Subject: Minutes for 20 May 2010 TC Meeting
Time: 13:00 EDT
Tel: 513-241-0892 Access Code: 65998

Agenda/Minutes for 20 May 2010 TC Meeting:

13:00 - 13:05 Roll Call & Approve Minutes:

Voting Members
  Erik Rissanen    Axiomatics AB
  Gareth Richards  EMC Corporation
  Bill Parducci    Individual
  Roy D'Souza      Microsoft Corporation
  Naomaru Itoi     NextLabs, Inc.
  Rich Levinson    Oracle Corporation
  Hal Lockhart     Oracle Corporation
  David Staggs     Veterans Health Administration

Members
  Jan Herrmann     Individual

we have quorum

Approve Minutes:
  6 May 2010 TC Meeting
  http://lists.oasis-open.org/archives/xacml/201005/msg00022.html
  updated:
  http://lists.oasis-open.org/archives/xacml/201005/msg00026.html

  hal: any objection to unanimous approval?
  approved no objection

Administrivia

  IPC Profile - CD 02 uploaded by John Tolbert
  http://lists.oasis-open.org/archives/xacml/201005/msg00023.html

XACML v3 Status

  XACML CD 30 day Public Review Announced:
  http://lists.oasis-open.org/archives/xacml/201005/msg00030.html

    eXtensible Access Control Markup Language (XACML) Version 3.0
    SAML 2.0 Profile of XACML Version 2.0
    XACML v3.0 Multiple Decision Profile Version 1.0
    XACML v3.0 Hierarchical Resource Profile Version 1.0
    XACML Intellectual Property Control (IPC) Profile Version 1.0

  public review ends June 6, 2010

  note: originally there was some distinction separating the schedule for the IPC Profile, but that no longer exists

Issues/Topics

  Key References - repost by Paul
  http://lists.oasis-open.org/archives/xacml/201005/msg00027.html

  Hal: attributes w unique values - as far as policy language - amf addresses some of these issues; is against a class of attrs handled in special way; was done in 2.0 which seemed to be a mistake; prefers the language to unambiguously deal w attrs; but req/rsp correlation and using 1 attr value to find other attr values - seems to imply an inherent assumption in xacml - in context of multi decision, hal asserts when initial request is made it is expected that there be sufficient info in the values of the multi-request to allow distinguishing one request from another. ex 2 identical subjects; on one resource is effectively the same request. assert that would get the same answer - has implications for possible correlation of the responses to the requests.

  Erik: in old discussion concluded that could always add in a distinguishing attr to identify.

  Hal: initial set of attr values in req-ctx; pip may provide additional attrs that are filled in; believes there is an assumption that obtaining those additional attrs is based on info already in the context;

  Rich: a request could come in w just resource and subject and the policy could require an action and call out to context handler to get action from a pip.

  Hal: Paul is not in attendance today, so this discussion is just background for when he is present to further explain the "key" requirements.

  Ontology Discussion (see minutes from last meeting)

  Rich: reviewed it and seems like a good description:
  http://wiki.oasis-open.org/xacml/XACMLandRDF

  Hal: what about the issue 2 on the list.

  Rich: on the id of elements in rdf, rich agrees w hal and does not see the issue on distinguishing subjects, resources, and actions by URI alone, since by simply associating the desired URIs w the subject-id, resource-id, and action-id, as values of those respective attributes, that as far as the xacml policy is concerned, the task has been accomplished.

  Rich: in summary, the wiki refers to an abstract "Common Logic" and presumably the RDF vocabulary etc can be represented in terms of common logic and then reinterpreted within xacml policies as needed as a dialect of that common logic in xacml. Then the RDF world would simply need to funnel its az requests thru a common logic mapper to produce xacml requests.

  Hal: any other business?
  No other business.

Next meeting June 3, same time, phone#.