OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Moving ahead with 3.0


I would like to voice my concern about this movement towards a 3.0 
release. Creating a new version of a standard is a major step and it 
could easily create confusion in the marketplace and even hinder ongoing 
XACML 2.0 implementation.

Its not clear to me why we need this release and to what extent it is 
based on needs of the industry. Is there adequate implementation, 
deployment and understanding of XACML 2.0  in the industry and the 

Working collaboratively, the TC managed to pull off a major milestone in 
XACML 2.0's development - the interop at Catalyst 2007. The interop 
document and discussions around it have generated a wealth of open 
issues and concerns that need to be answered if XACML is to mature and 
receive substantial implementation. I am deeply concerned that so far we 
havent addressed almost any of these issues and concerns.

I have separately published a list of issues relevant to enterprises 
based on a presentation I gave at RSA2007. This presentation was warmly 
received and many industry professionals remarked to me that gaps of the 
type I captured were of interest to them.

We would be happy to invest effort in capturing all of these issues.  
Rich  Levinson and I will commit to publishing a draft in the next 
month. I hope we will be able to engage around these issues within the 
TC and respond to these requirements that have been derived from real 
deployments and scenarios.


prateek mishra

> All,
> I would like to finish XACML 3.0. :-)
> So, what do we still have to do?
> There is the issues list of course. More on that below. I need to 
> update the docs to the new OASIS templates as well. But besides that, 
> what more is there to do?
> The delegation draft lacks a conformance section. I can make one. The 
> core has one already since the doc is really just an updated 2.0 doc. 
> Have there been any changes to the requirements on the conformance 
> requirements section from the side of OASIS?
> It might be a good idea if someone who is a native English speaker 
> proofreads the docs, but we can wait with that until the end.
> The profiles also need to be updated, but I suspect that it is mostly 
> just updating to the new schema.
> Below you can find the the issues list with some proposals. Could we 
> discuss the issues at the next meeting? I also propose that we move 
> any post 3.0 issues to a separate wiki page so we can focus on 
> wrapping up 3.0.
> Issue 12, more general conclusions: Bill and I posted a working draft 
> about generalized obligations. We have not received much feedback on 
> this. I propose that we defer this to post 3.0.
> Related to this is the issue about the timing attribute for 
> obligations which was proposed by David Chadwick. I put this as a 
> feature in the obligation draft. If we defer the obligation draft, do 
> we want to include the timing attribute in the 3.0 core? In my opinion 
> this depends on what we expect will happen with the obligation work. 
> My preference is that we after 3.0 core is done quickly complete the 
> obligation work, in which case the timing should go there, not in the 
> core now. But if the obligation profile will never happen, then we 
> should include the timing attribute in the core now.
> Issue 23, access permitted: This is waiting for Hal to update the 
> proposal to the new core schema. Also, there are concerns about how 
> this could affect the complexity of evaluation. Hal, what is you take 
> on this?
> Issue 36, PDP metadata: I suggest that we wait with this issue until 
> last in the 3.0 work and see what meta date we need.
> Issue 62, policy provisioning interface. I think this is post 3.0. It 
> doesn't affect the core directly and this work is very early yet.
> Issue 63 is just waiting for me to update the docs. Will do soon. :)
> Issue 66, missing attributes may be underspecified. I propose that we 
> defer this to post 3.0. It is early work and might be better suited 
> for a profile for a PDP <-> PEP protocol.
> Issue 67, XPath 2.0. There is a proposal in the docs, but someone who 
> knows xpath better than me needs to review it. If no one wants to 
> review it, I propose that we go with as it is and make errata later if 
> needed. :-)
> Issue 71, different categories as different entities: I propose that 
> we defer this post 3.0. It is a major change from XACML 2.0 and there 
> is no concrete proposal. I am also concerned with computational 
> complexity since this is related to the complexity issue we got with 
> distinct indirect delegates.
> Issue 72, placement of supplied policies is open needs to be done for 
> 3.0. I will think up a proposal.
> Issue 73, start of administrative requests in nested policy sets. I 
> think we don't need to change anything as things are now, but I will 
> think more about it. I will write an explanation of whatever result I 
> reach.
> Issue 75, PEP <-> PDP interface. Defer this to a post 3.0 profile.
> Issue 76, multiple conditions. I'm not sure about this one. Seems like 
> partly a duplicate of issue 71. I also wonder whether it is not 
> possible to implement the xpath part of this issue using clever xpaths 
> and bag functions in the policy.
> Issues 82, 83 and 85 seem straightforward to fix.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]