Subject: Minutes 1 February XACML TC Meeting

I Roll Call & Minutes

Attendees
  Hal Lockhart (Co-chair)
  Bill Parducci (Co-chair, minutes)
  Anthony Nadalin
  Argyn Kuketayev
  Abbie Barbir
  Rich Levinson
  Prateek Mishra
  Erik Rissanen
  Anne Anderson
  Seth Proctor
  David Staggs

Quorum was achieved (76% per Kavi)

VOTE: Unanimous APPROVAL of minutes from 18 January 2007

II Administrivia

F2F locations
  BEA offers to host in Burlington
  Tony is still checking availability in Austin

Inter-op
  Oracle and Securent have voiced interest in participating in the
  Interop in June along with IBM. Hal believes BEA will also
  participate. Hal will send out an email to interested parties to
  begin the logistics process. The process requires an Inter-op
  Coordinator. A request for a volunteer has been made.

General
  Rich noticed an anomaly between the XACML 1.1 and XACML 2.0
  specifications. There is a resource:xpath AttributeId referenced in
  the Section 4.2.4 Rules examples in XACML 2.0, but this AttributeId
  is defined only in XACML 1.0. It is generally agreed that this is
  errata and should be added back into XACML 2.0. The definition from
  XACML 1.0 is:

    "This identifier indicates that the resource is specified by an
    XPath expression.
    urn:oasis:names:tc:xacml:1.0:resource:xpath"

  Rich also asked about the state of the Obligations work referenced
  earlier in the v3.0 process. Bill explained that he and Erik have
  been working to come up with a common understanding and intend to
  post the results of this discussion to the wiki. Anne offered to
  post an overview of how Obligations/obligations are handled
  currently in the XACML Profile for Web Services.

III Issues

# 55 WS-XACML: Address policy references in a Requirements element
  containing a PolicySet
  ACTION ITEM: Anne to explain the problem and present a draft
  solution to the list based on Option 3: Add an element for
  including referenced policies and require that all referenced
  policies must be included in this element.
  Seth pointed out that policies included need to be tagged with the
  identifier by which they are referenced.

# 56 WS-XACML: Add optional "Preference" XML attribute to Apply element
  Where more than one Attribute value can satisfy an Apply element,
  Anne proposed that an optional element be added to the Apply
  element to indicate whether "greater" values (larger integer, later
  time, end of ordered set) or "lesser" (earlier time, beginning of
  ordered set) values are preferred.
  APPROVED

# 57 WS-XACML: Restrictions on XPath expression to support matching
  Attribute references
  Anne proposed a restricted form of XPath expression that uses
  absolute paths and does not contain any query operators to allow for
  correct intersections of AttributeSelectors. Anne has researched
  the problem and is looking for additional insight into the
  restrictiveness of this approach. Hal pointed out that we are not
  the only ones with this problem.
  ACTION: TC members are encouraged to investigate. Anne will contact
  the authors of a paper on the intersection of XPath expressions to
  see if they have insights.

# 59 WS-XACML: Allow restricted regular expression functions in
  XACMLAssertion
  The group felt supporting regular expressions was useful, and so
  use of intersectable regular expressions should be supported.
  ACTION: Anne and Bill to dig up the specification of basic
  (intersectable) regex expressions and Anne to draft specific
  proposal for the list.

# 60 WS-XACML: Remove "XACML Authorization Token" and "Conveying XACML
  Attributes in a SOAP Message"?
  Anne proposed moving these two sections of the WS-XACML profile to
  the SAML Profile, leaving only the XACMLAssertion sections.
  APPROVED: move these two sections to the SAML Profile.

# 52-53 Indirect delegates issues
  Erik proposed dropping indirect delegates from the specification,
  pointing out that in a strict sense an administrative policy can't
  prevent someone else from doing a restricted action on behalf of an
  undesired indirect delegate.
  APPROVED: drop indirect delegates from the standard.

# 63 Generalization of multiple resources
  STATUS: everyone look at this issue and discuss on list.

# 64 Treatment of administrative Deny
  Proposal is that if an admin request evaluates to Deny on a policy,
  the policy will be ignored.
  STATUS: everyone look at and discuss on the list.

# NEW: Deny-Overrides:
  http://lists.oasis-open.org/archives/xacml/200701/msg00020.html
  STATUS: Erik to submit statement of a proposed new combining
  algorithm. Discuss on list.

Meeting adjourned.