Subject: Re: FW: [xacml] Groups - Export Control - U.S. (EC-US)
John,

See inline.

Tolbert, John W wrote:
> Replies inline...
>
>> Section 2.2, about subject nationality: It uses "RECOMMENDED" for the
>> use of ISO country codes. Maybe this should be MUST to make it more
>> interoperable?
>
> JT: We had thought that it might be better to leave it up to
> implementers to decide if they should use 2- or 3-letter country codes.

I think it would be better to make the choice in the spec.

>> Also, it's unclear to me whether the "nationality" attribute lists only
>> those nations where the subject is currently a citizen, or all
>> nationalities the subject has possessed. It doesn't say the latter, but
>> I am asking because there is also a "current-nationality". What's the
>> difference? Is the difference that current nationality is single valued
>> while "nationality" may be multi valued. But then, why would the most
>> recently assigned nationality be special?
>
> JT: Current nationality is used for EAR; all nationalities are
> considered for ITAR. We would expect that all nationalities would be
> returned in a bag of attribute values for ITAR decisions.

This doesn't quite answer my question. Consider the following example (not sure if this would actually work with these countries, so it's hypothetical only):

George was born in Vietnam and became a Vietnamese national at birth. When he was 3 years old, he moved to Spain and when he became an adult, he acquired Spanish citizenship and revoked his Vietnamese citizenship. Later he moved to the UK and acquired a UK citizenship as well, but kept his Spanish citizenship.

As the text is written, my interpretation is that in this case the attributes for him would be:

nationality = {spain, uk}
current-nationality = {uk}

Is this correct? Vietnamese does not show up anywhere, right? If so, I propose that current-nationality be renamed to "most-recent-nationality-acquired".

BTW, it would be nice to include an example such as this in the profile.

>> 2.2.5: what is the definition of a "US person". Maybe you can refer to
>> some EC law which defines it?
>
> JT: See http://www.access.gpo.gov/bis/ear/pdf/744.pdf

Could you refer to this document in the spec?

>> General: Would it be good if there were some general text which
>> explains why these attributes are sufficient and/or useful for the
>> purposes of export control?
>
> JT: See http://www.bis.doc.gov/licensing/exportingbasics.htm. This is a
> really good resource.

Perhaps a non-normative reference for "more reading" at this link would be good to include?

> Thanks
>
> -----Original Message-----
> From: Erik Rissanen [mailto:erik@axiomatics.com]
> Sent: Monday, May 18, 2009 8:02 AM
> To: Tolbert, John W
> Cc: xacml@lists.oasis-open.org
> Subject: Re: [xacml] Groups - Export Control - U.S. (EC-US) (xacml-3.0-ec-us-v1-spec-wd-01-en.doc) uploaded
>
> Hello John,
>
> This looks good to me. A couple of notes:
>
> Section 2.2, about subject nationality: It uses "RECOMMENDED" for the
> use of ISO country codes. Maybe this should be MUST to make it more
> interoperable?
>
> Also, it's unclear to me whether the "nationality" attribute lists only
> those nations where the subject is currently a citizen, or all
> nationalities the subject has possessed. It doesn't say the latter, but
> I am asking because there is also a "current-nationality". What's the
> difference? Is the difference that current nationality is single valued
> while "nationality" may be multi valued. But then, why would the most
> recently assigned nationality be special? The doc is probably as you
> intended, but for me reading, it's a bit confusing why it would be like
> this. But I don't know much about the US EC regulations... :-)
>
> Section 2.2.3, the location attribute: Do you need a value for if the
> subject is located outside any country, like on international waters?
> BTW, the same about citizenship. There are people who have no
> citizenship.
>
> BTW, the location attribute may be difficult to authenticate securely
> since it is very easy to proxy a network connection through a middle man
> located wherever in the world.
>
> 2.2.5: what is the definition of a "US person". Maybe you can refer to
> some EC law which defines it?
>
> General: Would it be good if there were some general text which explains
> why these attributes are sufficient and/or useful for the purposes of
> export control?
>
> Best regards,
> Erik
>
> john.w.tolbert@boeing.com wrote:
>> Working draft for XACML EC-US profile (export control - US).
>>
>> -- Mr. John Tolbert
>>
>> The document named Export Control - U.S. (EC-US)
>> (xacml-3.0-ec-us-v1-spec-wd-01-en.doc) has been submitted by Mr. John
>> Tolbert to the OASIS eXtensible Access Control Markup Language (XACML)
>> TC document repository.
>>
>> Document Description:
>> Profile listing attributes for using XACML to make export control (US)
>> authorization decisions.
>>
>> View Document Details:
>> http://www.oasis-open.org/committees/document.php?document_id=32131
>>
>> Download Document:
>> http://www.oasis-open.org/committees/download.php/32131/xacml-3.0-ec-us-v1-spec-wd-01-en.doc
>>
>> PLEASE NOTE: If the above links do not work for you, your email
>> application may be breaking the link into two pieces. You may be able
>> to copy and paste the entire link address into the address field of
>> your web browser.
>>
>> -OASIS Open Administration
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
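
Added example (not part of the original message or of the EC-US profile): the "George" case above worked through in Python, computing the `nationality` bag under both readings raised in the message and `current-nationality` as the most recently acquired citizenship still held. The dates, the ISO alpha-2 encoding, the function names and the `SAMPLE_LISTED` set are assumptions constructed for illustration.

```python
from datetime import date

# Constructed history for the hypothetical "George" in the message; dates are
# invented. Tuples: (ISO 3166-1 alpha-2 code, acquired, renounced or None).
GEORGE = [
    ("VN", date(1970, 1, 1), date(1988, 6, 1)),
    ("ES", date(1988, 6, 1), None),
    ("GB", date(1999, 3, 1), None),
]
# Constructed list for the demo only; not taken from any regulation.
SAMPLE_LISTED = {"VN"}

def _held(history, today):
    # (acquired, code) pairs for citizenships still held on `today`.
    return [(start, code) for code, start, end in history
            if start <= today and (end is None or end > today)]

def held_now(history, today):
    """Reading A of 'nationality': citizenships held on `today`."""
    return {code for _, code in _held(history, today)}

def ever_held(history, today):
    """Reading B of 'nationality': every citizenship acquired up to `today`."""
    return {code for code, start, _ in history if start <= today}

def most_recent(history, today):
    """'current-nationality' as read in the message: the most recently
    acquired citizenship still held, returned as a one-value bag."""
    held = _held(history, today)
    return {max(held)[1]} if held else set()  # empty bag: stateless subject

def attributes(history, today, all_ever=False):
    nat = ever_held(history, today) if all_ever else held_now(history, today)
    return {"nationality": nat,
            "current-nationality": most_recent(history, today)}

def bag_matches(bag, listed):
    """Hypothetical PDP test: is any value of the attribute bag in `listed`?"""
    return bool(bag & listed)

if __name__ == "__main__":
    today = date(2009, 5, 18)
    for all_ever in (False, True):
        attrs = attributes(GEORGE, today, all_ever)
        print(all_ever, attrs, bag_matches(attrs["nationality"], SAMPLE_LISTED))
```

The two readings of `nationality` give different bags for the same subject, so a rule that tests the bag against a country list can return different decisions depending on which reading the attribute source implements.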