OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: minutes 15 January 2009 TC meeting


Date: 15-Jan-09
Time: 10:00 am ET
Tel: 512-225-3050 Access Code: 65998

Agenda:

10:00 - 10:05 Roll Call & Approve Minutes

   (Note: while we are on weekly schedule, Bill and Rich are
    doing alternate weeks of mtg proposal and minutes.)

Roll Call:

Voting Members

Erik Rissanen  	Axiomatics AB
Bill Parducci 	Individual
Rich Levinson 	Oracle Corporation
Hal Lockhart 	Oracle Corporation
Anil Saldhana 	Red Hat
Seth Proctor 	Sun Microsystems

Members

Darran Rolls 	SailPoint Technologies
John Tolbert 	The Boeing Company	

	6/9 voting: have quorum

Approve Minutes:

  8 January 2009 TC Meeting Minutes - Update #2:
   http://lists.oasis-open.org/archives/xacml/200901/msg00030.html

10:05 - 10:10 Administrivia
  Jira/Subversion update
   http://lists.oasis-open.org/archives/xacml/200901/msg00008.html

	TC can only have single jira project, they suggest profiles
	be "tasks" so we have to update "everything".

	Bill proposes we continue working the way we have been, 
	i.e not use Jira.

	Erik: maybe just use it for core.

	Hal: that would be confusing w multiple places to look for
	issues.

	Not clear why Jira is being managed as only one project 
	per TC, but that appears to be unworkable for us right now.

  Public Review of XSPA Profile of XACML v2.0 for Healthcare v1.0
  60 day review cycle begins:
   http://lists.oasis-open.org/archives/xacml/200901/msg00013.html

	The "related files" ref'd in the email have pointers to them
	in the references section of the document.


10:10 - 11:00 Issues

 Issues within TC:

  Advice Obligation Type (Erik updated proposal based on last week's
  discussion, there were also follow-up emails to this email):
   http://lists.oasis-open.org/archives/xacml/200901/msg00017.html

	Main issue: do we want 2 options. Erik withdrew proposal.
	Consider other ways to solve use case.
   http://lists.oasis-open.org/archives/xacml/200901/msg00034.html

  Multi-Decision Profile Proposal (also may address all or part
  of "Subject Inconsistencies" from last week):
   http://lists.oasis-open.org/archives/xacml/200901/msg00015.html
  and follow-up emails.

	"Multi-decision": current suggestion Hal's scheme <Attributes>
	 level items get xml:id attrs, preceded by list of sets of 
	 items that are combined into virtual request context. These 
	 lists could have multiples of same category interpreted as
	 cross product.

	Hole in scheme: each list produces single decision. Cross
	product requires multiple responses.

	Hal will do revised scheme. Any attribute in 2.0 can be marked
	for return, and then used for correlation.

	Erik in 3.0 can say what attr values you want back.
	in 2.0 in result can set ResourceId and that's all.

	Hal: in 3.0 "IncludeInResult"

	Rich: Possibly a CorrelationId attribute in the Attributes
	element would be more useful, since results are based on
	combos of Attributes elements, not the child Attribute
	elements. Also, could result in adding extraneous attrs to
	the Attributes collection just for purpose of correlation.

  Policy Combining (additional review was in progress):
   http://lists.oasis-open.org/archives/xacml/200901/msg00016.html

	Tony was to get back w their analysis


  Returning a Request Context in the Decision Request Protocol
   http://lists.oasis-open.org/archives/xacml/200901/msg00014.html

	Use cases: Erik asked to clarify the feature: the main
	issue appears to be what, in addition to original submitted
	request may be returned - i.e. additional attrs obtained by
	PDP from other contexts may not be ok to return to PEP.

  Possible problems w hierarchical profile:
   http://lists.oasis-open.org/archives/xacml/200901/msg00031.html

	Rich: main issue is that "hierarchy" is ambiguously defined.
	Thinks that hierarchy should mean one parent, one root. In
	general, multiple "hierarchies" can be brought to bear on
	given decision, and a given node can belong to multiple
	hierarchies, and the hierarchies may span different collections
	of resources and/or have partial/complete spanning of one set
	of resources, but each "hierarchy" should be one parent 
	one root.
 
	DAG can map one to another and allows multiple parents.
 
	(Rich: but that's a "DAG" not a hierarchy, this is not
	 the DAG profile of XACML.)

	URL hierarchy and file hierarchy

	Hal, Seth: it was used to emulate some policy models that
	 used hierarchical scheme and some still had constructs
	 non-representable.

	Seth thinks it should be cleaned up. But is it worth it.

	Anil: agree hier profile w seth. Is it used or not?

	Seth: largely unused.

	Allows policies to make references to hierarchical entities
	without knowing who related to who.

	Hal: profile just had "usable amount of stuff".

	Rich: scope in multi-profile vs parent/ancestor in hier
	 will come up w suggestion for how to address.

	Erik sent helpful memo just prior to discussion, but it was
	not read in time for discussion:
	 http://lists.oasis-open.org/archives/xacml/200901/msg00037.html

Meeting adjourned - remaining issues next time:

 Issues from xacml-comments and xacml-users lists:

  What are rules, if any, for schema-validating Requests and PolicySets
   prior to delivery to the PDP. If some do, some don't then what does
   this do to interoperability and overall security concerns:
    http://lists.oasis-open.org/archives/xacml-users/200901/msg00023.html

  XSPA Profile has some inaccessible links:
   http://lists.oasis-open.org/archives/xacml-comment/200901/msg00000.html





[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]