[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Minutes for 6 May 2010 TC Meeting - UPDATED
Time: 13:00 EDT
Tel: 513-241-0892 Access Code: 65998
note: updated attendance list
Agenda for 6 May 2010 TC Meeting:
10:00 - 10:05 Roll Call & Approve Minutes:
Erik Rissanen
Paul Tyson
Jan Herrmann
Bill Parducci
Roy D'Souza
Rich Levinson
Hal Lockhart
John Tolbert
Duane DeCouteau
Nao Itoi
9/16 appears to be quorum, but need to check the
attendance lists to get up to date
Approve Minutes:
22 April 2010 TC Meeting
http://lists.oasis-open.org/archives/xacml/201004/msg00013.html
Hal: approve minutes? approved: no objection
Hal: add item to agenda on PAOS, will explain later
Adminsitrivia
IAS-WG: (Kantara Identity and Access Group - John Tolbert ref'd):
http://lists.oasis-open.org/archives/xacml/201004/msg00014.html
John: effort initiated at Burton a year ago, and the group
decided Kantara good forum. Had inaugural kickoff recently,
w use cases focused on authorization. Collecting use cases
and are getting variety of responses to work with.
Will attempt to identify gaps, etc. Looking for reasonable
time to meet regularly.
San Diego conf in late July, may present use cases there.
OASIS Identity Management Conference (Wash DC)
(Jane Harnad announce call for presentations):
http://lists.oasis-open.org/archives/xacml/201005/msg00000.html
Dates to Remember:
- Proposals due by – 4 June 2010
- Notifications will be sent by – 7 July 2010
- Conference Dates – 27–28 September 2010
Jan: is Kantara related to User mgd web resources?
John: knows about UMA w Eve etc. - consumer b2b user facing
identity model;
Jan: explained to UMan about XACML, but there was not really
time to examine overlap or other; OAuth is there "main"
central focal point;
hal: they left holes in OAuth: authentication methods, what
does your authorization token look like
Hal: is it enterprise focus or enterprise/govt view vs
John: yes focus is ent/govt as opposed to consumer facing
V3 Status: Erik provided fixes to TC-Admin comments, this email
has links to the comments and the related fixes:
http://lists.oasis-open.org/archives/xacml/201005/msg00009.html
also there were updates to 4 of the above docs:
http://lists.oasis-open.org/archives/xacml/201005/msg00017.html
as well as updates from John for the IPC doc:
http://lists.oasis-open.org/archives/xacml/201005/msg00019.html
Hal: we have sent off 4 of the docs + IPC to go to 2nd pub rev.
have made all the asked for changes. Appears chgs reqd by
tc-admin are "administrative" and don't require recycling
of the votes.
The 4 docs have been changed since 1st pub review, but
rbac, privacy, dsig, and admin have remained constant
so not needed further pub review.
latest versions of documents available have been updated
on the TC main page
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
New Issues:
Old Issues/Discussion:
from Mar 11 agenda/minutes:
******************************
Ontology Decision Point: discussion from last mtg - any follow-up:
http://lists.oasis-open.org/archives/xacml/201002/msg00021.html
original refs:
http://lists.oasis-open.org/archives/xacml-comment/201002/msg00000.html
http://lists.oasis-open.org/archives/xacml-comment/201002/msg00001.html
Paul: there is conf coming up (discussed below):
http://lists.oasis-open.org/archives/xacml/201003/msg00007.html
Paul: update on rdf page;
http://wiki.oasis-open.org/xacml/XACMLandRDF
Paul: do we need to respond to issue on ontology decision point
http://lists.oasis-open.org/archives/xacml-comment/201002/msg00000.html
Hal: we should probably put in wiki since we don't lose it.
******************************
Hal: might want to support more complex relationships in xacml language.
prime candidate is the "is a" relationship. ex. team leader "is a" team
member: i.e. semantic inheritance between attrs.
potential for subtle confusion: ex. employees vs contractors
today: can have attr sources that can expand inheritance.
also: could have semantics in context handler, in the resources,
or in the language (w chgs)
Paul: context handler can be done today, because xacml doesn't prevent it,
any form of entailment not prohibited.
Hal: profile could describe context handler specifics.
Paul: can't say "John Doe" in a xacml req; have to say
the person who is "John Doe"
i.e. xacml is an adjective language and nouns are needed
semantically different from rdf; has semantically blank nodes;
anonymous
wiki page:
http://wiki.oasis-open.org/xacml/XACMLandRDF
Paul: somewhere in enterprise can get attrs; originally wanted to
name the URI; w sparql query: select attrs where doc is URI
req context would be populated with everything that is needed.
Hal: what is the issue of treating the key as an attr. Notion that
everything is described by its attrs is pretty well embedded
in xacml; What is case for describing resources w another
paradigm
Paul: it is shift for using URIs to stand for the thing itself;
implies syntactic differences;
Hal: sees philosophical difference but not operational
Paul: it would require adding an xml tag
would be up to implementers to recognize and utilize it.
Erik:
Paul: no uniqueness reqts on attrs
Erik: idea of needing a unique key; may be different names for things.
Hal: one object can have several URIs, but one URI should address
a specific object.
Paul: keys were brought up once before; might need a key identification
utility; Paul will post refs.
Paul: before we get into details we should look at what we are trying
to do as a TC w the technology.
On wiki page has mentioned 5 topics:
map to categories: resource, action, etc. can be called classes; formality
to close the loop;
From Wiki:
The possible work items of the TC include:
Normative formal RDF/OWL definitions of the XACML ontology (attributes,
resources, subjects, actions).
Add provisions in the request/response syntax to identify resources,
subjects, and actions by URI alone.
Extend the policy language to test ontological conditions such as subclass
membership and class relations.
Guidelines or best practices for semantically-enabled context handlers,
including 2-way translation of XACML request context to RDF model.
Profile describing the use of RDF for attribute metadata.
Erik: could do things w subclasses
Paul: but would need context handler
Erik: context handler ok
Paul: person on list was looking for security classifications,
top secret, secret, etc.
Hal: doesn't scale for large numbers of choices; example w ebxml
has roles that are complete proper subset of other roles,
in a hierarchy.
Paul: RuleML has very simple method to specify some of these relations.
Hal: becomes whole new issue because scope is across many policies
Roy: if integrating reasoning to policy language makes things
difficult; can always put outcome of reasoning into the
request.
Paul: need to distinguish reasoning based on business rules vs those
based on your ontology structure. Rather than put the hierarchy
in they use the context handlers to do this work.
Hal: concerned about policy schemes that are somewhere else besides
the xacml policy;
After disc w Steve Hanna; have gotten around some issues by
using PAOS, need one protocol for policy distribution; client
always posts a pending request until you have something
PAOS is defined in saml as sso profile; looking for more info.
Wants if anyone who has knowledge of realworld operational
experience running paos or something equivalent; don't change
protocol but reverse the sense of; make requests with your
responses.
Next call May 20.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]