Minutes of 27 April 2006 XACML TC Meeting

[Anne Anderson <Anne.Anderson@sun.com>]

Minutes of XACML TC Meeting
27 April 2006

Attendees:
   Daniel Engovatov
   Hal Lockhart (chair)
   Michiharu Kudo
   Ron Williams
   Argyn Kuketayev
   Abbie Barbir
   Kamalendu Biswas
   Erik Rissanen
   Anne Anderson (minutes)

Time: 10:00 AM EDT
Tel: 512-225-3050 Access Code: 65998

1. Roll Call and Agenda Review

    Quorum was achieved.

2. Vote on approval of updated minutes from April 13
     http://lists.oasis-open.org/archives/xacml/200604/msg00018.html

     APPROVED UNANIMOUSLY.

3. SAML Profile update status
     http://lists.oasis-open.org/archives/xacml/200604/msg00002.html

     Received comments from Scott Cantor.  Waiting for comments
     from Eve Maler.

4. Select date for reviewing Daniel's categories proposal
     http://lists.oasis-open.org/archives/xacml/200603/msg00002.html

     Will review at 11 May 2006 meeting.

5. Hosting a policy repository
     http://lists.oasis-open.org/archives/xacml/200604/msg00014.html

     Comment that many companies will not want to contribute their
     policies; Hal commented a simple global replace would
     probably "clean up" any sensitive issues.  Create new
     category on TC Home Page for "sample policies".

     APPROVED UNANIMOUSLY.

     ACTION: Anne to propose format for simple storage
     maintenance.

6. Draft XACML 2.0 Errata Document
     http://lists.oasis-open.org/archives/xacml/200604/msg00006.html

     Current version is a Working Draft.  At 11 May 2006 meeting,
     review and possibly approve as CD, which requires majority of
     voting members.

7. OASIS Symposium
     2 weeks from today is the OASIS Symposium; Hal will be there,
     but will call in for the meeting.  Hal will do the "Lightning
     round", reporting brief status for XACML.

8. Permit-override Policy Combining Algorithm

     Anne posted question about the "Permit-override" Policy
     Combining Algorithm, which returns "Deny" in the case where
     all policies return either Deny or Indeterminate.  Anne
     suggested that it should return "Indeterminate", because one
     of the Indeterminate policies might have returned Permit had
     the error not occurred.

     To be discussed further. [Note: we probably don't want to
     change the existing algorithm, since it has been implemented
     and used with the specified semantics associated with the
     existing algorithm identifier.  Issue is whether we want to
     define a new Policy Combining Algorithm identifier with the
     different semantics. -Anne]

9. Issue Review
     http://wiki.oasis-open.org/xacml/IssuesList

     #26: Reduction of Deny

          STATUS: change to "PENDING REVIEW"

     #27: Issuer of the PDP policy set
          Should the PDP's "trusted issuer" (i.e. issuer of the
          PDP's top-level PolicySet) be included in the Response
          Context, especially for case of PDP references.  The
          "Issuer" field of the PDP's top-level PolicySet is never
          used in the described reduction algorithms.  "Trusted
          issuer" is in some ways a logical alias for the master
          policy creator.

          STATUS: OPEN.  Further discussion on use cases.

     #31: Passing arbitrary sets of Attributes in the request
          (for use with subsequent potential delegates).  Erik
          thinks it would just make the request and its evaluation
          more complex; would need a way to refer to these
          "potential attributes".  Are the Attributes "invisible"
          until the associated delegate appears in the reduction?
          Erik proposes passing such Attributes would be outside
          the core specification.  Implementation-specific Context
          Handler is responsible for making these available when
          appropriate.  Erik thinks these should be added to the
          SAML Profile.  Alternative would be putting them in the
          XACML Request.  Profile would provide way to pass
          Attributes in XACML Attribute format, so they don't have
          to be converted back to SAML Attributes.  Profile will
          also need an ID element structure so Context Handler can
          tell which identity various Attributes are associated
          with.

          STATUS: Agreement in principle.

          ACTION: Erik will produce text for the proposal.

     #32: Exception handling

          STATUS: DEFERRED.  Until reduction process firmed up.

     #33: How to match any delegate

          STATUS: DEFERRED.  Until Daniel's categories proposal has
          been approved.

     #34: Circular import

          STATUS: DEFERRED.  Until Daniel's categories proposal has
          been approved.

     #35: Attribute timing
          Current draft says a PDP can be
          configured to evaluate at time of issuance or at time of
          evaluation.

          STATUS: PENDING REVIEW.

     #36: PDP advertisement of its metapolicy
          Top-level combining algorithm; choice for attribute
          timing.

          STATUS: OPEN

10. General Business

     Next meeting will be 11 May 2006.  Put discussion of a date
     for the next F2F on the agenda.

11. Adjourned at 11:03am EDT.

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692