Subject: Minutes for 6 May 2010 TC Meeting - UPDATED
Time: 13:00 EDT
Tel: 513-241-0892 Access Code: 65998
Note: updated attendance list

Agenda for 6 May 2010 TC Meeting:

10:00 - 10:05 Roll Call & Approve Minutes

Attendance:
Erik Rissanen
Paul Tyson
Jan Herrmann
Bill Parducci
Roy D'Souza
Rich Levinson
Hal Lockhart
John Tolbert
Duane DeCouteau
Nao Itoi

9/16 appears to be quorum, but need to check the attendance lists to get up to date.

Approve Minutes: 22 April 2010 TC Meeting
http://lists.oasis-open.org/archives/xacml/201004/msg00013.html
Hal: approve minutes? Approved: no objection.
Hal: add item to agenda on PAOS, will explain later.

Administrivia

IAS-WG (Kantara Identity and Access Group - John Tolbert referenced):
http://lists.oasis-open.org/archives/xacml/201004/msg00014.html
John: effort initiated at Burton a year ago, and the group decided Kantara was a good forum. Had inaugural kickoff recently, with use cases focused on authorization. Collecting use cases and are getting a variety of responses to work with. Will attempt to identify gaps, etc. Looking for a reasonable time to meet regularly. San Diego conference in late July, may present use cases there.

OASIS Identity Management Conference (Washington DC) (Jane Harnad announced call for presentations):
http://lists.oasis-open.org/archives/xacml/201005/msg00000.html
Dates to Remember:
- Proposals due by – 4 June 2010
- Notifications will be sent by – 7 July 2010
- Conference Dates – 27–28 September 2010

Jan: is Kantara related to User Managed web resources?
John: knows about UMA with Eve etc.
- consumer b2b user-facing identity model.
Jan: explained to UMA about XACML, but there was not really time to examine overlap or other; OAuth is their "main" central focal point.
Hal: they left holes in OAuth: authentication methods, what does your authorization token look like.
Hal: is it enterprise focus or enterprise/govt view vs
John: yes, focus is enterprise/govt as opposed to consumer facing.

V3 Status:
Erik provided fixes to TC-Admin comments; this email has links to the comments and the related fixes:
http://lists.oasis-open.org/archives/xacml/201005/msg00009.html
Also there were updates to 4 of the above docs:
http://lists.oasis-open.org/archives/xacml/201005/msg00017.html
As well as updates from John for the IPC doc:
http://lists.oasis-open.org/archives/xacml/201005/msg00019.html
Hal: we have sent off 4 of the docs + IPC to go to 2nd public review. Have made all the asked-for changes. Appears changes required by TC-Admin are "administrative" and don't require recycling of the votes. The 4 docs have been changed since 1st public review, but RBAC, privacy, dsig, and admin have remained constant, so no further public review is needed.

Latest versions of the documents have been updated on the TC main page:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml

New Issues:

Old Issues/Discussion:

From Mar 11 agenda/minutes:
******************************
Ontology Decision Point: discussion from last meeting - any follow-up:
http://lists.oasis-open.org/archives/xacml/201002/msg00021.html
Original refs:
http://lists.oasis-open.org/archives/xacml-comment/201002/msg00000.html
http://lists.oasis-open.org/archives/xacml-comment/201002/msg00001.html
Paul: there is a conference coming up (discussed below):
http://lists.oasis-open.org/archives/xacml/201003/msg00007.html
Paul: update on RDF page:
http://wiki.oasis-open.org/xacml/XACMLandRDF
Paul: do we need to respond to the issue on the ontology decision point?
http://lists.oasis-open.org/archives/xacml-comment/201002/msg00000.html
Hal: we should probably put it in the wiki so we don't lose it.
******************************

Hal: might want to support more complex relationships in the XACML language. Prime candidate is the "is a" relationship, e.g. team leader "is a" team member, i.e. semantic inheritance between attributes. Potential for subtle confusion, e.g. employees vs contractors. Today: can have attribute sources that can expand inheritance. Also: could have semantics in the context handler, in the resources, or in the language (with changes).
Paul: context handler can be done today, because XACML doesn't prevent it; any form of entailment is not prohibited.
Hal: a profile could describe context handler specifics.
Paul: can't say "John Doe" in a XACML request; have to say the person who is "John Doe", i.e. XACML is an adjective language and nouns are needed. Semantically different from RDF, which has semantically blank nodes; anonymous. Wiki page: http://wiki.oasis-open.org/xacml/XACMLandRDF
Paul: somewhere in the enterprise can get attributes; originally wanted to name the URI; with a SPARQL query (select attributes where doc is URI) the request context would be populated with everything that is needed.

Hal: what is the issue with treating the key as an attribute? The notion that everything is described by its attributes is pretty well embedded in XACML. What is the case for describing resources with another paradigm?
Paul: it is a shift to using URIs to stand for the thing itself; implies syntactic differences.
Hal: sees a philosophical difference but not an operational one.
Paul: it would require adding an XML tag; would be up to implementers to recognize and utilize it.
Erik:
Paul: no uniqueness requirements on attributes.
Erik: idea of needing a unique key; may be different names for things.
Hal: one object can have several URIs, but one URI should address a specific object.
Paul: keys were brought up once before; might need a key identification utility; Paul will post refs.
Paul: before we get into details we should look at what we are trying to do as a TC with the technology. On the wiki page has mentioned 5 topics: map to categories: resource, action, etc. can be called classes; formality to close the loop.
From Wiki: The possible work items of the TC include:
- Normative formal RDF/OWL definitions of the XACML ontology (attributes, resources, subjects, actions).
- Add provisions in the request/response syntax to identify resources, subjects, and actions by URI alone.
- Extend the policy language to test ontological conditions such as subclass membership and class relations.
- Guidelines or best practices for semantically-enabled context handlers, including 2-way translation of XACML request context to RDF model.
- Profile describing the use of RDF for attribute metadata.
Erik: could do things with subclasses.
Paul: but would need a context handler.
Erik: context handler ok.
Paul: person on the list was looking for security classifications, top secret, secret, etc.
Hal: doesn't scale for large numbers of choices; example with ebXML has roles that are complete proper subsets of other roles, in a hierarchy.
Paul: RuleML has a very simple method to specify some of these relations.

Hal: becomes a whole new issue because scope is across many policies.
Roy: integrating reasoning into the policy language makes things difficult; can always put the outcome of reasoning into the request.
Paul: need to distinguish reasoning based on business rules vs those based on your ontology structure. Rather than put the hierarchy in, they use the context handlers to do this work.
Hal: concerned about policy schemes that are somewhere else besides the XACML policy. After discussion with Steve Hanna; have gotten around some issues by using PAOS; need one protocol for policy distribution; client always posts a pending request until you have something. PAOS is defined in SAML as an SSO profile; looking for more info. Wants to hear from anyone who has knowledge of real-world operational experience running PAOS or something equivalent; don't change the protocol but reverse the sense of it; make requests with your responses.

Next call May 20.
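The "is a" entailment in a context handler that Hal and Paul discuss above (expand an attribute bag through a declared hierarchy before the PDP sees it, so the policy language itself is unchanged) is shown below as an added illustration. This is example code written for these minutes, not code from the XACML TC, any XACML implementation, or the wiki page; the role hierarchy, the urn:example attribute ids, the policy, and the first-applicable combining rule are all constructed assumptions. It also covers the employees-vs-contractors caveat: a value only entails what the hierarchy explicitly declares for it.

```python
"""Added example: a context handler that performs "is a" entailment over
subject attributes before a deliberately minimal policy evaluation.
Everything here is constructed for illustration: the role hierarchy, the
attribute ids and the policy are NOT from the XACML spec or the minutes."""
from collections import deque

# Constructed "is a" hierarchy, child -> set of direct parents. Note that
# "contractor" deliberately does not entail "employee": inheritance must be
# declared explicitly, never assumed from naming.
ROLE_IS_A = {
    "team-leader": {"team-member"},
    "team-member": {"employee"},
    "contractor": set(),
}

# Which attribute ids the handler may expand, and with which hierarchy.
# Constructed ids; a real deployment would use its own attribute URIs.
EXPANDABLE = {"urn:example:attr:role": ROLE_IS_A}


def entail(values, hierarchy):
    """Return the given values plus every ancestor reachable through
    "is a" edges (transitive closure). The visited set keeps this safe on
    hierarchies that accidentally contain a cycle."""
    closure = set()
    queue = deque(values)
    while queue:
        value = queue.popleft()
        if value in closure:
            continue
        closure.add(value)
        queue.extend(hierarchy.get(value, ()))
    return closure


def expand_request(request):
    """Context handler step: copy the request and replace each expandable
    attribute bag with its entailed closure. The PDP then sees plain
    attribute bags, exactly as it does today; no language change needed."""
    expanded = {}
    for attr_id, bag in request.items():
        hierarchy = EXPANDABLE.get(attr_id)
        expanded[attr_id] = entail(bag, hierarchy) if hierarchy else set(bag)
    return expanded


# Constructed policy: ordered rules, first applicable wins, default Deny.
# Each rule requires every listed attribute id to contain the listed value.
POLICY = [
    ("Permit", {"urn:example:attr:role": "employee",
                "urn:example:attr:action": "read"}),
    ("Permit", {"urn:example:attr:role": "team-leader",
                "urn:example:attr:action": "approve"}),
]


def evaluate(request):
    """Evaluate POLICY against an already-expanded request."""
    for effect, conditions in POLICY:
        if all(value in request.get(attr_id, set())
               for attr_id, value in conditions.items()):
            return effect
    return "Deny"


def decide(raw_request):
    """Full path: context handler expansion, then PDP evaluation."""
    return evaluate(expand_request(raw_request))


if __name__ == "__main__":
    leader = {"urn:example:attr:role": {"team-leader"},
              "urn:example:attr:action": {"read"}}
    contractor = {"urn:example:attr:role": {"contractor"},
                  "urn:example:attr:action": {"read"}}
    print(decide(leader))       # Permit: team-leader entails employee
    print(decide(contractor))   # Deny: contractor does not entail employee
```

Keeping the hierarchy in the context handler rather than in each policy is the trade-off Roy and Paul describe: the reasoning outcome is put into the request, so policies stay simple, but the hierarchy then lives outside the XACML policy and has to be governed and reviewed as carefully as the policies themselves.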