

Subject: Minutes of 20 July 2006 TC Meeting


Minutes of the OASIS XACML Technical Committee Meeting
20 July 2006

Voting Member Attendees:
  Anne Anderson
  Hal Lockhart
  Daniel Engovatov
  Tony Nadalin
  Argyn Kuketayev
  Kamelendu Biswas
  Erik Rissanen
  Seth Proctor
  David Staggs

Observer
  Greg Desmarais (Sigaba)

1. Roll Call and Agenda Review

    Quorum was achieved

2. Vote on approval of minutes from 22 June 2006 meeting
    http://lists.oasis-open.org/archives/xacml/200606/msg00024.html

    Approved unanimously.

3. Revision of XACML 2.0 core errata

    1) uri-string-concatenate (in current draft)
    2) replacement of non-standard normative references (in current draft)
    3) Omission of "Deny" case in Permit-Overrides PolicyCombiningAlg
       http://lists.oasis-open.org/archives/xacml/200607/msg00003.html
    4) Add OASIS Copyright notice to XACML schema files
       http://lists.oasis-open.org/archives/xacml/200607/msg00001.html

    Approved unanimously.

4. Registration of XACML with ET.gov
    http://lists.oasis-open.org/archives/xacml/200606/msg00031.html

    Add address to OASIS Office.  Change contact to OASIS.

    AI: Hal will figure out what address and contact to use.

    Approved unanimously with address and contact changes.

5. Issues list
    http://wiki.oasis-open.org/xacml/IssuesList

    3. Should elements in a policy target and the request context be open?
       Daniel's Target proposal: status

       Daniel's proposal depends on resolution of #40.

   40. Change ResourceContent
       http://lists.oasis-open.org/archives/xacml/200607/msg00005.html

       Daniel proposes an optional URI with AttributeSelector,
       resolved in implementation-specific way.  One problem is
       multiple documents.

       Anne suggested perhaps just using Attributes that contain
       the contents of the document.

       Seth noted that ResourceContent is useful when the
       ContextHandler doesn't have access to the location of the
       actual document instance.

       Seth suggested existing Request containing categorized
       Attributes, plus optional sequence of XML content
       documents.  Content element tag could contain XML attribute
       that has a URI that is the unique identifier of the
       document.

       General agreement on the last suggestion.

       AI: Daniel will issue a revised proposal this week.

       AI: Anne will send e-mail about turning the Kavi
       member-only URL into a publicly available URL.

   5.  Policy statements in request context (Anne)
       http://lists.oasis-open.org/archives/xacml/200606/msg00022.html
       http://lists.oasis-open.org/archives/xacml/200606/msg00023.html
       Note: in a separate bucket in XACMLAuthzDecisionQuery in
       SAML Profile Version 2 draft.

       Hal suggested this is appropriate, since the SAML Profile
       is a particular protocol for passing information used in an
       evaluation.  He also thinks #31 can be handled the same
       way.

       General approval for this in the SAML Profile Version 2.

       AI: Anne to draft proposal for describing semantics of such
       policies in the core.

   10. Obligations (PENDING REVIEW)

       How does reduction deal with obligations?  All obligations
       from access and admin policies will be collected.

       Approved.  Change status to CLOSED.

   26. Reduction of deny (PENDING REVIEW)

       Current Proposal: Admin policies that evaluate to Deny are
       dropped.

       Approved.  Change status to CLOSED.

   31. Passing arbitrary sets of Attributes in the request (Frank)

       AI: Erik will draft syntax and text for SAML Profile, and
       semantic description for core.

   35. Attribute timing (PENDING REVIEW)

       Do you use Attribute values from time policy was created or
       modified or from time policy is evaluated?

       Current Proposal: PDPs can operate in either mode.
       Implementation dependent.  #36 may provide way for a PDP to
       advertise its mode.

       AI: Anne issue proposal to let policy state whether it must
       be evaluated with historic or current attribute values;
       would evaluate to Indeterminate if PDP is unable to supply
       the required values.

       Approved.  Change status to CLOSED.

6. Wrap up

    Next call will be August 3.  Hal will be absent, attending TAG
    meeting.

Respectfully submitted,
Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

