Subject: Re: FW: [xacml] Groups - Export Control - U.S. (EC-US)
John,
See inline.
Tolbert, John W wrote:
> Replies inline...
>
>
>> Section 2.2, about subject nationality: It uses "RECOMMENDED" for the
>> use of ISO country codes. Maybe this should be MUST to make it more
>> interoperable?
>
> JT: We had thought that it might be better to leave it up to
> implementers to decide if they should use 2- or 3-letter country codes.
>
I think it would be better to make the choice in the spec.
>> Also, it's unclear to me whether the "nationality" attribute lists only
>> those nations where the subject is currently a citizen, or all
>> nationalities the subject has possessed. It doesn't say the latter, but
>> I am asking because there is also a "current-nationality". What's the
>> difference? Is the difference that current nationality is single valued
>> while "nationality" may be multi valued. But then, why would the most
>> recently assigned nationality be special?
>
> JT: Current nationality is used for EAR; all nationalities are
> considered for ITAR. We would expect that all nationalities would be
> returned in a bag of attribute values for ITAR decisions.
>
This doesn't quite answer my question. Consider the following example
(not sure if this would actually work with these countries, so it's
hypothetical only):

George was born in Vietnam and became a Vietnamese national at birth.
When he was 3 years old, he moved to Spain and when he became an adult,
he acquired Spanish citizenship and revoked his Vietnamese citizenship.
Later he moved to the UK and acquired a UK citizenship as well, but kept
his Spanish citizenship.

As the text is written, my interpretation is that in this case the
attributes for him would be:

nationality = {spain, uk}
current-nationality = {uk}

Is this correct? Vietnamese does not show up anywhere, right? If so, I
propose that current-nationality be renamed to
"most-recent-nationality-acquired".

BTW, it would be nice to include an example such as this in the profile.
>> 2.2.5: what is the definition of a "US person". Maybe you can refer to
>> some EC law which defines it?
>
> JT: See http://www.access.gpo.gov/bis/ear/pdf/744.pdf
>
Could you refer to this document in the spec?
>> General: Would it be good if there were some general text which
>> explains why these attributes are sufficient and/or useful for the
>> purposes of export control?
>
> JT: See http://www.bis.doc.gov/licensing/exportingbasics.htm. This is a
> really good resource.
>
Perhaps a non-normative reference for "more reading" at this link would
be good to include?
> Thanks
>
> -----Original Message-----
> From: Erik Rissanen [mailto:erik@axiomatics.com]
> Sent: Monday, May 18, 2009 8:02 AM
> To: Tolbert, John W
> Cc: xacml@lists.oasis-open.org
> Subject: Re: [xacml] Groups - Export Control - U.S. (EC-US)
> (xacml-3.0-ec-us-v1-spec-wd-01-en.doc)uploaded
>
> Hello John,
>
> This looks good to me. A couple of notes:
>
> Section 2.2, about subject nationality: It uses "RECOMMENDED" for the
> use of ISO country codes. Maybe this should be MUST to make it more
> interoperable?
>
> Also, it's unclear to me whether the "nationality" attribute lists only
> those nations where the subject is currently a citizen, or all
> nationalities the subject has possessed. It doesn't say the latter, but
> I am asking because there is also a "current-nationality". What's the
> difference? Is the difference that current nationality is single valued
> while "nationality" may be multi valued. But then, why would the most
> recently assigned nationality be special? The doc is probably as you
> intended, but for me reading, it's a bit confusing why it would be like
> this. But I don't know much about the US EC regulations... :-)
>
> Section 2.2.3, the location attribute: Do you need a value for if the
> subject is located outside any country, like on international waters?
> BTW, the same about citizenship. There are people who have no
> citizenship.
>
> BTW, the location attribute may be difficult to authenticate securely
> since it is very easy to proxy a network connection through a middle man
> located wherever in the world.
>
> 2.2.5: what is the definition of a "US person". Maybe you can refer to
> some EC law which defines it?
>
> General: Would it be good if there were some general text which explains
> why these attributes are sufficient and/or useful for the purposes of
> export control?
>
> Best regards,
> Erik
>
>
>
> john.w.tolbert@boeing.com wrote:
>
>> Working draft for XACML EC-US profile (export control - US).
>>
>> -- Mr. John Tolbert
>>
>> The document named Export Control - U.S. (EC-US)
>> (xacml-3.0-ec-us-v1-spec-wd-01-en.doc) has been submitted by Mr. John
>> Tolbert to the OASIS eXtensible Access Control Markup Language (XACML)
>> TC document repository.
>>
>> Document Description:
>> Profile listing attributes for using XACML to make export control (US)
>> authorization decisions.
>>
>> View Document Details:
>> http://www.oasis-open.org/committees/document.php?document_id=32131
>>
>> Download Document:
>> http://www.oasis-open.org/committees/download.php/32131/xacml-3.0-ec-us-v1-spec-wd-01-en.doc
>>
>> -OASIS Open Administration
>
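
An added example, not part of the original message or the EC-US draft: George's attributes from the reply above, evaluated under a hypothetical pair of rules (the ITAR-style check reads the whole nationality bag, the EAR-style check reads only current-nationality), to show how leaving the 2- or 3-letter choice to implementers lets a string comparison miss silently. The deny list, the function names and the small code map are constructed for illustration.

```python
# Added example: constructed data, not part of the EC-US draft.
# ISO 3166-1 alpha-3 -> alpha-2 for the countries in the thread's example only.
ALPHA3_TO_ALPHA2 = {"VNM": "VN", "ESP": "ES", "GBR": "GB"}
KNOWN_ALPHA2 = set(ALPHA3_TO_ALPHA2.values())


def normalize(code):
    """Canonicalise to upper-case alpha-2; fail closed on anything unknown."""
    c = code.strip().upper()
    if c in ALPHA3_TO_ALPHA2:
        return ALPHA3_TO_ALPHA2[c]
    if c in KNOWN_ALPHA2:
        return c
    raise ValueError(f"unrecognised country code: {code!r}")


def any_match(bag, listed, canon=lambda v: v):
    """True if any bag value equals any listed value (plain string equality,
    as a PDP comparing string attributes would do)."""
    return bool({canon(v) for v in bag} & {canon(v) for v in listed})


def decide(subject, listed, canon=lambda v: v):
    """Hypothetical rules following the thread: the ITAR-style check looks at
    the whole nationality bag, the EAR-style check only at current-nationality."""
    itar_hit = any_match(subject["nationality"], listed, canon)
    ear_hit = any_match(subject["current-nationality"], listed, canon)
    return {"itar": "Deny" if itar_hit else "Permit",
            "ear": "Deny" if ear_hit else "Permit"}


# George as read in the reply above; this attribute source emits alpha-3 codes.
GEORGE = {"nationality": ["ESP", "GBR"], "current-nationality": ["GBR"]}
# Constructed deny list written with alpha-2 codes; illustration only,
# not a real regulatory list.
LISTED = ["ES"]

if __name__ == "__main__":
    print("raw string match:", decide(GEORGE, LISTED))
    print("normalised      :", decide(GEORGE, LISTED, normalize))
```

With raw string equality the alpha-3 bag never matches the alpha-2 list, so the bag-based rule permits; once both sides are normalised it denies, while the current-nationality rule still permits.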