. VOTE: approve as
proposed - 8 FOR, 1 Abstain (Daniel, pending discussion of function
extensions). Closed.

16. Determined that this doesn't introduce anything new to
specification. Closed.

17. Determined that this doesn't introduce anything new to
specification. Closed.

19. Closed in junction with discussion of #8.

26. Closed because there is not a strong use case for the XACML 2.0 time
frame and it would be difficult to implement due to semantic
complexities.

29. Proposes delegation of policy evaluation and combination with the
constraint that authorization assertions be passed with requests from
remote (trusted) systems. The scope of the problem is not fully
understood by the group and the proposal was made to pursue
administrative policy solutions first, then return to this issue. Also
includes #38 (placing conditionson members of the delegation chain for
operating on policies.)

30. Proposed that policy may be passed with an access request. There
isconcern that this will create issues with combinations of other
applicable policies. It has been suggested that there the use case may
be addressed by making remote PAP accessible to local PDP. This
mechanism is related to #29 & #38 and will be discussed in the context
of these issues.

35. Proposes that there is policy specifically developed to cover the
return of missing attributes in decisions with Not Applicable results.
It has been suggested that this is covered by the current specification.
Documentation that details how this may be treated in XACML needs to
begenerated.

36. Proposes that PDP have formally defined access control mechanism to
downstream PDPs. This is not consistent with what was generally
understood by the group from the original WI. There is concern that the
scope of this problem is outside of what is practically addressable in
XACML. Further clarification is necessary. This will likely tie into the
discussion of #29, #30 & #38.

37. Proposes a shorthand model for passing multiple elements. Deferred
until tomorrow (rest of group arrives).

38. Covered in #30. Deferred pending outcome of #30.

40. Proposes a general Policy Assertion and
Policy Query in SAML.  Two non-conflicting proposals: one creates an
XACML PolicyStatement and XACML PolicyQuery, while other one creates a
SAML PolicyStatement and PolicyQuery, from which the XACML-specific
forms would be derived. This will be discussed further on the e-mail
list.

+++

F2F Meeting - Oct. 21, 2003 - BEA, San Jose

Attendance:
Frank Siebenlist
Anne Anderson
Tim Moses
Polar Humenn
Daniel Engovatov
Simon Godik
Bill Parducci
Michiharu Kudo
Michael McIntosh
Rebekah Lepro
Hal Lockhart
Steve Anderson

Reviewed the discussions of Monday's meeting.

Anne provided a historical review of derivation of single attributevalue
model in current spec.

(minutes refer to discussion topics by Work Item number)

37. Based on the general belief that this proposal will not affect XPath
attribute queries, the consensus is that this item be approved pending
further clarification (cardinality & descriptive schema changes).
Rebekah will provide a first pass at the changes for the Editor.

Hierarchical authorization issues:

9. Resources - If you want to support request that specify the
resourceas a hierarchy (specifically, XML), there must be instance at
request. Wildcards are allowed in policies about hierarchical entities.

42. Requests - hierarchical resource requests MUST use the "scope"
attribute when intentionally requesting resources with subordinate
datamembers (vs. using /* in an XPath expression). Clarification is
required to define how responses for situations where hierarchical
resources without descendants are queried for descendant access.

Policy Administration:

A number of proposals were discussed, however no clear solution arose as
the majority of the session involved the expression of the requirements.

A higher order requirement proposed by Frank is the ability to evaluate
policies taking into consideration "admin" of the policy to allow for
policy chain decisions.

+++

F2F Meeting - Oct. 22, 2003 - BEA, San Jose

Attendance:
Frank Siebenlist
Anne Anderson
Tim Moses
Polar Humenn
Simon Godik
Bill Parducci
Michael McIntosh
Rebekah Lepro
Hal Lockhart
Steve Anderson
Anthony Nadalin
MaryAnn Hondo
Jacques Durand

Reviewed the discussions of Tuesday's meeting.

Anne reviewed her Administrative Policy proposal. Frank's and Polar will
post their respective AP proposals to the mailing list.

Anne & Tim proposed that the XACML TC continue its work on the current
WSPL proposal, focusing on the authorization policy constraints of
WebServices. The premise is that this work adopt/integrate the efforts
of proposed policy advertising committees as (as yet undefined in Oasis
& W3C). Until such time the group would provide examples of how this
mechanism would work; the intent of the group is that this non-normative
output would be replaced/merged with forthcoming standards in this area.

Scope of proposed work:

1. Subset of XACML suitable for describing conditions on access control
related attributes that are: (1). required for accessing a service;
(2).available for a presentation service accessor. NORMATIVE.

2. Combining subset instances from above to determine a mutually
acceptable set of access control related attributes. NORMATIVE.

3. Examples of how such instances are associated with WSDL at message,
operation port type, etc. NON-NORMATIVE.

The group decided that this scope is acceptable and that work will
continue as defined above.

Tim reviewed an approach for LDAP storage of policies to address
many-to-many PDP/PAP relationships.  The topic was also raised as to
whether remote policy requests should be considered.




To unsubscribe from this mailing list (and be removed from the roster of
the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgro
up.php.