
Subject: Minutes of XACML TC mtg: 3-Jul-08

Minutes of XACML TC mtg: 3-Jul-08:

Time: 10:00 am EDT
Tel: 512-225-3050 Access Code: 65998


Voting Members

Erik Rissanen  	Axiomatics AB
Anthony Nadalin 	IBM
Rich Levinson 	Oracle Corporation
Hal Lockhart 	Oracle Corporation
Anil Saldhana 	Red Hat
Seth Proctor 	Sun Microsystems
David Staggs 	Veterans Health Administration


Duane DeCouteau 	Veterans Health Administration


Dee Schur 		OASIS


	Next call in 2 weeks, Jul 19.
	Hal will probably not be able to chair.
	Hopefully, Bill can handle it.

Agenda: ("Minutes" after each agenda item)

10:00 - 10:05 Roll Call & Minutes Approval
   Vote on Minutes from 19 June TC Meeting

	Minutes approved.

10:05 - 10:10 Administrivia

   XACML Interop Update (London: Oct 2008)

     Dee:  go to forum page: xacml listed Wed PM.
	Cost is $500/participant company 
	 (we get to be in main castle room)
	Need commitments
	  Erik in
	  Tony - depends, for now, we're
	  Anil (red hat) in
	  David (VA) not present
	  Rich - probably not in
	  Dee says Sampo is probably in

	Duane will participate in mtgs and fill in details

   SVN Status - Waiting for word from Jamie

	Legal issues on source control, still waiting
	 for details
	Std boiler plate - issue by Deviant people if they
	 can use pieces of schemas etc.

   OGF document released for public comment: "Use of XACML RequestContext..."  

	Robin Cover distributed - geospatial people want to standardize
	 around the req/rsp protocol

   A dynamic revocation model for XACML

	Attributes of delegate when issued policy, if interested
	 read paper - whether current admin can revoke policies
	 created by previous admin.
	Relies on attributes saved and signatures and is "somewhat
	 heavy to implement"

10:10 - 11:00 Issues
   Issues #71 and #76 (multi-categories)

	Supporting multiple intermediaries, codebases. Hal now
	 agrees w Erik, don't want to add new functionality
	 for this.

   WS-XACML Review

	Hal: potentially a solution to reqt how do you know
	 what attr should be provided to PDP. Vocab could
	 be gleaned from policies, create an xml document
	 and say that is vocabulary, etc.

	Erik: think it's fine, raises reasonable things, if there
	 is a demand from users should consider moving it forward.
	Hal: if going to req from pdp, what attr to provide.

	Erik: also contains privacy policy, how enforced.

	Hal: philosophy same as obligations

	Erik: Anne sent ref to paper that describes protocol
	 setting to enforce - is concerned whether possible to
	 enforce at all.

	Hal: privacy work was with some academic people, but can
	 also be used for other purposes than privacy. As much
	 as possible leveraging machinery that already exists
	 access to pdp engines that already contain parsing

	Erik: xpath concern in there, WS-Policy dropped ignorable.
	 Anne had restriction on xpath that there would always
	 be unique - does not think it is sufficient, because can
	 use different namespaces to get around.

	Hal: still hopeful Daniel can get back in.

   Passing parameters to the attribute designator

	From Anil Tappetla: Erik has been considering it, understands the
	 need for parameters, but is not sure policy is the right place
	 for it. Any semantics? Need to provide a use case to
	 better understand the issue.

	Hal: maybe part of vocabulary, what is syntax of attrs
	 that policy can be found and how do you find them.
	Erik: without more info would be inclined to say no.

   Security considerations for the access-permitted function

	Erik: in general fcn may not terminate. Limit on depth
	 is a problem. Propose a limit either in std or impl
	 based in metadata.

	Hal: this might be useful in metadata.

	Hal: attacker could send poison policy to mess up system.
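As an added illustration of the depth-limit proposal above (this is not part of the minutes, nor XACML TC or vendor code): a toy evaluator in which a policy's condition may call a modelled access-permitted function that re-enters evaluation for another resource. The policy shapes, the resource names and the `max_depth` parameter are constructed for the example; where the limit would live (the standard, the implementation, or metadata) is the open question the minutes record, so here it is simply a constructor argument.

```python
from dataclasses import dataclass
from typing import Dict, Union

# Constructed toy model, not the XACML data model: a resource's policy either
# yields a fixed decision (True = Permit, False = Deny) or depends on whether
# the same subject is permitted on another resource, which re-enters the
# evaluator. That re-entry is the recursion the minutes are concerned about.
@dataclass(frozen=True)
class AccessPermitted:
    resource: str  # the other resource whose decision this condition needs

Decision = str  # "Permit", "Deny" or "Indeterminate"
Condition = Union[bool, AccessPermitted]


class Evaluator:
    def __init__(self, policies: Dict[str, Condition], max_depth: int):
        self.policies = policies
        self.max_depth = max_depth  # assumed: bound on nested access-permitted calls
        self.deepest = 0            # deepest nesting reached, for auditing

    def evaluate(self, resource: str, depth: int = 0) -> Decision:
        self.deepest = max(self.deepest, depth)
        if depth > self.max_depth:
            # Bound the nesting as proposed: a cyclic (or deliberately crafted)
            # policy set yields Indeterminate instead of never terminating.
            return "Indeterminate"
        cond = self.policies.get(resource)
        if cond is None:
            return "Indeterminate"  # no applicable policy
        if isinstance(cond, bool):
            return "Permit" if cond else "Deny"
        # access-permitted: evaluate the referenced resource one level deeper
        inner = self.evaluate(cond.resource, depth + 1)
        if inner == "Indeterminate":
            return "Indeterminate"
        return "Permit" if inner == "Permit" else "Deny"


# Constructed sample policy sets.
WELL_FORMED: Dict[str, Condition] = {
    "report": AccessPermitted("folder"),   # report permitted iff folder permitted
    "folder": AccessPermitted("share"),    # folder permitted iff share permitted
    "share": True,                         # share: Permit
}
CYCLIC: Dict[str, Condition] = {
    "a": AccessPermitted("b"),             # a depends on b ...
    "b": AccessPermitted("a"),             # ... and b depends on a: never terminates
}


def unbounded_loops(policies: Dict[str, Condition], resource: str) -> bool:
    """Return True if evaluating with an effectively unlimited depth is only
    stopped by the interpreter's own stack guard (RecursionError); a native
    engine with no bound would spin or exhaust its stack instead."""
    try:
        Evaluator(policies, max_depth=10**9).evaluate(resource)
    except RecursionError:
        return True
    return False


def demo():
    ok = Evaluator(WELL_FORMED, max_depth=4)
    bad = Evaluator(CYCLIC, max_depth=4)
    return ok.evaluate("report"), bad.evaluate("a")


if __name__ == "__main__":
    print(demo())                              # ('Permit', 'Indeterminate')
    print(unbounded_loops(CYCLIC, "a"))        # True
```

With the bound in place the cyclic set fails closed after five nested evaluations (depths 0 through 4 are allowed, the sixth call is cut off), while the legitimate three-level chain still resolves; `deepest` shows how much of the budget a request consumed, which is the figure an implementation would want to log when tuning the limit.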

   Issue 88, general xpath functions again

	Either general library or specific subset. xpath contains
	 data types that do not fit xacml in any way.
	Craig/Erik: propose we make up specific fcns and refer to
	 xpath and not plug into full xpath.
	Hal: purpose is manipulating request context.
	Erik: this is our identifier and the function does the same
	 thing as the xpath spec.
	Erik: we defined general import, but not a good idea, then
	 imported subset and found problems there. Now suggesting
	 we just have identifiers that have limited interpretation
	 but are equivalent to selected xpath specifics

   Issue 89, Adding a description element

	Either add to expression type or to apply. If you add to
	 apply will be more generally pervasive.

   A problem in the multiple resource profile

	Erik: in the policy can specify xpath version. Mult res prof
	 req does not have similar identification of version.
	 Add an element for 3.0

   The duration data types

	Looks like oversight. However, if we add it then some of 
	 fcns there become redundant.
	Hal: intro new ones and give warning redundant will be
	 removed in future. Sometimes convenient to keep around.
	Erik: adding date/time and year/month not the same.
