
Subject: Minutes of 10 November 2005 TC Meeting


Minutes of OASIS XACML TC Meeting
10am EDT, 11 November 2005

Agenda:

1. Roll Call and Agenda Review

   ATTENDEES:
   Anne Anderson
   David Staggs
   Hal Lockhart
   Seth Proctor
   Argyn Kuketayev
   Tim Moses
   Bill Parducci
   Michiharu Kudo
   Erik Rissanen
   Ron Williams

   Abbie Barbir (prospective member)

   Quorum was achieved.

-. Change of schedule

   UNANIMOUS APPROVAL: skip meeting on 24 November 2005 due to
   U.S. holiday.  Next meeting will be 8 December.

-. Announcements

   ASTM Health Care Informatics WG: Hal Lockhart and David Staggs
   attended ASTM Health Care Informatics Working Group meeting
   earlier this week; XACML is a key component of the
   architecture, which is based on RBAC.  David Staggs will send
   links to relevant ASTM documents.

   ITU-T: Abbie Barbir reported on status: XACML v2 (core and
   SAML) submitted to ITU-T.  Process now between OASIS and
   ITU-T, but TC will be kept informed.  Nickname is X.WebSec-2.
   Earliest approval as ITU "Recommendation" would be in April
   2006.  Abbie and Hal will have to reformat the documents to
   conform to ITU conventions; normative text will not change.

   Potential XPath support issue with the ITU-T approval: will
   need to change to a standard recognized by ITU.

   [ACTION ITEM: Michiharu] look at the impact of this on XACML's
   usage.  XPath and XQuery are not in final call.

-. Vote on approval of minutes from October 27
   http://lists.oasis-open.org/archives/xacml/200510/msg00022.html

   UNANIMOUS APPROVAL.

-. Delegation
   Right to revoke
   http://lists.oasis-open.org/archives/xacml/200510/msg00025.html
   http://wiki.oasis-open.org/xacml/RightToRevoke

   Now have control over who may issue a policy, but not over who
   may revoke a policy.  Affects use of "historic attributes"
   (i.e. attribute values at time policy was created rather than
   at time request is received).  Erik has proposed a couple of
   models: one is "if you could have issued this policy, you can
   revoke it".  Issues: format for revocation; processing model
   for verifying that revocation is valid.  Hal brought up issues
   of timing, ignorance (not aware of a valid revocation).
   Another model says issuer can revoke issuer's own policies;
   Erik says this does not work well with historic attributes.

   F2F proposed use of either historic attributes or current
   attributes, but not mixed.  WIKI page above has discussion.

   Request to revoke would reference policy id as the resource,
   but does not reference the policy's situation.  Means need
   unique ids for policies; Erik resolved by combining issuer
   with id.

   Reduction of Deny
   http://lists.oasis-open.org/archives/xacml/200510/msg00026.html

   There is an old WIKI plus this new message.  Issue: now when
   access policy says "Deny", it is reduced the same way as
   "Permit".  Admin policies must be "Permit"; too complex to
   support "Deny" at this level and no good use case.  Probably
   need to make "Effect" part of the situation (general
   agreement).  If someone else has "Permitted", can your "Deny"
   override that?  Or if you have "Denied", can someone else
   override it with a "Permit"?

   Ron Williams proposed policy evaluation model might need to
   specify whether it supports mixed model or not; PDP
   "meta-policy".  Erik says could probably be implemented by
   using permit-overrides combining algorithm; more complicated
   if want to allow "Deny" in some cases, but possibly
   supportable with combining algorithm parameters.

   APPROVED: include "Effect" in situation in next draft.

   [ACTION ITEM: Ron Williams] post a couple of simple use cases.

   Authz discussion (Erik, Frank)
   http://lists.oasis-open.org/archives/xacml/200511/msg00001.html

   Summary: how to pass extra attributes and policies (for
   potential future delegates) to PDP.  These are provided in
   initial request, but will be used during later phases of the
   reduction.  Frank proposes RequestContext include new section
   for "Entities" (actual name TBD).  Matching on delegate
   attributes should include both Delegate section and any Entity
   section that includes that delegate's identity.  The other option
   is to have such attributes passed separately from the Request,
   where they would serve as a pool for populating Delegate sections
   later.  It is neater to reference just the Delegate section rather
   than having the PDP check two locations.

-. Issues
   Delegation
   http://lists.oasis-open.org/archives/xacml/200510/msg00026.html

   [previously discussed: reduction of deny]

   Issue #3
   http://lists.oasis-open.org/archives/xacml/200510/msg00023.html

   Daniel's open context syntax proposal.  No submission yet.

-. General
   XACML referenced paper
   http://lists.oasis-open.org/archives/xacml/200511/msg00005.html

The meeting adjourned at 10:58.

Anne Anderson

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692


