RE: [xacml] XACML versions and ITU

["Barbir, Abbie" <abbie.barbir@bankofamerica.com>]

Hal
We can submit 3.o to itu as an info and asking for review and feed back
We can do the same for errata on 2.0 and work on having it as approved one
This will allow itu to have a copy of know 2.o errata to be used by itu people

I can format the Export Compliance-US Profile and the Intellectual Property Control Profile into itu if need be

Regards
Abbie


-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@oracle.com] 
Sent: Thursday, February 17, 2011 11:34 AM
To: Jamie Clark; xacml@lists.oasis-open.org
Cc: Dee Schur; Robin Cover
Subject: RE: [xacml] XACML versions and ITU

Jamie,

I believe the XACML TC is quite willing and eager to share our completed work with ITU-T. As far as I am aware no one thinks there is a downside to doing this, other than the actual work involved.

As you note, only the XSPA Profile has reached the level of OASIS Standard. It should certainly be submitted to ITU-T. However, there is a slight complicating factor. As I understand it, XSPA is based on healthcare industry standards which are quite US-specific. I further understand that work is in progress to develop a more international version of the healthcare standards which in turn may eventually result in an altered form of the XSPA profile. I do not have any information on the venue or timeframe of this work. For more information on this, contact Mike Davis [Mike.Davis@va.gov] or David Staggs [David.Staggs@va.gov]. As a consequence, this profile may not be of as compelling interest to ITU-T as it might otherwise have been.

As you also noted, XACML 3.0 has reached CS. This represents the bulk of the work of the TC over the last 5 years. Some of the new functionality is quite complex a and as far as is known there is only one implementation in existence and perforce, no interoperability testing has been done. I would suggest that we share this work with ITU-T for informational purposes, but that it would be premature to cast it as an ITU-T recommendation.

There are two additional Profiles which have reached CS which are the Export Compliance-US Profile and the Intellectual Property Control Profile. Although we have not yet received any attestations of use, these Profiles are much simpler and more straightforward and we have more reason to have confidence in their essential correctness. Furthermore they are not dependant on any new features of the 3.0 specifications, but may be used with XACML 2.0 or earlier. Additionally, they represent a type of profile we are interested in encouraging, namely profiles of attributes and values in some application domain. The only downside is that the EC Profile is probably only of interest to people involved in export for the US. However, both are useful as models for future work. I would suggest we share these with ITU-T also.

Finally we come to the somewhat sore subject of Errata. Although there are a number of known Errata to XACML 2.0 and the TC has been maintaining an updated version of the 2.0 specifications, with the Errata applied, we have not been able to find a volunteer to create an Errata difference file suitable to vote as Approved Errata according to the TC Process. The relevant changes have been included in XACML 3.0, so I suppose eventually 2.0 Errata will become moot, but at the moment it is the basis of most implementations. In any event, 2.0 corresponds to the ITU-T recommendation. I have no suggestions for resolving this issue.

Hal

> -----Original Message-----
> From: Jamie Clark [mailto:jamie.clark@oasis-open.org]
> Sent: Friday, February 11, 2011 1:30 PM
> To: xacml@lists.oasis-open.org
> Cc: Dee Schur; Robin Cover
> Subject: [xacml] XACML versions and ITU
> 
> 
> Good morning. I'm writing to inquire and provide information about 
> plans for future continued interoperability between the XACML TC and 
> the ITU panel (SG17) that endorsed XACML v2 in 2006.
> 
> At the institutional level, OASIS and ITU are discussing the 
> continuing maintenance of the various specs which we have shared 
> (resulting in concurrent official ITU-T Recommendation status), which 
> as you know includes SAML.
> 
> The ITU community generally expects that, as we version or update 
> standards with stable new releases, we will keep our strategic partner 
> in the loop, so to speak, by also submitting them forward.  Otherwise 
> we put other collaborative SDOs in a tough position, if  OASIS has 
> released, and tooling is out, creating user demand for a final vN+1, 
> but at a time when ISO, ITU or etc. only has the prior vN.  We think 
> that a number of our best standards have benefited greatly from ISO, 
> ITU, JTC1 or similar global de jure sanction, particularly in global 
> government adoption.  So we'd like to faithfully maintain those 
> partnerships, within the boundaries of our rules & what our members 
> support.
> 
> ITU SG17 has formally asked us for a statement of intent, and we 
> should reply in a clear manner, well in advance of ITU SG17's next 
> working plenary in April 2011.  .
> 
> In the case of XACML, we have a v3.0 set plus profiles, which have not 
> advanced to OASIS Standard status, the usual gating factor for 
> re-submission to external SDOs under our Liaison Policy.  Several new 
> members have joined the TC, perhaps raising the ease of collecting 
> statements of use and making an OS submission.
> 
> We also have the XSPA-XACML for Healthcare profile v1, approved as an 
> OASIS Standard in November 2009.  It might seem off to an external 
> constituency that we confer that highest level of approval, but do not 
> forward it to the other SDO collaboratively endorsing the work.  That 
> same comment would apply to any definitive stable published errata 
> applicable to v2.0.  Is there any reason *not* to share those 
> completed artifacts with ITU at this time?
> 
> The TC's views on this should be shared with ITU.  I will make myself 
> available at a TC teleconference (or whatever sort of e-mail or 
> similar remote exchange might work better) in order to seek input, 
> answer any questions that I can, and discuss this further.
> 
> Thanks for your time & attention on a tough constellation of issues.
> 
> Regards  Jamie
> 
> ~ James Bryce Clark
> ~ General Counsel, OASIS
> ~ http://www.oasis-open.org/who/staff.php#clark  @JamieXML
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that 
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgr
> oups.php
> 
> 
>

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 

----------------------------------------------------------------------
This message w/attachments (message) is intended solely for the use of the intended recipient(s) and may contain information that is privileged, confidential or proprietary. If you are not an intended recipient, please notify the sender, and then please delete and destroy all copies and attachments, and be advised that any review or dissemination of, or the taking of any action in reliance on, the information contained in or attached to this message is prohibited. 
Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Sender. Subject to applicable law, Sender may intercept, monitor, review and retain e-communications (EC) traveling through its networks/systems and may produce any such EC to regulators, law enforcement, in litigation and as required by law. 
The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or free of errors or viruses. 

References to "Sender" are references to any subsidiary of Bank of America Corporation. Securities and Insurance Products: * Are Not FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a Condition to Any Banking Service or Activity * Are Not Insured by Any Federal Government Agency. Attachments that are part of this EC may have additional important disclosures and disclaimers, which you should read. This message is subject to terms available at the following link: 
http://www.bankofamerica.com/emaildisclaimer. By messaging with Sender you consent to the foregoing.