OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Minutes from 4 November 2010 TC Meeting - updated attendance

Time: 13:00 EDT
Tel: 513-241-0892 Access Code: 65998

Minutes from 4 November 2010 XACML TC Meeting:

13:00 - 13:05 Roll Call & Approve Minutes:


Voting Members
Paul Tyson 		Bell Helicopter Textron Inc.
Bill Parducci 		Individual
Naomaru Itoi 		NextLabs, Inc.
Rich Levinson 		Oracle Corporation
Hal Lockhart 		Oracle Corporation
John Tolbert 		The Boeing Company
Mike Davis 		Veterans Health Administration
David Staggs 		Veterans Health Administration

Franz-Stefan Preiss 	IBM

Greg Nevens 		IBM

    Did not achieve quorum at the start of the meeting. Some additional
    members joined later.

Approve Minutes:
21 October 2010 TC Meeting

    Deferred to next meeting

New Oasis TC Proceedings and Definitions (15 Oct 2010)
(same as last meeting: left in place for visibility, reference)

XACML v3 Status (unchanged)
  1 attestation received to date

Issues (carried over from last meeting)
HL7 examples
  There has been a request for clarification with HL7 documents and

  -> [Action] David to propose a specific change and we will discuss
              if it can be handled as errata.

PIP directive proposal: "Telling the PIP where to pull from"
  David Chadwick has raised the concept of additional processing
  associated with PDP <-> PIP interaction:
  additional discussion:
   paul:  http://lists.oasis-open.org/archives/xacml/201010/msg00006.html
   david: http://lists.oasis-open.org/archives/xacml/201010/msg00007.html
   david: http://lists.oasis-open.org/archives/xacml/201010/msg00009.html
   rich:  http://lists.oasis-open.org/archives/xacml/201010/msg00013.html
   david: http://lists.oasis-open.org/archives/xacml/201010/msg00015.html

    Discussion put off until next meeting because David sent regrets
    that he could not be present today.

Guest Presentation (continued)
This presentation will have discussion continued from last meeting.

The pres slides have been uploaded to XACML TC Repository here:

Primelife Project (same background para as last mtg)
  Greg Neven of IBM Research, Zurich will be presenting on overview of
  the Primelife Project with proposals of how XACML and SAML may be
  able to address various requirements associated with this work. A
  presentation from the W3C-sponsored Workshop on Access Control that
  Greg gave may be found here for background reference, a paper entitled:

  "Credential-Based Access Control Extensions to XACML"

Discussion points from last meeting copied from minutes to here for
  reference: today's discussion notes are below:

********* last meeting:
"Discussion: Paul noted that there have been some ontological
  discussions on Attributes that may be applicable to this solution.
  Mike Davis voiced interest in exploring this direction as well.

  H17 noted that they developing simple hierarchical ontologies using
  OWL to the healthcare space.

  Tony raised a question on how anonymized Predicates may be assigned
  to a Subject without compromising anonymity.

  David Chadwick offered that a solution he is working with relies upon
  a localized PIP to address credential validation. Greg noted that
  this is for Attribute values only and not Predicates.

  Paul suggested that the proposed insertion of Conditions into a SAML
  assertion is a concern because they are not the these are not the same
  logical data types."

  follow-up emails since last meeting:
  "Attribute Assertions in XACML request"
   paul:  http://lists.oasis-open.org/archives/xacml/201010/msg00012.html
   greg:  http://lists.oasis-open.org/archives/xacml/201011/msg00001.html

today's mtg:
Hal's notes on Primelife discussion:
  Greg: responded to Hal's question posted by email.
    Condition expression would be used to request assertion asserting
    value of condition. Also used in Assertion to indicate what is
    being asserted.
    Might or might not be used in policy depending on which proposal
    is chosen.

  Paul: commented on the ability to ontologies and reasoning engines
    to implement these capabilities.

  Greg: clarified some of the issue raised by Hal and others by
    reference to slides 11 & 14 in the presentation.

  Rich: outlined an approach to the policy portion of the problem
    using a scheme which was a variation of the simple solution
    presented by Greg and building on the OpenAZ work.

  Hal: asked how the SAML "assertion of a condition" scheme would work
    with anonymous credentials. Greg said that a credential could be
    constructed from which various partial information could be
    extracted, in effect using different signature values. The client
    would hold a credential constructed by the IDP originally.
    The client would be able to construct values to assert different
    expressions from it. It would not be able to do all possible
    XACML conditions, but many useful ones.

  It was agreed to continue discussions on the list.

Rich's notes on PrimeLife discussion at today's meeting:
    Hal: could have PIP evaluate condition: and return boolean
	as attribute value.
    greg: slide 14: 2 possible conditions?
	how to evaluate w external conditions?
      slide 12:
	certified condition?
    hal: property of resource vs property
	"certified condition" a saml assertion certifies a condition
	 to be true (or false);
	condition specified in policy; has missing condition
	what is condition going to be asked for;
	if can teach idp that attr "A" ...
    franz-stephan: what about classes?
    paul: can establish classes of any complexity, etc.
	 defining class of people - can do that - bus rules
	  are represented that way.
    rich: raised issues about where "policy" is actually
	 defined - i.e. in xacml or outside ontological objs?
	 concern is policy concepts leaking outside of xacml
    hal: need more info on crypto aspect of saml
    greg: condition over attrs: signature algorithm over the
	 values of attributes provided.
    hal: wants to know the relation between policy and the
	 evaluation of attrs:
    greg: user has credential, which is a condition over those
	 attrs; certifying of condition will be done by customer.
    hal: will try to pull apart separable issues, plan to
	 present to saml week after next: 16th.

    note: hal suggested slide 7 is really the set of
	use cases to look at to get the concept of the
	expression thing being asked for.

  next call nov 18
  meeting adjourned 2PM ET

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]