xacml message

Subject: raw notes from f2f day 1: 8:30-11:00 AM - UPDATED


     6/28:
       UPDATED (added bill to phone attendees)

       xacml f2f day one:

	wireless logon:

		guest
		zxmJPy98 (good today only)

	doron can't make it;
	david chadwick is tied up at airport, will miss AM today

	attendees:

	hal
	rich levinson
	erik
	andy
	greg nevin
	jan herrmann
	david choy
	david button
	john tolbert

	phone:
	paul tyson
	bill parducci

	Erik: submitted wd-21 going thru chgs

	p 45 sec 5.1 combining parameters
	5.14 combining params policy
	7.12 alg applies to rules not target
	7.13 same as above
	7.19.3 remove word and
	p 105
	p 119 quotes on type
	p 120 deleted a plural 's'
	p 121 added quotes around true
	p 122 added u to urn
	p 127 heading chg
	p 128 2 attr ids w new ones
	p 129 attr cats; multiple times
	p 130 3.0 datatype
	p 134 C.1 clarified text
	p 134 Node children, evaluate also obl, adv not determ
	paul: caught p-code bug length of; erik fixed as we go
		in 4 places, in wd-22
	p 136 word 'any'
	p 142 dup 's' removed

	jan: issue: string not equals has usability issues
	hal: easy to find things that match, not so easy to
	find things that don't match, w hash index
	erik: it's a trap to use ne in targets; only works
	under specific situations; need one and only
	jan: svc a,b,c,d,e in root policy say svc ne a, guarantee
	that descendant policy wont be finding it;
	erik: could access by other means, like host names;
	jan: if user has mult roles, then role ne;
	erik: if want to exclude role, stuff and foo will
	not work w target; stuff str ne true will match;
	erik: can't have conditions in policy,policyset
	paul: allof, anyof
	erik: only soln is to add condition to policy,policyset
	user can't find do for which he is the author
	paul: adding not element makes it indexable; blurs
	target and condition;
	hal: original motive not incl condition was to avoid
	processing overhead
	paul: why have targets
	erik: indexing policies
	erik: would prefer cond to more powerful target
	erik: target has builtin anyof
	paul: reevaluate scope of variable defns
	erik: obl at policyset level, can't have variable
	defns at policyset level;

	erik: versioning policies leads to difficulties; redundant
	with repository stores; easier to do refs w/o the version
	in xacml
	erik: usability issues for policy references; doesn't say
	you have to pick latest.

	hal: every policy, policyset must have unique identifier;
	only place we make use is policyset refs;
	erik: sec 5.10 end; version matching

	do we need a target if we have condition;
	jan: why does ver play role in policy eval?

	erik: ex enterprise container that might be versioned;
	hal: not fundamentally different;
	hal: federation of policy admin; having them come together
	at policy dist time;

	jan: can put select query to evaluate policy;

	erik: select ref in policy creates tight integration
	between policy and storage mechanism;

	hal: func behavior specifiable; does not want storage
	to impact;

	erik: nothing said about id: how to find policy?

	paul: seems to tie into friendly policyids
	hal: general rules against deleting, but that has issues

	hal: general discussion on futures; paul was web friendly
	policyids your issue?

	paul: issue is composition of policy sets w versioning
	need some kind of defn to resolve multiple refs.
	if you don't know where to start, you are lost;

	erik: even when xml catalog; can define what find is.
	always retrieving policy ref from web is too specific


	paul: how to manage federated policies; need to

	erik: file protocol;

	david: where policies ref'd from undefined; have to
	talk to somebody at runtime to get initial ref;

	jan: sql ref to db; different ways to ref policy

	john: need a minimum spec; can't leave to vendors

	paul: no company owns export laws

	hal: orgs have tax rule impls
	expects policy acquisition not to be general
	runtime feature; only do stuff on fly that specifi
	request

	hal: cohort: policies that are enforced at same time;

	david choy: use cases: building large scale component
	systems; policies won't look like xacml; at some point
	policies need to be


	hal: admin fcn: creates policies; puts them in some
	kind of master repository;
	out in the world are pdps;
	one func is to group policy and policysets;
	2nd is to group cohorts;

	need some kind of decision alg in pap to decide where
	the policies go, i.e. to which pdp;

	andy: is this preeval of some policies?

	hal: basically, yes;

	hal: people said what are specific policies?

	david: for example all policies that apply to
	specific appl that you send to mgr of that appl

	hal: cohorts are also like a policyset;

	jan: things you can put in policy reference dictate
	what mechanisms; file system, sql, xpointer, url;

	hal: there are some defns on wiki about policy distr;

	rich: there are several dimensions to the problem

	hal: issue of policy references (version was too much);

	jan: issue is that there is no defined mechanism
	for defining references;

	greg: stdize policy refs: get policyIdReference
	in policy query; in resp get back policyset.
	looking at saml prof of xacml;
	
	hal: issue 62 on:
	  http://wiki.oasis-open.org/xacml/IssuesList
	has defn of "cohort" as group of related policies

	david: from deploy perspective: need all the pieces
	if admin to support policy model directly, then
	is suitable for human user to administrate; if look
	at xacml model; highly expressive; question is if
	suitable for a human to administer;

	talking about the model, not the gui.

	hal: it will evolve starting from assembler to java
	metaphorically;
	assumptions: policies built from tools

	erik: there are xacml characteristics like combining
	algorithm that are direct concepts in xacml; not the
	xml concepts;

	david: looking for examples of people putting this
	to use;

	looking for more than authoring; it is dealing w
	security challenge and how to manage policies out
	there;

	ex. somebody created whole bunch of policies in db;
	want to change authority on certain resources: which
	policies do I update? do I create new ones?

	until this is defined, don't know how to do this.

	erik: day to day chgs happen to attrs; but not
	workflow or "official" policies;

	john: obj security; have seen demos where can take
	english lang stuff that puts out xacml;

	rich: policy dialects or design paradigms

	john: wanted to invite; andrea westerinen has done
	policy analysis; also lang from obj security
	they have different approaches to same problems	
	the more we know;

	hal/erik: agenda: let's drop json since david b not here;

	erik: logistics for social - anne may be interested
	hal: legal seafood;
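Editor's added illustration of the string-not-equal trap that jan, erik and hal argue about above (role ne X in a Target, multi-valued attributes). This is not code from the notes, the XACML TC or any XACML implementation; it is a small Python model of XACML 3.0 <Match> evaluation (spec section 7.6: the match function is applied to the literal AttributeValue and to every value in the attribute's bag, and the Match is True if any application is True). The attribute id urn:example:role and the role bags are constructed sample data.

```python
"""
Model of the XACML 3.0 <Match> pitfall with string-not-equal.

A Target Match is "any-of" by construction: the function is applied to the
literal and to EACH value in the attribute bag, and the Match is True if at
least one application is True.  So a Match written as

    string-not-equal("admin", role-bag)

does not mean "the subject is not an admin"; it means "the subject has at
least one role other than admin", which is True for an admin who also holds
any second role.  The fix the notes point at is a Rule <Condition> that
negates a membership test, in XACML terms not(any-of(string-equal, "admin",
role-bag)) or not(string-is-in("admin", role-bag)).

Attribute id and request data below are constructed for the example.
"""
from typing import Callable, Iterable, List

# Constructed request context: one multi-valued subject attribute.
ROLE_ATTR = "urn:example:role"          # hypothetical attribute id
REQUEST_ADMIN_TWO_ROLES = {ROLE_ATTR: ["admin", "auditor"]}
REQUEST_AUDITOR_ONLY = {ROLE_ATTR: ["auditor"]}
REQUEST_NO_ROLE = {ROLE_ATTR: []}


def string_equal(a: str, b: str) -> bool:
    """urn:oasis:names:tc:xacml:1.0:function:string-equal"""
    return a == b


def string_not_equal(a: str, b: str) -> bool:
    """Negation of string-equal, as a target match function would apply it."""
    return a != b


def match(func: Callable[[str, str], bool], literal: str, bag: Iterable[str]) -> bool:
    """XACML 3.0 section 7.6 <Match> semantics: True if func(literal, v) for ANY
    v in the bag; an empty bag makes the Match False (no attribute to match)."""
    return any(func(literal, v) for v in bag)


def target_not_admin_via_not_equal(request: dict) -> bool:
    """Intended meaning: 'this policy applies to everyone who is NOT an admin'.
    Written as a Target Match with string-not-equal (the trap)."""
    return match(string_not_equal, "admin", request.get(ROLE_ATTR, []))


def condition_not_admin(request: dict) -> bool:
    """Correct meaning, expressed as a Rule Condition:
    not(any-of(string-equal, "admin", role-bag))."""
    bag: List[str] = request.get(ROLE_ATTR, [])
    return not any(string_equal("admin", v) for v in bag)


def compare(request: dict) -> dict:
    """Return both evaluations side by side for one request context."""
    return {
        "target_string_not_equal": target_not_admin_via_not_equal(request),
        "condition_not_any_of_equal": condition_not_admin(request),
    }


if __name__ == "__main__":
    for name, req in [("admin+auditor", REQUEST_ADMIN_TWO_ROLES),
                      ("auditor only", REQUEST_AUDITOR_ONLY),
                      ("no role", REQUEST_NO_ROLE)]:
        print(name, compare(req))
```

The interesting row is the admin who also holds the auditor role: the Target Match with string-not-equal applies the policy to that admin, because "auditor" != "admin" is enough to satisfy the any-of Match, while the Condition form correctly excludes them. This is why the notes say negation in a Target only works when the attribute is guaranteed to be single-valued ("one and only").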





