Minutes of F2F 28-29 April (Ottawa)

[Bill Parducci <bparducci@gluecode.com>]

April 28, 2005

Attendees:
Simon Godik
Anne Anderson
Erik Rissanen
Frank Siebenlist
Tim Moses
Bill Parducci
Srinivas Sridhara
Michiharu Kudo

Nokia Use Case
-------------

Srinivas Sridhara presented a use case re: configuring device
access profiles to investigate if XACML my be capable of meeting device
access control requirements.

The core requirement is the desire that non-static access control
statements be provided to the device. This is based on the requirement
that the device not have to perform and external query for each access
request (performance purposes).

It was proposed that the device make an initial policy query, receive an
XACML policy and evaluate decisions locally. It was also suggested that
policy(set) deployment itself be protected by an XACML policy.

Since such an application (PDP/PEP on device) has a high device resource
constraint this model would likely require an optimized PDP that
provides a subset of overall XACML evaluation. This is consistent with
the very specific needs of the device.

Srinivas will notify the TC in approximately 30 days if this approach is
seen to meet the Use Case requirements sufficiently to warrant further
investigation (possibly a "mobile profile", etc.)


Delegation/Administration
------------------------

The group first began a discussion aimed at creating a common
syntax/framework from which to build the model moving forward.

Erik reviewed his proposal (based on XACML v1.1)

<Policy>
  <Issuer="moo">
   <Target>
    <Subject>alice</>  **Situation
    <Action>read</>    **Situation
    <Resource>X</>     **Situation
    <Delegate>foo</>
   </Target>

Syntactically the above reads: "moo SAYS foo SPEAKS on Situation"
(matching the Subject/Action/Resource).

alternatively:

"moo DELEGATES foo to SPEAK on Situation" (matching the
Subject/Action/Resource).

Frank reviewed his proposal (and will post notes to list). Erik raised a
concern that Delegatee constraints may break this model. Simon suggested
that this is not the case. Further discussion tabled following review of
Tim's proposal.

Tim presented his proposal (pseudo code example).

The general consensus is that there will not be NEGATIVE
_administrative_ policies.

<<lunch>>

Frank reviewed key points from his delegation proposal:

1. Attribute Sets in Request Context - there must be a Request Context
    processing step that resolves delegation.

    Erik, Anne suggest that this may be handled by an extended Subject
    attribute ("Delegate") and processed in the Context Handler.

    Simon, Frank proofer that this is not possible because the
    relationship between Issuer and Subject is unknown in the Context
    Handler w/o resolution so Issuer/Subject.

    All agree that Delegatee must be defined in the Policy Target.

2. Issuer in Policy NOT xacml:AttributeValueType

    Frank suggests that this format be the same as that for the Request
    Context: xacml-context:AttributeType. this lead to the proposal for
    "wiring" Issuer attributes into the Request Context.

3. Leave Target elements free - define "context semantics"

    Frank reviewed his concept of the SuperRequestContext where Issuer
    attributes may be wired into the Request Context. This initiated a
    discussion on generalizing Target semantics based on the need for
    creating Delagatees and issues with Subject Categories.

4. PDP reference as Policy - how?

    How can a Policy refer to an external PDP for evaluation? Frank
    offered the creation of an EPR (End Point Reference) that is
    policy that is processed using normal target matching mechanisms, but
    resolves uri (which would be passed the appropriate attributes and
    then would return a result).

5. Policy statements in separate envelope in Request Context



6. alpha-id "issue" - do we need "real" identity attributes?

    xacml-context:Issuer must have one or more Identity Attributes (vs.
    "non-Identity" Attributes).

    Erik suggested that Identity Attributes could be handled by
    differentiation in the global definition of the SuperRequestContext
    w/o differentiating Attribute types.

    Anne proposed the following structure for the Attribute List:
    "urn:oasis:xacml:tc:attr:identity"
     <AttrList>
       <Attribute AttributeId="foo" DataType="x500Name">
         cn=Anne,o=sun
       </Attribute>
       <Attribute AttributeId="foo:role">
        <AttributeValue>X</AttributeValue>
       </Attribute>
       <Attribute AttributeId="foo:identity">
        ...
    </AttrList>

    <Policy>
     <Issuer>
       <Attribute AttributeId="foo" DataType="x500Name">
         cn=Anne,o=sun
       </Attribute>
      ...

7. Maximum delegation depth passed in Request Context
    Frank proposed that the maximum delegation depth should be passed in
    the Request Context and back.

8. Alternate Owner-Policy-Statement to determine sentinel

    Frank proposed that the anchor point authority for PDPs are
    independent.

9. Backwards compatibility?
    Frank asked if there be a mapping of XACML 2.0 Request Context to the
    structures being discussed now?

10. Obligations
     Obligations are not considered as part of Administration Policies
     until such time as a Use Case is presented.


A discussion on the timing and dependencies of the Delegation,
Administrative and Generalization discussions lead Anne to propose that
XACML 3.0 be composed of a core specfication and separate extension
specfications be developed for Generalization and
Delegation/Administration. There was general consensus for this, but it
will require three concurrent documents to be edited. Tim has therefore
asked for editorial support. Erik offered that he would have time to
work with the Delegation spec after two weeks.

<< call made to bridge line - 4:00pm EST>>

Erik reviewed his propsoal for Delegation Constraints.

{Admin Policy}
<Issuer>Alice
  <Target>
   <Subject>
   <Action>
   <Resource>
   <Delegate>Bob</>
  </Target>

{Admin Policy}
<Issuer>Bob
  <Target>
   <Subject>
   <Action>
   <Resource>
   <Delegate>Charlie</>
  </Target>

{Access policy}
<Issuer>Charlie
  <Target>
   <Subject>
   <Action>
   <Resource>
  </Target>

Chaining is dervied by using Rules that refer to Issuer Targets.

In the above example, it may be the case that Alice wants to constrain
Charlie as an allowed issuer of the access policy. Erik suggested
another Target element for this purpose, but Tim and others pointed out
that policies are indexed based on target elements, so the target is not
the appropriate place for the contraint. Simon proposed to use a
condition for the purpose. Erik agreed with this, provided the required
information of the full chain is available in the administrative request
and it is possible to write a condition that applies to each issuer in
the chain separately.

+++

April 29, 2005

Attendees:
Simon Godik
Anne Anderson
Erik Rissanen
Tim Moses
Bill Parducci
Srinivas Sridhara
Michiharu Kudo


Day 1 Review
------------

In reviewing the "core + extension" document approach raised yesterday
during the Delegate schema discussion, Michiharu raised the concern that
Target(s,a,r) is well understood and widely used and that while
extensions need to be made to handle Delegate, departing from  current
model will cause compatibility issues.

Simon offered that a "constraint language definition" with an access
control specification that provides a normative expression of the
current Target model extending a core constraining language would
address Michiharu's concerns while providing backwards compatibility.

Tim has offered to act as Editor for the Core and Conclusion documents,
while Erik will take the lead on the Delegation document pending
approval. Anne offered to provide editorial assistance.

Delegation, part 2.
-------------------

Erik raised the issue of Attribute resolution timing. The consensus was
that the temporal aspects of resolution of Policy Issuer Attributes will
NOT be XACML specified and this will be an implementation issue.


Conclusions
-----------

Simon reviewed the Conclusion proposal that Bill posted to the list.
Anne raised the issue of whether all Imperative Families would need to
be addressed in all Rules (case of missing Imperatives in a Combiner).
Michiharu raised the question of how many Families. Bill offered
encryption, routing (QoS) and filter application and that the Conclusion
mechanism provides a mechanism to qualify decision attributes not
currently possible with Obligations (e.g. "3DES" take precedence over
"homegrown" over "plain" encryption).


Example of an overarching encryption Imperative:

R1: If Subject(Michiharu)
     C1: Permit
     C2: Plain

R2: If Subject(any, Internet)
     C1; Permit
     C2: TLS

where there are two Families:
  Access(Permit, Deny, Permit-overrides)
  Encryption(TLS, plain, TLS-overrides)

If Subject = Michiharu with an Attribute = "Internet", the resolution
follows:

Subject = Michiharu --> Permit, Plain

Subject = Michiharu with an Attribute = "Internet"  --> Permit, TLS

Access Family combines to Permit.
Encryption Family combines to TLS.

Decision = Permit, TLS

Michiharu has asked that other detailed examples be posted to the list.

Bill offered that Imperatives differ from Obligations in that the latter
is handled under a "Best Effort" basis (possibly dealt with after
access is granted/denied), while Imperatives are handled as part of the 
enforcement action and therefore MUST be performed.

Anne suggested that it would be valuable to be able to point to
information couched in the Request as part of an Imperative and that
this has been difficult to address with Obligations in the past.

The concept of Imperative sequencing was discussed. For the case of
sequences that span Imperative Families, Bill offered that the
evaluation sequence for the Policy combiner could be used to imply 
decision/enforcement sequence; this has the side effect of forcing 
evaluation order to always match Imperative sequence. Simon suggested 
that additional meta data may need to be introduced and that it might be 
best to force all sequences to be part of a single Family to avoid 
conflicts.

Michiharu raised the question of backwards compatibility with
Obligations. Bill suggested that Obligations still provide value in the
Policy structure in that Imperatives in XACML are only valid in the
context of granting access where Obligations provide an asynchronous
mechanism (e.g. Permit + "I:quarantine" vs. "O:discard after 10 days in
quarantine"). Therefore he suggested that Obligations not be removed (as 
proposed in the original Generlization document).

The general consensus is that Conclusions have significant potential in 
providing more powerful/precise access control decisions and should be 
pursued further.

Michiharu offered that he will work on options to achieving the
approaches discussed with less impact on the v2.0 schema.


PEP/PDP Communication
---------------------

Michiharu expressed interest in a previous discussion re: the concept
that XACML does not currently support the query, "What are my
permissions?" Erik suggested that this is a valuable functionality. Tim
suggested that this may also be extended to querying PEPs to determine
what Imperative/Families are supported.

Simon suggested that the question, "PDP: Here is a Target, what do I
do?," is as valuable as the current XACML query, "PDP: Here is a Target,
can I...?" and that the former query addresses Tim's "message gateway" 
Use Case.

meeting adjourned.