[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Moving ahead with 3.0
Hi Hal, I appreciate what you are saying about the work that has been done, and, in particular, the admin and WS-XACML stuff needs to be moved along rapidly. However, I am concerned after briefly looking over the changes to XACML core, that while I can see the motivation for removing the Subject, Resource, Action, and Environment and replacing them with a generic Attribute, I question the trade-off here between what is a real customer need and what is being done just to "clean-up" the protocol vs the price we will pay for disrupting the interoperability. i.e. if the same functionality is actually available in 2.0, albeit in a less clean manner, I am concerned that the price of "clean-up" is to risk all kinds of negative press about how "unstable" the protocol appears to be. I'd be curious what some of the Burton people would have to say about this. It seems to me, although I haven't gotten to all the details yet, that a lot of what you say is valuable about admin and WS-XACML could be had building as profiles and adjuncts to 2.0. Is there a reason why these core changes are tied to those items? Thanks, Rich Hal Lockhart wrote: 2E22E42D2E71B845B67F093A02B962DBF4459E@repbex01.amer.bea.com" type="cite">During the last call I asked people to identify the issues or new features we intend to complete for version 3.0. I agree than many of your suggestions would be quite valuable additions to the next version of XACML. On the other, I don't think XACML 3.0 should be arbitrarily held up just because people are beginning to implement 2.0. A lot of time and effort has been put into Admin policies for example and that functionality is frequently requested. Also I expect some of the 3.0 work, such as the SAML Profile, WS-XACML profile and the Provisioning Protocol will be useful in conjunction with XACML 2.0. I think the PR aspect of this can be dealt with by careful handling. For one thing it will be legal to support only "3.0 without Admin policies". This should be an easy step for current 2.0 implementations. We should discuss this on the call. Hal-----Original Message----- From: Prateek Mishra [mailto:prateek.mishra@oracle.com] Sent: Wednesday, September 05, 2007 1:25 PM To: Erik Rissanen Cc: XACML TC Subject: Re: [xacml] Moving ahead with 3.0 Colleagues, I would like to voice my concern about this movement towards a 3.0 release. Creating a new version of a standard is a major step and it could easily create confusion in the marketplace and even hinderongoingXACML 2.0 implementation. Its not clear to me why we need this release and to what extent it is based on needs of the industry. Is there adequate implementation, deployment and understanding of XACML 2.0 in the industry and the community? Working collaboratively, the TC managed to pull off a major milestoneinXACML 2.0's development - the interop at Catalyst 2007. The interop document and discussions around it have generated a wealth of open issues and concerns that need to be answered if XACML is to mature and receive substantial implementation. I am deeply concerned that so farwehavent addressed almost any of these issues and concerns. I have separately published a list of issues relevant to enterprises based on a presentation I gave at RSA2007. This presentation waswarmlyreceived and many industry professionals remarked to me that gaps ofthetype I captured were of interest to them. We would be happy to invest effort in capturing all of these issues. Rich Levinson and I will commit to publishing a draft in the next month. I hope we will be able to engage around these issues within the TC and respond to these requirements that have been derived from real deployments and scenarios. Thanks, prateek mishraAll, I would like to finish XACML 3.0. :-) So, what do we still have to do? There is the issues list of course. More on that below. I need to update the docs to the new OASIS templates as well. But besidesthat,what more is there to do? The delegation draft lacks a conformance section. I can make one.Thecore has one already since the doc is really just an updated 2.0doc.Have there been any changes to the requirements on the conformance requirements section from the side of OASIS? It might be a good idea if someone who is a native English speaker proofreads the docs, but we can wait with that until the end. The profiles also need to be updated, but I suspect that it ismostlyjust updating to the new schema. Below you can find the the issues list with some proposals. Could we discuss the issues at the next meeting? I also propose that we move any post 3.0 issues to a separate wiki page so we can focus on wrapping up 3.0. Issue 12, more general conclusions: Bill and I posted a workingdraftabout generalized obligations. We have not received much feedback on this. I propose that we defer this to post 3.0. Related to this is the issue about the timing attribute for obligations which was proposed by David Chadwick. I put this as a feature in the obligation draft. If we defer the obligation draft,dowe want to include the timing attribute in the 3.0 core? In myopinionthis depends on what we expect will happen with the obligation work. My preference is that we after 3.0 core is done quickly complete the obligation work, in which case the timing should go there, not inthecore now. But if the obligation profile will never happen, then we should include the timing attribute in the core now. Issue 23, access permitted: This is waiting for Hal to update the proposal to the new core schema. Also, there are concerns about how this could affect the complexity of evaluation. Hal, what is youtakeon this? Issue 36, PDP metadata: I suggest that we wait with this issue until last in the 3.0 work and see what meta date we need. Issue 62, policy provisioning interface. I think this is post 3.0.Itdoesn't affect the core directly and this work is very early yet. Issue 63 is just waiting for me to update the docs. Will do soon. :) Issue 66, missing attributes may be underspecified. I propose thatwedefer this to post 3.0. It is early work and might be better suited for a profile for a PDP <-> PEP protocol. Issue 67, XPath 2.0. There is a proposal in the docs, but someonewhoknows xpath better than me needs to review it. If no one wants to review it, I propose that we go with as it is and make errata laterifneeded. :-) Issue 71, different categories as different entities: I propose that we defer this post 3.0. It is a major change from XACML 2.0 andthereis no concrete proposal. I am also concerned with computational complexity since this is related to the complexity issue we got with distinct indirect delegates. Issue 72, placement of supplied policies is open needs to be donefor3.0. I will think up a proposal. Issue 73, start of administrative requests in nested policy sets. I think we don't need to change anything as things are now, but I will think more about it. I will write an explanation of whatever resultIreach. Issue 75, PEP <-> PDP interface. Defer this to a post 3.0 profile. Issue 76, multiple conditions. I'm not sure about this one. Seemslikepartly a duplicate of issue 71. I also wonder whether it is not possible to implement the xpath part of this issue using cleverxpathsand bag functions in the policy. Issues 82, 83 and 85 seem straightforward to fix. |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]