[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Minutes of XACML TC Meeting, 16 March 2006
Minutes of March 16, 2006 Attendees: Hal Lockhart (Co-chair) Abbie Barbir Erik Rissanen Bill Parducci (Co-chair, minutes) Anne Anderson David Staggs Ron Williams Kamalendu Biswas (new member) Quorum was achieved (51% per Kavi) 1. Approval of minutes from March 2 http://lists.oasis-open.org/archives/xacml/200603/msg00001.html Approved unanimously 2. Attribute Categories http://lists.oasis-open.org/archives/xacml/200603/msg00002.html http://lists.oasis-open.org/archives/xacml/200603/msg00003.html Daniel (author of the proposal) was not on the call. Hal: It is appears Daniel is essentially proposing to push attributes out of XML and into URIs. Anne: Attribute Categories would be identified by a URI, they are no longer fixed element names. Hal: What is the benefit to this approach? Anne: We have already accepted that we need to add Delegate and Indirect Delegate. As long as we have to add two more groups why not generalize the attribute model since there may be more in the future? Erik: Subject, Resource, Action doesn't always fit in the model for many implementations (e.g. Erik uses a dummy payload for Action in his implementation). Hal: If a message itself has to be passed to provide information needed in the policy decision, he currently recommends passing it as an Attribute of the Action. Anne: But if users can identify a new URI that precisely identifies what is being passed, that would be more clear. Hal: Is it just easier to add Categories rather than modify the model? Erik: URI based Categories allow implementers to define new Categories without requiring modifications to the specification. The general consensus is that we should pursue Daniel's model, beginning with the identification of new Categories. Anne had two questions about the proposal concerning specifying "Multiple resource groups" (2.2) and preserving the <Resource> and <ResourceContent> elements (4.1). She will post her questions to the list. 3. Issues #3 Should elements in a policy target and the request context be open? This is Daniel's proposal for Attribute Categories. STATUS: OPEN and active #4 PDP references in policies. A concrete proposal is required. There are two potential use cases where the problem can't be solved by simply passing referenced policies to one PDP: 1) Not all PDPs may be XACML PDPs in a federated authorization model such as Frank's Grid environment, 2) Some PDPs may have private policies that cannot be passed to one central PDP. STATUS: DEFERRED until Administration Policy is completed. #5 Policy statements [and attribute assertions] in the request context Erik will update this issue to rephrase it to refer only to Policy in the Request Context. The issue of whether extra attributes possibly needed for delegates should be passed in the request context is related to #31 and will be moved there. STATUS: OPEN and active. #6 Identity attributes This is a precondition for #31 to work. This will be merged into #31 STATUS: CLOSED. merged with #31. #8 Alternate Owner-Policy-Statement to determine sentinel This has to do with cases where PDP can't have its own privately configured single Trusted Issuer. 1) Related to #4: if there are multiple PDPs, each may have its own Trusted Issuer. 2) Requesters may also want to specify the Trusted Issuer they want the PDP to use. The processing model needs to know when/how to do match. Erik suggested as a possibility that the RequestContext could contain a <TrustedIssuer> that contains a <Delegate> element from policy schema; processing model could say to use that to do the matching. STATUS: OPEN and active. #10 Obligations Draft 10 addresses Obligations by treating all obligations found in policies that are used to reduce an access policy as if they appeared in the access policy. Erik will update this issue to reflect current draft. STATUS: PENDING REVIEW. #23 Access permitted Hal is working on a proposal for this that he hopes to send out soon. STATUS: OPEN and active. Champion: Hal 4. Next meeting Will be on 30 March. Members encouraged to post Admin Policy and Attribute Categories comments by e-mail before then. The meeting on the 30th will continue today's discussion starting with Issue#11.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]