
Subject: Minutes for 6 May 2010 TC Meeting

Time: 13:00 EDT
Tel: 513-241-0892 Access Code: 65998

Agenda for 6 May 2010 TC Meeting:

10:00 - 10:05 Roll Call & Approve Minutes:

Erik Rissanen
Paul Tyson
Jan Herrmann
Bill Parducci
Roy D'Souza
Rich Levinson
Hal Lockhart
John Tolbert
Duane DeCouteau

	9/16 appears to be quorum, but need to check the
	attendance lists to get up to date

Approve Minutes:
 22 April 2010 TC Meeting

    Hal: approve minutes? approved: no objection

    Hal: add item to agenda on PAOS, will explain later


 IAS-WG: (Kantara Identity and Access Group - John Tolbert ref'd):

    John: effort initiated at Burton a year ago, and the group
	decided Kantara good forum. Had inaugural kickoff recently,
	w use cases focused on authorization. Collecting use cases
	and are getting variety of responses to work with.
	Will attempt to identify gaps, etc. Looking for reasonable
	time to meet regularly.

	San Diego conf in late July, may present use cases there.

 OASIS Identity Management Conference (Wash DC)
 (Jane Harnad announced call for presentations):
	Dates to Remember:
	 - Proposals due by – 4 June 2010
	 - Notifications will be sent by – 7 July 2010
	 - Conference Dates – 27–28 September 2010

    Jan: is Kantara related to User mgd web resources?
    John: knows about UMA w Eve etc. - consumer b2b user facing
	identity model;
    Jan: explained to UMan about XACML, but there was not really
	time to examine overlap or other; OAuth is their "main"
	central focal point;
    Hal: they left holes in OAuth: authentication methods, what
	does your authorization token look like
    Hal: is it enterprise focus or enterprise/govt view vs
    John: yes focus is ent/govt as opposed to consumer facing

 V3 Status:  Erik provided fixes to TC-Admin comments, this email
  has links to the comments and the related fixes:
  also there were updates to 4 of the above docs:
  as well as updates from John for the IPC doc:

    Hal: we have sent off 4 of the docs + IPC to go to 2nd pub rev.
	have made all the asked-for changes. Appears chgs reqd by
	tc-admin are "administrative" and don't require recycling
	of the votes.

	The 4 docs have been changed since 1st pub review, but
	rbac, privacy, dsig, and admin have remained constant
	so not needed further pub review.

 latest versions of documents available have been updated
  on the TC main page 

New Issues:

Old Issues/Discussion:

 from Mar 11 agenda/minutes:
  Ontology Decision Point: discussion from last mtg - any follow-up:
   original refs:
	Paul: there is conf coming up (discussed below):
	Paul: update on rdf page;
	Paul: do we need to respond to issue on ontology decision point
	Hal: we should probably put in wiki since we don't lose it.

    Hal: might want to support more complex relationships in xacml language.
     prime candidate is the "is a" relationship. ex. team leader "is a" team
     member: i.e. semantic inheritance between attrs.
     potential for subtle confusion: ex. employees vs contractors
     today: can have attr sources that can expand inheritance.
     also: could have semantics in context handler, in the resources,
	or in the language (w chgs)

    Paul: context handler can be done today, because xacml doesn't prevent it,
	any form of entailment not prohibited.
    Hal: profile could describe context handler specifics.

    Paul: can't say "John Doe" in a xacml req; have to say
	  the person who is "John Doe"

	i.e. xacml is an adjective language and nouns are needed

	semantically different from rdf; has semantically blank nodes;

	wiki page:

    Paul: somewhere in enterprise can get attrs; originally wanted to
	name the URI; w sparql query: select attrs where doc is URI
	req context would be populated with everything that is needed.
    Hal: what is the issue of treating the key as an attr. Notion that
	everything is described by its attrs is pretty well embedded
	in xacml; What is case for describing resources w another

    Paul: it is shift for using URIs to stand for the thing itself;
	implies syntactic differences;

    Hal: sees philosophical difference but not operational

    Paul: it would require adding an xml tag 
	would be up to implementers to recognize and utilize it.


    Paul: no uniqueness reqts on attrs

    Erik: idea of needing a unique key; may be different names for things.

    Hal: one object can have several URIs, but one URI should address
	a specific object.

    Paul: keys were brought up once before; might need a key identification
     utility; Paul will post refs.

    Paul: before we get into details we should look at what we are trying
	to do as a TC w the technology.

	On wiki page has mentioned 5 topics:

	map to categories: resource, action, etc. can be called classes; formality
	 to close the loop; 

 From Wiki:
  The possible work items of the TC include: 

    Normative formal RDF/OWL definitions of the XACML ontology (attributes, 
	resources, subjects, actions). 

    Add provisions in the request/response syntax to identify resources, 
	subjects, and actions by URI alone. 

    Extend the policy language to test ontological conditions such as subclass 
	membership and class relations. 

    Guidelines or best practices for semantically-enabled context handlers, 
	including 2-way translation of XACML request context to RDF model. 

    Profile describing the use of RDF for attribute metadata. 

    Erik: could do things w subclasses
    Paul: but would need context handler
    Erik: context handler ok
    Paul: person on list was looking for security classifications, 
	top secret, secret, etc.
    Hal: doesn't scale for large numbers of choices; example w ebxml
	has roles that are complete proper subset of other roles,
	in a hierarchy.

    Paul: RuleML has very simple method to specify some of these relations.
    Hal: becomes whole new issue because scope is across many policies

    Roy: if integrating reasoning to policy language makes things 
	difficult; can always put outcome of reasoning into the

    Paul: need to distinguish reasoning based on business rules vs those
	based on your ontology structure. Rather than put the hierarchy
	in they use the context handlers to do this work.

    Hal: concerned about policy schemes that are somewhere else besides
	the xacml policy;
	After disc w Steve Hanna; have gotten around some issues by
	using PAOS, need one protocol for policy distribution; client
	always posts a pending request until you have something
	PAOS is defined in saml as sso profile; looking for more info.

	Wants to know if anyone has knowledge of real-world operational
	experience running paos or something equivalent; don't change
	protocol but reverse the sense of; make requests with your

  Next call May 20.
