
Subject: Minutes of July 21 2004 XACML TC Meeting


Tim Moses
Bill Parducci (minutes)
Tony Nadalin
Hal Lockhart
Erik Rissanen
David Staggs
Ron Williams

Quorum reached (80% per Kavi)


I.   Minutes from July 7 meeting voted upon:
      Approved unanimously
      No objections

II.  Delegation (Issuer)
      Naming of Subject of administrative Policy. Tim suggests Issuer is
      the appropriate name. Ron offered that Delegate is more accurate
      (on list). Tim countered that Delegate would include access Subject
      and this is more general in its 'ordinary' use. Others asked to
      weigh in.

      Hal noted that the term "Pending Policy" is an interesting term to
      describe a Policy that has not been fully evaluated in the decision
      chain (temporal description).

      Ron raised concern about increasing complexity in the model via the
      introduction of increased semantics and that this will ultimately
      reduce flexibility in the model.

      Hal also noted that the term "Administrative Policy" also appears
      to be an effective semantic in the delegation model. Both Tim and
      Erik are currently using this term.

III. Hypothetical Queries
      HQ: Given a Subject to what Targets is access authorized?
      HQ: Given a Target what Subjects are authorized to access?

      Hal asked how this would be addressed by XACML. Could this be
      handled via partial evaluation (non-enumerated)? Ron stated that he
      is not addressing computational efficiency, but that a general case
      should allow such questions to be allowable despite some
      systems' inability to address the problem realistically.

      Daniel suggested that this issue can be addressed through attribute
      manipulation.  Bill stated that it may be possible to answer the
      first HQ above, but not the second, because the current implementation
      is limited to a Permit|Deny response. Daniel's position is that "who"
      is not defined within the system; Subjects are just a collection of
      attributes. Ron offered that an audit process may wish to access a
      listing of all Subjects that can access a particular Target.
      Hal suggested that there are two ways to address this: partial
      evaluation (query attribute limitation); limited scope of request
      (PDP constraint).

      David offered that XML processing would be inefficient for
      addressing this type of processing. Hal suggested that
      optimization strategies include non internal XML representation and
      localized PDP/PEP processing.

      Anne offered that there are academic references on the TC website
      that may provide insight on the subject.

IV.  Work Items
      No significant updates to Work Item list

V.   General

      Bill will post to the list when there is an update to the wiki

      The Chair has asked for volunteers to consider hosting the next
      F2F. The tentative date is some time in September.

Meeting adjourned.
