
Subject: Minutes 19 February 2009 TC meeting


Time: 10:00 am EDT
Tel: 512-225-3050 Access Code: 65998

Proposed Agenda for 19-Feb-09 TC Meeting:

10:00 - 10:05 Roll Call

Anil Tappetla regained voting status at end of prev mtg.

Voting Members

Erik Rissanen    Axiomatics AB
Anil Tappetla    Cisco Systems, Inc.
Rich Levinson    Oracle Corporation
Hal Lockhart     Oracle Corporation
Seth Proctor     Sun Microsystems
John Tolbert     The Boeing Company
Duane DeCouteau  Veterans Health Administration



10:05 - 10:15 Administrivia

Approve Minutes
 12 February 2009 TC Meeting Minutes
  http://lists.oasis-open.org/archives/xacml/200902/msg00011.html

	approved no objection

Two xacml events: calls for presentations: (just a reminder nothing new)
 European Identity Conference 2009 (EIC): 5-8 May 2009 Munich, Germany
 European e-ID Management Conference: 25-26 June 2009 London, England
  http://lists.oasis-open.org/archives/xacml/200902/msg00007.html

	Hal speaking at RSA in April - last slot in conf
	this year RSA req to upgrade to advanced talk
	assume people know xacml
	 issues such as we've been grappling w in 3.0
	Rich: agree - go w advanced


10:15 - 11:00 Issues
[Documents posted]
XACML 3.0 Core WD08 uploaded by Erik: (just a reminder, for review)
 http://lists.oasis-open.org/archives/xacml/200902/msg00003.html

[New Issues]
Comment on combining algorithms in Core WD07
 Erik reply directs commenter to WD08
  http://lists.oasis-open.org/archives/xacml/200902/msg00026.html
 Roland responds on WD08
  http://lists.oasis-open.org/archives/xacml-comment/200902/msg00002.html

	Erik: all ok; Roland agrees w direction; small typo w
	 2 vars w same name - Erik will fix

[carryover from previous meetings]

Open Issues in SAML Profile
 updated status from Erik based on last week's discussion:
  http://lists.oasis-open.org/archives/xacml/200902/msg00013.html

   Erik: 2 residual issues on saml profile

    1. Hal: there are hierarchical roles in middle of req
	Erik: should only match against provided attr (PEP native attr)
	 "Supplied attrs" from saml protocol
	Erik: PEP native are key to supplied attrs and recursive
	 from there
	samlp:AdditionalAttrs intended to apply to delegates
	Holders: who these attrs belong to
	HolderAttributes are what is provided

	Alice is holder and search

	2nd attr: applies to entities that have attr "surgeon" who
	 are also all medical staff

	PDP is reqd to do one step; will never match holders against
	what has been provided as additional attr.

	2nd attr: pdp not required to find it; hard to find what's
	 legal and not legal

	point is if someone sends it, it will be ignored

	Hal: one is unique key and other is not - can't tell by
	 looking at it
	Hal: if every req had different hierarchy defn

	Hal: would like to go ahead w option to raise issues later

	2nd example alice is surgeon; no direct inheritance between
	 provided attrs, but if context handler finds that all surgeons
	 are medical staff, ...

	proposal for text at end just before 2nd issue.

	Erik: also msg 13 - thought spec ...


    2. 2nd issue:

	Erik: about policy references;

	can provide policy, also policy ref so pdp can find it
	currently if policyref, then MUST provide policy
	Erik: thinks too stringent; org might have known policy-id
	 and would prefer to refer in supplied policies w/o providing
	 change MUST->MAY
	Hal: valid policies plus policies from repositories are
	 "pile of policies" (need term other than policy set, 
	 PolicyMass: collectively is what decisions are made from,
	  and refs should be able to ref anything in collection;
	 and it can vary from req to req, because supplied policies
	  can differ req->req
	Hal: try to express this more richly than "MAY"

     Also: Hal will post additional saml related proposal: based
	 on ch 9 of ws-fed spec; w same kinds of options; may
	 want to put it in the saml doc; leverage text; will
	 post for now as free-standing doc
	

Multiple Decision Request Proposal
 Erik proposal to add MultiRequest element to core schema:
  http://lists.oasis-open.org/archives/xacml/200902/msg00014.html

    Erik: call it multi-req; 
    Hal: originally was decision, but still has cross product

    Erik: unsure about xml:id - not required to define in schema
	to incl - colleague tried it out but didn't work?
    Hal: xml:id built in.

    Hal: can put xml:id wherever you want; wsu:mumble should match
	xml:mumble - will try to get us context;
    Erik: actually when did it, made a mistake, will look into it.

    Hal: 2 issues w id in sig; other issue was canonicalization
	and blanket rule on all xml:attr - don't want to inherit
	ids inward the way you do w namespaces; xml:id 
    Hal: saml: has some xml:id in it.
    Hal: interested in comments from implementors

Hierarchical profile
 (new discussion from this week)
  Proposed next step suggested by Rich (2/17):
   http://lists.oasis-open.org/archives/xacml/200902/msg00015.html
  Several emails Daniel and Rich between 2/17 and 2/19 in discussing
   above suggestion for next step:
    http://lists.oasis-open.org/archives/xacml/200902/maillist.html
  Summary comments by Rich which give more concrete foundation
   for next step proposed above:
    http://lists.oasis-open.org/archives/xacml/200902/msg00034.html

    Rich: summarized emails

    Hal: clean up terminology
    Hal: single vs multiple roots
    Seth: look at how people actually; what is missing is the intent
	of what spec is trying to do; not walk up hierarchy, but
	here is a resource;
	intent: here is a resource - relation w other resources
	 for convenience want to encode as one thing vs another.
	
    Hal: single vs multi - envision some of this as division of 
	labor between context handler and pdp. current approach
	say ch is responsible for setting things up
	Rich wants to move knowledge of relations to policy side.
    Hal: scheme for xml resources

    Rich: look at last email; look at wd-04; should give enough
	total context to understand whole issue.


 (refs from last week, retained for context)
 v3.0 Hierarchical Resource Profile Proposal (wd-04)
  http://lists.oasis-open.org/archives/xacml/200901/msg00079.html
 Erik's example to incorporate:
  http://lists.oasis-open.org/archives/xacml/200901/msg00037.html
 hierarchical node id datatype (xacml-comment):
  http://lists.oasis-open.org/archives/xacml/200901/msg00056.html
 question on hierarchical progenitor node (xacml-comment):
  http://lists.oasis-open.org/archives/xacml-comment/200901/msg00004.html
 hierarchical examples Erik says are in conformance tests:
  http://lists.oasis-open.org/archives/xacml-comment/200810/msg00003.html

RBAC Profile
 Darran follow-up to discussion in 5-Feb-09 minutes:
 (no change: Darran has indicated will produce proposal that can
  be defined within current RBAC profile functional domain)
  http://lists.oasis-open.org/archives/xacml/200902/msg00008.html
