
Subject: Minutes of 5 August 2004 XACML TC Meeting - REVISED


Attendees:
Bill Parducci
Anne Anderson
Hal Lockhart
Ron Jacobson
Ed Coyne
Simon Godik
Daniel Engovatov
Seth Proctor
Steve Anderson

Quorum reached.

Agenda:

I. Minutes from 8 July and 22 July meetings voted upon:

    Corrections: none
    Approved unanimously.

II. XACML XML DSig Profile - Anne

  a. Canonicalization
     PROPOSAL: rewrite the XACML XML DSig Profile to say "XACML
     RECOMMENDS encapsulating XACML schema instances in SAML Queries and
     Assertions as described in the XACML Profile for SAML 2.0, and
     signing the SAML instance according to the SAML digital signature
     mechanisms." and then listing various canonicalization issues that
     SHOULD be addressed (taken from the UDDI TC's "Schema-Centric
     Canonicalization" Committee Draft), but not make any recommendation
     about how to resolve them.

     Decision: APPROVED

  b. Signatures on referenced PolicySets and Policies

     PROPOSAL: (Go back to) allow an optional Name="Hash"
     Type="xml:hexBinary"? XML attribute in a <PolicyIdReference> or
     <PolicySetIdReference>, specified as MD5-SHA1 (or some other
     specific algorithm) for interoperability.

     Seth: the addition of the Version element allows for retrieval of a
           specific version

     Hal: Prefer using SHA1 for consistency.

     Anne: OK. Will create a profile.

     Hal: Schema change needs to be made.

     Simon: When hash is computed, do you apply canonicalization? How?

     TC: This is a non-trivial issue.

     Decision: REJECTED

III. XACML RBAC Profile - Anne

   There are issues with RBAC concerning dynamic separation of duty.
   There is a solution but it doesn't fit with current hierarchical
   model. Since the solution has been presented by a non-member Anne will
   perform a literature search to check for potential IP issues.

IV. XACML Profile for Request for Multiple Resources - Anne

   TC please review. Current version has a new scope value called
   EntireHierarchy for requesting an entire hierarchy atomically.

V. Privacy policy profile of XACML

   TC please review.

VI. XACML Profile for SAML 2.0 - Anne

   a. Need to map each of our error status cases to one of these.  Or "as
      long as there is an XACML <result>, then it is Success".
      ACTION ITEM: Anne to post proposed mappings.

   b. Decision validity period SHALL be consistent with validity periods
      of inputs to the decision.  Remaining constraints not needed.

VII. XACML Profile for Hierarchical Resources - Anne, Daniel

   PROPOSAL: Anne proposes that the XACML Profile for Hierarchical
   Resources not define a special URI for this mechanism.  If an
   implementation needs an identifier to indicate that it supports these
   Attributes, then the URIs of the Attributes themselves could be used
   for this purpose.

   Daniel: Concerned that there should be a URI so that there is some way
           to advertise the ability to support hierarchical resources.

   Hal:    there isn't a mechanism for conformance advertisement

   Anne:   that is why general URIs were added, in case revisit in the
           future.

VIII. Delegation - Simon

   Simon: Request an extension.

   Hal:   Can it be moved forward independently of v2 specification?

   Simon: Not considering an extension of the core specification
         (Issuer), so may proceed without holding up v2 progress.

IX. General Business

  a. Timing

     Hal: Tentative proposal to begin two week internal review starting
          the first plenary meeting of September.

     Simon: is there still room then for consideration of work in
            progress?

     TC: Yes.

     Simon will post a proposal for delegation ASAP.

  b. Oasis IPR Policy

     Oasis has a new Draft by the IPR policy that significantly affects
     Individual members.  TC please review to determine the effect on
     respective member organizations.

Meeting adjourned.

b
