[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Minutes 19 February 2009 TC meeting
Time: 10:00 am EDT
Tel: 512-225-3050   Access Code: 65998

Proposed Agenda for 19-Feb-09 TC Meeting:

10:00 - 10:05 Roll Call

Anil Tappetla regained voting status at end of prev mtg.

Voting Members:
  Erik Rissanen      Axiomatics AB
  Anil Tappetla      Cisco Systems, Inc.
  Rich Levinson      Oracle Corporation
  Hal Lockhart       Oracle Corporation
  Seth Proctor       Sun Microsystems
  John Tolbert       The Boeing Company
  Duane DeCouteau    Veterans Health Administration

10:05 - 10:15 Administrivia

Approve Minutes: 12 February 2009 TC Meeting Minutes
  http://lists.oasis-open.org/archives/xacml/200902/msg00011.html
  approved, no objection

Two xacml events, calls for presentations (just a reminder, nothing new):
  European Identity Conference 2009 (EIC): 5-8 May 2009, Munich, Germany
  European e-ID Management Conference: 25-26 June 2009, London, England
  http://lists.oasis-open.org/archives/xacml/200902/msg00007.html

Hal speaking at RSA in April - last slot in conf this year.
  RSA req to upgrade to advanced talk; assume people know xacml, issues such as we've been grappling w in 3.0.
  Rich: agree - go w advanced.

10:15 - 11:00 Issues

[Documents posted]

XACML 3.0 Core WD08 uploaded by Erik (just a reminder, for review):
  http://lists.oasis-open.org/archives/xacml/200902/msg00003.html

[New Issues]

Comment on combining algorithms in Core WD07; Erik reply directs commenter to WD08:
  http://lists.oasis-open.org/archives/xacml/200902/msg00026.html
Roland responds on WD08:
  http://lists.oasis-open.org/archives/xacml-comment/200902/msg00002.html
  Erik: all ok; Roland agrees w direction; small typo w 2 vars w same name - Erik will fix.

[carryover from previous meetings]

Open Issues in SAML Profile
  Updated status from Erik based on last week's discussion:
  http://lists.oasis-open.org/archives/xacml/200902/msg00013.html
  Erik: 2 residual issues on saml profile.

  1.
  Hal: there are hierarchical roles in middle of req.
  Erik: should only match against provided attr (PEP native attr); "Supplied attrs" from saml protocol.
  Erik: PEP native are key to supplied attrs and recursive from there; samlp:AdditionalAttrs intended to apply to delegates. Holders: who these attrs belong to. HolderAttributes are what is provided. Alice is holder and search 2nd attr: applies to entities that have attr "surgeon" who are also all medical staff. PDP is reqd to do one step; will never match holders against what has been provided as additional attr. 2nd attr: pdp not required to find it; hard to find what's legal and not legal; point is if someone sends it, it will be ignored.
  Hal: one is unique key and other is not - can't tell by looking at it.
  Hal: if every req had different hierarchy defn ...
  Hal: would like to go ahead w option to raise issues later.
  2nd example: alice is surgeon; no direct inheritance between provided attrs, but if context handler finds that all surgeons are medical staff, ...
  Proposal for text at end, just before 2nd issue.
  Erik: also msg 13 - thought spec ...

  2.
  Erik: about policy references; can provide policy, also policy ref so pdp can find it. Currently if policyref, then MUST provide policy.
  Erik: thinks too stringent; org might have known policy-id and would prefer to refer in supplied policies w/o providing; change MUST->MAY.
  Hal: valid policies plus policies from repositories are "pile of policies" (need term other than policy set; PolicyMass): collectively is what decisions are made from, and refs should be able to ref anything in collection; and it can vary from req to req, because supplied policies can differ req->req.
  Hal: try to express this more richly than "MAY".
  Also: Hal will post additional saml related proposal, based on ch 9 of ws-fed spec, w same kinds of options; may want to put it in the saml doc; leverage text; will post for now as free-standing doc.

Multiple Decision Request Proposal
  Erik proposal to add MultiRequest element to core schema:
  http://lists.oasis-open.org/archives/xacml/200902/msg00014.html
  Erik: call it multi-req. Hal: originally was decision, but still has cross product.
  Erik: unsure about xml:id - not required to define in schema to incl - colleague tried it out but didn't work?
  Hal: xml:id built in. Hal: can put xml:id wherever you want; wsu:mumble should match xml:mumble - will try to get us context. Erik: actually when did it, made a mistake, will look into it.
  Hal: 2 issues w id in sig; other issue was canonicalization and blanket rule on all xml:attr - don't want to inherit ids inward the way you do w namespaces; xml:id. Hal: saml has some xml:id in it.
  Hal: interested in comments from implementors.

Hierarchical profile (new discussion from this week)
  Proposed next step suggested by Rich (2/17):
  http://lists.oasis-open.org/archives/xacml/200902/msg00015.html
  Several emails Daniel and Rich between 2/17 and 2/19 discussing above suggestion for next step:
  http://lists.oasis-open.org/archives/xacml/200902/maillist.html
  Summary comments by Rich which give more concrete foundation for next step proposed above:
  http://lists.oasis-open.org/archives/xacml/200902/msg00034.html
  Rich: summarized emails.
  Hal: clean up terminology.
  Hal: single vs multiple roots.
  Seth: look at how people actually ...; what is missing is the intent of what spec is trying to do; not walk up hierarchy, but here is a resource; intent: here is a resource - relation w other resources; for convenience want to encode as one thing vs another.
  Hal: single vs multi - envision some of this as division of labor between context handler and pdp. Current approach says ch is responsible for setting things up; Rich wants to move knowledge of relations to policy side.
  Hal: scheme for xml resources.
  Rich: look at last email; look at wd-04; should give enough total context to understand whole issue.

  (refs from last week, retained for context)
  v3.0 Hierarchical Resource Profile Proposal (wd-04):
  http://lists.oasis-open.org/archives/xacml/200901/msg00079.html
  Erik's example to incorporate:
  http://lists.oasis-open.org/archives/xacml/200901/msg00037.html
  hierarchical node id datatype (xacml-comment):
  http://lists.oasis-open.org/archives/xacml/200901/msg00056.html
  question on hierarchical progenitor node (xacml-comment):
  http://lists.oasis-open.org/archives/xacml-comment/200901/msg00004.html
  hierarchical examples Erik says are in conformance tests:
  http://lists.oasis-open.org/archives/xacml-comment/200810/msg00003.html

RBAC Profile
  Darran follow-up to discussion in 5-Feb-09 minutes (no change: Darran has indicated he will produce a proposal that can be defined within the current RBAC profile functional domain):
  http://lists.oasis-open.org/archives/xacml/200902/msg00008.html