Subject: Minutes of 27 April 2006 XACML TC Meeting
Minutes of XACML TC Meeting 27 April 2006

Attendees:
   Daniel Engovatov
   Hal Lockhart (chair)
   Michiharu Kudo
   Ron Williams
   Argyn Kuketayev
   Abbie Barbir
   Kamalendu Biswas
   Erik Rissanen
   Anne Anderson (minutes)

Time: 10:00 AM EDT
Tel: 512-225-3050 Access Code: 65998

1. Roll Call and Agenda Review

   Quorum was achieved.

2. Vote on approval of updated minutes from April 13
   http://lists.oasis-open.org/archives/xacml/200604/msg00018.html

   APPROVED UNANIMOUSLY.

3. SAML Profile update status
   http://lists.oasis-open.org/archives/xacml/200604/msg00002.html

   Received comments from Scott Cantor. Waiting for comments from
   Eve Maler.

4. Select date for reviewing Daniel's categories proposal
   http://lists.oasis-open.org/archives/xacml/200603/msg00002.html

   Will review at 11 May 2006 meeting.

5. Hosting a policy repository
   http://lists.oasis-open.org/archives/xacml/200604/msg00014.html

   Comment that many companies will not want to contribute their
   policies; Hal commented a simple global replace would probably
   "clean up" any sensitive issues.

   Create new category on TC Home Page for "sample policies".
   APPROVED UNANIMOUSLY.

   ACTION: Anne to propose format for simple storage maintenance.

6. Draft XACML 2.0 Errata Document
   http://lists.oasis-open.org/archives/xacml/200604/msg00006.html

   Current version is a Working Draft. At 11 May 2006 meeting,
   review and possibly approve as CD, which requires majority of
   voting members.

7. OASIS Symposium

   2 weeks from today is the OASIS Symposium; Hal will be there,
   but will call in for the meeting. Hal will do the "Lightning
   round", reporting brief status for XACML.

8. Permit-override Policy Combining Algorithm

   Anne posted question about the "Permit-override" Policy
   Combining Algorithm, which returns "Deny" in the case where all
   policies return either Deny or Indeterminate. Anne suggested
   that it should return "Indeterminate", because one of the
   Indeterminate policies might have returned Permit had the error
   not occurred. To be discussed further.

   [Note: we probably don't want to change the existing algorithm,
   since it has been implemented and used with the specified
   semantics associated with the existing algorithm identifier.
   Issue is whether we want to define a new Policy Combining
   Algorithm identifier with the different semantics. -Anne]

9. Issue Review
   http://wiki.oasis-open.org/xacml/IssuesList

   #26: Reduction of Deny

   STATUS: change to "PENDING REVIEW"

   #27: Issuer of the PDP policy set

   Should the PDP's "trusted issuer" (i.e. issuer of the PDP's
   top-level PolicySet) be included in the Response Context,
   especially for case of PDP references. The "Issuer" field of
   the PDP's top-level PolicySet is never used in the described
   reduction algorithms. "Trusted issuer" is in some ways a
   logical alias for the master policy creator.

   STATUS: OPEN. Further discussion on use cases.

   #31: Passing arbitrary sets of Attributes in the request (for
   use with subsequent potential delegates).

   Erik thinks it would just make the request and its evaluation
   more complex; would need a way to refer to these "potential
   attributes". Are the Attributes "invisible" until the
   associated delegate appears in the reduction?

   Erik proposes passing such Attributes would be outside the core
   specification. Implementation-specific Context Handler is
   responsible for making these available when appropriate. Erik
   thinks these should be added to the SAML Profile. Alternative
   would be putting them in the XACML Request. Profile would
   provide way to pass Attributes in XACML Attribute format, so
   they don't have to be converted back to SAML Attributes.
   Profile will also need an ID element structure so Context
   Handler can tell which identity various Attributes are
   associated with.

   STATUS: Agreement in principle.
   ACTION: Erik will produce text for the proposal.

   #32: Exception handling

   STATUS: DEFERRED. Until reduction process firmed up.

   #33: How to match any delegate

   STATUS: DEFERRED. Until Daniel's categories proposal has been
   approved.

   #34: Circular import

   STATUS: DEFERRED. Until Daniel's categories proposal has been
   approved.

   #35: Attribute timing

   Current draft says a PDP can be configured to evaluate at time
   of issuance or at time of evaluation.

   STATUS: PENDING REVIEW.

   #36: PDP advertisement of its metapolicy

   Top-level combining algorithm; choice for attribute timing.

   STATUS: OPEN

10. General Business

   Next meeting will be 11 May 2006. Put discussion of a date for
   the next F2F on the agenda.

11. Adjourned at 11:03am EDT.

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
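
The difference discussed in item 8, as an added example that is not part of the original minutes or of the XACML specification text: it combines already-evaluated policy decisions under the reported behaviour and under a hypothetical variant that follows the suggestion, then lists the inputs on which they disagree. All function names are illustrative, and the handling of the case with only Indeterminate results (no Deny) is an assumption.

```python
from enum import Enum
from itertools import product


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    INDETERMINATE = "Indeterminate"
    NOT_APPLICABLE = "NotApplicable"


def _combine(decisions, error_masks_deny):
    """Shared core: any Permit wins; otherwise rank Deny against Indeterminate."""
    saw_deny = saw_error = False
    for d in decisions:
        if d is Decision.PERMIT:
            return Decision.PERMIT
        saw_deny = saw_deny or d is Decision.DENY
        saw_error = saw_error or d is Decision.INDETERMINATE
    # Assumption: with errors and no Deny at all, both variants report Indeterminate.
    if saw_error and (error_masks_deny or not saw_deny):
        return Decision.INDETERMINATE
    return Decision.DENY if saw_deny else Decision.NOT_APPLICABLE


def permit_overrides(decisions):
    """Behaviour reported in item 8: Deny mixed with Indeterminate yields Deny."""
    return _combine(decisions, error_masks_deny=False)


def permit_overrides_indeterminate(decisions):
    """Hypothetical variant per the suggestion: an errored policy might have
    been a Permit, so Indeterminate is reported instead of Deny."""
    return _combine(decisions, error_masks_deny=True)


def divergent_inputs(n):
    """All length-n decision tuples on which the two variants disagree."""
    return [c for c in product(Decision, repeat=n)
            if permit_overrides(c) is not permit_overrides_indeterminate(c)]


if __name__ == "__main__":
    for combo in divergent_inputs(2):  # constructed inputs, not real PDP output
        print([d.value for d in combo],
              permit_overrides(combo).value, "vs",
              permit_overrides_indeterminate(combo).value)
```

The two variants disagree only when no policy returns Permit and the results contain both a Deny and an Indeterminate, which is why a separate algorithm identifier would let existing deployments keep their current decisions.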