Minutes of XACML TC Meeting - April 13, 2006

[Bill Parducci <bill.parducci@simulalabs.com>]

Minutes of April 13, 2006

Attendees:
  Daniel Engovatov
  Hal Lockhart (Co-chair)
  Michiharu Kudo
  Ron Williams
  Argyn Kuketayev
  Abbie Barbir
  Kamalendu Biswas
  Erik Rissanen
  Bill Parducci (Co-chair, minutes)
  Anne Anderson (minutes)
  Seth Proctor
  David Staggs

Quorum was achieved (83% per Kavi)

1. Approval of minutes from March 30
    http://lists.oasis-open.org/archives/xacml/200603/msg00001.html

    Approved unanimously

2. SAML Profile Updated
    Anne reported that the update incorporates all errata reported
    against our XACML 2.0 standard profile. Among other things Advice has
    also been added to allow Policies to be passed as an Advice in an
    Assertion. Anne will post details to the list.

3. ITU-T update
    Abbie introduced an updated submission to ITU-T based on input from
    Anne.

    XACML 2.0 references a specific working draft of the W3C XQuery
    and XPath Functions and Operators spec for two DataTypes, the
    functions related to them, constructor functions for all XML
    Schema primitive DataTypes, and for the definition of Regular
    Expressions.  ITU does not allow references to things that are
    not yet approved standards.  Solution was to include the text
    of the referenced sections of the XQuery and XPath draft
    directly into the ITU version of the XACML specification in
    paraphrased form to avoid copyright issues.

    Daniel reported there was a meeting of the W3C XQuery and XSLT/XPath
    WG at Oracle last week.  They plan to move the datatypes
    defined in XQuery into the XML Schema.  Next meeting in June;
    Committee Recommendation by Aug.  XACML TC can't use their
    changes now, since still not approved standard, but should sync
    up at some point for XACML 3.0.

4. Issues

   #11 CLOSED. already supported.

   #12 This is being addressed by the work on Obligations. Bill &
       Michiharu are pursuing this.

   #13 Hal has concerns about the transitive implications of this. Anne
       and Erik offered that this may be resolvable. Erik is interested
       in this topic looking to work on this Issue but does not have a
       time line. Hal requested more explicit use cases so can narrow
       this down. OPEN

   #14 "What do I do?": "What if" scenario where more general conclusions
       (#12) are supported.  e.g. I'm trying to access Server A, result
       is "redirect to Server B".  I.e. can be handled with Obligations
       and XACML's existing "what if". CLOSED.  Re-open if it comes up
       again.

   #18 Split out the sub-issue: "When are attributes chosen (evaluated)?
       At time of issuance or at policy evaluation?"  Added as Issue #35.

       The remainder of the Issue is currently addressed in the latest
       draft (no differentiation). consensus is "no distinction among
       delegates in conditions on delegates".  Problem exists in
       specifying the functions on delegates because it requires bags of
       bags (each delegate needs its own bag of attributes, they can't be
       mixed). Now you specify a condition and it must apply individually
       to each and all indirect delegates. CLOSED.

   #22 Right to revoke: We now have conditions on right to issue a
       policy, but none on right to revoke a policy.  There are many
       types of revocation.  Currently the administrator (someone who
       satisfies a delegate condition in a "supporting" policy) can
       remove any policy (good for historic attribute support).  A
       policy that arrives with a request is used to evaluate only
       that request and is then automatically revoked.  PRP="Policy
       Revocation Point".  Bill suggested that this is an
       implementation issue. OPEN.

   #23 Access Permitted: Hal has written a proposed function. OPEN

   #25 ACTION: Erik will revisit the text to make this easier to read.

   The next meeting will begin back on Issue #26.

meeting adjourned.