Subject: Minutes of 10 November 2005 TC Meeting
Minutes of OASIS XACML TC Meeting
10am EDT, 11 November 2005

Agenda:
1. Roll Call and Agenda Review

ATTENDEES:
Anne Anderson
David Staggs
Hal Lockhart
Seth Proctor
Argyn Kuketayev
Tim Moses
Bill Parducci
Michiharu Kudo
Erik Rissanen
Ron Williams
Abbie Barbir (prospective member)

Quorum was achieved.

-. Change of schedule
UNANIMOUS APPROVAL: skip the meeting on 24 November 2005 due to the U.S. holiday. Next meeting will be 8 December.

-. Announcements
ASTM Health Care Informatics WG: Hal Lockhart and David Staggs attended the ASTM Health Care Informatics Working Group meeting earlier this week; XACML is a key component of the architecture, which is based on RBAC. David Staggs will send links to relevant ASTM documents.
ITU-T: Abbie Barbir reported on status: XACML v2 (core and SAML) has been submitted to ITU-T. The process is now between OASIS and ITU-T, but the TC will be kept informed. The nickname is X.WebSec-2. Earliest approval as an ITU "Recommendation" would be in April 2006. Abbie and Hal will have to reformat the documents to conform to ITU conventions; normative text will not change. Potential XPath support issue with the ITU-T approval: will need to change to a standard recognized by ITU. [ACTION ITEM: Michiharu] look at the impact of this on XACML's usage. XPath and XQuery are not in final call.

-. Vote on approval of minutes from October 27
http://lists.oasis-open.org/archives/xacml/200510/msg00022.html
UNANIMOUS APPROVAL.

-. Delegation
Right to revoke
http://lists.oasis-open.org/archives/xacml/200510/msg00025.html
http://wiki.oasis-open.org/xacml/RightToRevoke
We now have control over who may issue a policy, but not over who may revoke a policy. This affects the use of "historic attributes" (i.e. attribute values at the time the policy was created rather than at the time the request is received). Erik has proposed a couple of models: one is "if you could have issued this policy, you can revoke it". Issues: format for revocation; processing model for verifying that a revocation is valid.
Hal brought up issues of timing and ignorance (not being aware of a valid revocation). Another model says an issuer can revoke the issuer's own policies; Erik says this does not work well with historic attributes. The F2F proposed the use of either historic attributes or current attributes, but not mixed. The wiki page above has the discussion. A request to revoke would reference the policy id as the resource, but does not reference the policy's situation. This means policies need unique ids; Erik resolved this by combining the issuer with the id.

Reduction of Deny
http://lists.oasis-open.org/archives/xacml/200510/msg00026.html
There is an old wiki page plus this new message. Issue: currently, when an access policy says "Deny", it is reduced the same way as "Permit". Admin policies must be "Permit"; it is too complex to support "Deny" at this level and there is no good use case. We probably need to make "Effect" part of the situation (general agreement). If someone else has "Permitted", can your "Deny" override that? Or if you have "Denied", can someone else override it with a "Permit"? Ron Williams proposed that the policy evaluation model might need to specify whether it supports a mixed model or not: a PDP "meta-policy". Erik says this could probably be implemented by using the permit-overrides combining algorithm; it is more complicated if we want to allow "Deny" in some cases, but possibly supportable with combining algorithm parameters.
APPROVED: include "Effect" in the situation in the next draft.
[ACTION ITEM: Ron Williams] post a couple of simple use cases.

Authz discussion (Erik, Frank)
http://lists.oasis-open.org/archives/xacml/200511/msg00001.html
Summary: how to pass extra attributes and policies (for potential future delegates) to the PDP. These are provided in the initial request, but will be used during later phases of the reduction. Frank proposes that the RequestContext include a new section for "Entities" (actual name TBD). Matching on delegate attributes should include both the Delegate section and any Entity section that includes that delegate's identity.
The other option is to have such attributes passed separately from the Request, serving as a pool for populating Delegate sections later. It is neater to reference just the Delegate section rather than having the PDP check two locations.

-. Issues
Delegation
http://lists.oasis-open.org/archives/xacml/200510/msg00026.html
[previously discussed: reduction of deny]
Issue #3
http://lists.oasis-open.org/archives/xacml/200510/msg00023.html
Daniel's open context syntax proposal. No submission yet.

-. General
XACML referenced paper
http://lists.oasis-open.org/archives/xacml/200511/msg00005.html

The meeting adjourned at 10:58.

Anne Anderson
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
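The "Reduction of Deny" decision recorded in the Delegation item above (make "Effect" part of the situation, admin policies are always "Permit", combine with permit-overrides, and identify a policy by issuer plus id) is illustrated by the following toy model. This is an added example, not the TC's normative reduction algorithm or any XACML implementation; the policy dictionaries, the attribute names (subject, resource, action, delegate, effect) and the sample policies are all constructed assumptions.

```python
# Toy model (an assumption, not the TC's algorithm) of delegation reduction:
# access policies carry an Issuer, admin policies grant a delegate the right to
# issue policies for a situation, and the situation now includes the Effect.
ROOT = None  # a policy with no issuer is trusted and needs no reduction

def make_policy(pid, issuer, kind, target, effect="Permit"):
    """target maps attribute names to the set of values the policy applies to."""
    return {"id": pid, "issuer": issuer, "kind": kind, "target": target, "effect": effect}

def policy_key(policy):
    return (policy["issuer"], policy["id"])  # unique id = issuer combined with id

def matches(target, situation):
    return all(situation.get(k) in v for k, v in target.items())

def is_authorized(policy, situation, policies, visited=frozenset()):
    """Permit-overrides reduction: one chain back to a trusted policy suffices."""
    if policy["issuer"] is ROOT:
        return True
    if policy_key(policy) in visited:
        return False  # circular delegation never reaches a trusted policy
    admin_situation = dict(situation, delegate=policy["issuer"])
    return any(
        is_authorized(admin, situation, policies, visited | {policy_key(policy)})
        for admin in policies
        if admin["kind"] == "admin" and admin["effect"] == "Permit"  # admin policies must be Permit
        and matches(admin["target"], admin_situation))

def evaluate(request, policies):
    """Apply only authorized access policies, combined with permit-overrides."""
    decisions = []
    for p in policies:
        if p["kind"] == "access" and matches(p["target"], request):
            situation = dict(request, effect=p["effect"])  # Effect is part of the situation
            if is_authorized(p, situation, policies):
                decisions.append(p["effect"])
    if "Permit" in decisions:
        return "Permit"
    return "Deny" if "Deny" in decisions else "NotApplicable"

# Constructed sample: root lets alice issue Permit or Deny on "record"; alice lets bob issue Permit only.
POLICIES = [
    make_policy("root", ROOT, "admin", {"resource": {"record"}, "delegate": {"alice"}, "effect": {"Permit", "Deny"}}),
    make_policy("a1", "alice", "admin", {"resource": {"record"}, "delegate": {"bob"}, "effect": {"Permit"}}),
    make_policy("b1", "bob", "access", {"subject": {"carol"}, "resource": {"record"}, "action": {"read"}}, "Permit"),
    make_policy("b2", "bob", "access", {"subject": {"dave"}, "resource": {"record"}, "action": {"read"}}, "Deny"),
    make_policy("a2", "alice", "access", {"subject": {"eve"}, "resource": {"record"}, "action": {"read"}}, "Deny"),
]
```

Bob's "Deny" for dave fails reduction because alice only delegated the right to issue "Permit" policies, so that request yields NotApplicable rather than Deny, while alice's own "Deny" for eve reduces directly to the trusted root policy.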