Subject: raw notes from f2f day 1: 8:30-11:00 AM - UPDATED
6/28: UPDATED (added bill to phone attendees)

xacml f2f day one:

wireless logon: guest zxmJPy98 (good today only)

doron can't make it; david chadwick is tied up at airport, will miss AM today

attendees: hal, rich levinson, erik, andy, greg, nevin, jan herrmann, david choy, david button, john tolbert
phone: paul tyson, bill parducci

Erik: submitted wd-21, going thru chgs
  p 45 sec 5.1 combining parameters
  5.14 combining params policy
  7.12 alg applies to rules not target
  7.13 same as above
  7.19.3 remove word and p 105
  p 119 quotes on type
  p 120 deleted a plural 's'
  p 121 added quotes around true
  p 122 added u to urn
  p 127 heading chg
  p 128 2 attr ids w new ones
  p 129 attr cats; multiple times
  p 130 3.0 datatype
  p 134 C.1 clarified text
  p 134 Node children, evaluate also obl, adv not determ
  paul: caught p-code bug length of; erik fixed as we go in 4 places, in wd-22
  p 136 word 'any'
  p 142 dup 's' removed

jan: issue: string not equals has usability issues
hal: easy to find things that match, not so easy to find things that don't match, w hash index
erik: it's a trap to use ne in targets; only works under specific situations; need one and only
jan: svc a,b,c,d,e in root policy say svc ne a, guarantee that descendant policy won't be finding it;
erik: could access by other means, like host names;
jan: if user has mult roles, then role ne;
erik: if want to exclude role, stuff and foo will not work w target; stuff str ne true will match;
erik: can't have conditions in policy, policyset
paul: allof, anyof
erik: only soln is to add condition to policy, policyset
user can't find do for which he is the author
paul: adding not element makes it indexable; blurs target and condition;
hal: original motive not incl condition was to avoid processing overhead
paul: why have targets
erik: indexing policies
erik: would prefer cond to more powerful target
erik: target has builtin anyof
paul: reevaluate scope of variable defns
erik: obl at policyset level, can't have variable defns at policyset level;
erik: versioning policies leads to difficulties; redundant with repository stores; easier to do refs w/o the version in xacml
erik: usability issues for policy references; doesn't say you have to pick latest.
hal: every policy, policyset must have unique identifier; only place we make use is policyset refs;
erik: sec 5.10 end; version matching; do we need a target if we have condition;
jan: why does ver play role in policy eval?
erik: ex enterprise container that might be versioned;
hal: not fundamentally different;
hal: federation of policy admin; having them come together at policy dist time;
jan: can put select query to evaluate policy;
erik: select ref in policy creates tight integration between policy and storage mechanism;
hal: func behavior specifiable; does not want storage to impact;
erik: nothing said about id: how to find policy?
paul: seems to tie into friendly policyids
hal: general rules against deleting, but that has issues
hal: general discussion on futures; paul, was web friendly policyids your issue?
paul: issue is composition of policy sets w versioning; need some kind of defn to resolve multiple refs. if you don't know where to start, you are lost;
erik: even when xml catalog; can define what find is.
always retrieving policy ref from web is too specific
paul: how to manage federated policies; need to
erik: file protocol;
david: where policies ref'd from undefined; have to talk to somebody at runtime to get initial ref;
jan: sql ref to db; different ways to ref policy
john: need a minimum spec; can't leave to vendors
paul: no company owns export laws
hal: orgs have tax rule impls; expects policy acquisition not to be general runtime feature; only do stuff on fly that specific request
hal: cohort: policies that are enforced at same time;
david choy: use cases: building large scale component systems; policies won't look like xacml; at some point policies need to be
hal: admin fcn: creates policies; puts them in some kind of master repository; out in the world are pdps; one func is to group policy and policysets; 2nd is to group cohorts; need some kind of decision alg in pap to decide where the policies go, i.e. to which pdp;
andy: is this pre-eval of some policies?
hal: basically, yes;
hal: people said what are specific policies?
david: for example all policies that apply to specific appl that you send to mgr of that appl
hal: cohorts are also like a policyset;
jan: things you can put in policy reference dictate what mechanisms; file system, sql, xpointer, url;
hal: there are some defns on wiki about policy distr;
rich: there are several dimensions to the problem
hal: issue of policy references (version was too much);
jan: issue is that there is no defined mechanism for defining references;
greg: stdize policy refs: get policyIdReference in policy query; in resp get back policyset.
looking at saml prof of xacml;
hal: issue 62 on http://wiki.oasis-open.org/xacml/IssuesList has defn of "cohort" as group of related policies
david: from deploy perspective: need all the pieces; if admin to support policy model directly, then is suitable for human user to administrate; if look at xacml model; highly expressive; question is if suitable for human to administer; talking about the model, not the gui.
hal: it will evolve starting from assembler to java metaphorically; assumptions: policies built from tools
erik: there are xacml characteristics like combining algorithm that are direct concepts in xacml; not the xml concepts;
david: looking for examples of people putting this to use; looking for more than authoring; it is dealing w security challenge and how to manage policies out there; ex. somebody created whole bunch of policies in db; want to change authority on certain resources: which policies do I update? do I create new ones? until this is defined, don't know how to do this.
erik: day to day chgs happen to attrs; but not workflow or "official" policies;
john: obj security; have seen demos where can take english lang stuff that puts out xacml;
rich: policy dialects or design paradigms
john: wanted to invite; andrea westerinen has done policy analysis; also lang from obj security; they have different approaches to same problems; the more we know
hal/erik: agenda: let's drop json since david b not here;
erik: logistics for social - anne may be interested
hal: legal seafood;