Submissions of XACML updates to ITU: questions

[James Bryce Clark <jamie.clark@oasis-open.org>]

Summary:  We must pass on some estimates to ITU about likely
availability of XACML v3 and related/profile material.  See the
questions (a), (b) & (c) below.

As you know, XACML v2 was submitted to and approved by ITU-T in 2006
as ITU Recommendation X.1142.  (See
http://www.oasis-open.org/apps/org/workgroup/xacml/email/archives/200605/msg00003.html)
 I believe this included all elements then part of the 2005 OASIS
Standard, e.g., the then-current RBAC, SAML, XML D-Sig and privacy
policy profiles.

ITU-T's Study Group 17 on Security, the host panel for the 2006
submission who now has reorganized for next multi-year study period,
formally has asked us to submit relevant updates of XACML, for similar
transposition.  OASIS' Liaison Policy
(http://www.oasis-open.org/committees/liaison_policy.php#submitwork)
suggests that we consult with the TC about this.

As you probably know, generally we send only artifacts approved under
the TC Process at the "OASIS Standard" and "Approved Errata" levels up
to the global de-jure SSOs.  Currently, I am aware of a number of
XACML items which may be the basis for a submission to ITU, but none
of which have yet reached that approval level:

1.  January 2008 set of v2 errata that apparently were not submitted
as official "Approved Errata" under our rules
2.  Ongoing work on XACML v3 core (current draft Apr 2009, see
http://lists.oasis-open.org/archives/tc-announce/200905/msg00006.html)
3.  Ongoing work on XACML v2 for Healthcare (current draft Aug 2009)
4.  Additional v3 profiles underway including export compliance (in
public review now) , OpenDocument, IP control (in public review now),
web services and PDP metadata.

In responding to ITU, we would like to:

(a) explain whether the 2008 v2.0 errata are at a level that ought to
be sent to ITU, or why not;
(b) offer a nonbinding estimate date for the OASIS standard submission
of XACML v3.0; and
(c) offer a comment on the likelihood of profiles and ancillary
material being available, rolled up and inserted as part of such a
submission.

Giving the ITU panel a reasonable view into our plans and timing,
based on the TC's expected progress, is a necessary part of our
interorganizational collaboration.  It's to be expected that the ITU
authorities wish their versions also to be kept current with our work.

When and if we make a formal submission, it can be done at the request
of the TC, under Section 1(d) of our Liaison Policy, by a Special
Majority Vote of the TC.  Alternatively, if we have committed to ITU
to send future major versions (as often is requested, and I believe we
did in the 2006 submission), Section 5(b) of the Liaison Policy also
permits the OASIS executive to direct the submission, subject to
appeal.

For now, though, our need is to compose an answer to the three
questions (a), (b) and (c) above, with the help of the TC's experts.
Feedback is welcome and requested, on this list or individually.

Thanks for your attention and happy holidays.

~ James Bryce Clark
~ General Counsel, OASIS
~ http://www.oasis-open.org/who/staff.php#clark