
Subject: Re: [xacml] Minutes for 7 February 2013 TC Meeting - updated



Hi David,

On 15/05/2013 3:18 AM, David Brossard wrote:
> It makes sense. I gather you have no objections to removing the unnecessary nesting?

I agree with Danny, and I have no objections to the change.

Regards,
Steven



On Tue, May 14, 2013 at 7:06 PM, Danny Thorpe <Danny.Thorpe@software.dell.com> wrote:

    I’d suggest “XPathVersion” over “RequestDefaults” as the reduction.  RequestDefaults is a container and
    could contain other stuff besides XPath down the road.

    -Danny

    Danny Thorpe
    Authorization Architect
    Dell | Identity & Access Management, Quest Software

    Quest Software is now part of Dell.

    From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of David Brossard
    Sent: Tuesday, May 14, 2013 9:05 AM
    To: Steven Legg
    Cc: xacml
    Subject: Re: [xacml] Minutes for 7 February 2013 TC Meeting - updated

    Also, along the lines of simplification, I'd be in favor of making the RequestDefaults simpler. Today
    the JSON encoding mirrors the XACML encoding which contains 1 element nesting too many.

    In the JSON spec we currently have

    "Request": {
        "RequestDefaults": {
            "XPathVersion": "http://www.w3.org/TR/1999/REC-xpath-19991116"
        }
    }

    We could change to the following instead:

    "Request": {
        "RequestDefaults": "http://www.w3.org/TR/1999/REC-xpath-19991116"
    }

    Or

    "Request": {
        "XPathVersion": "http://www.w3.org/TR/1999/REC-xpath-19991116"
    }

    Thoughts?

    On Tue, May 14, 2013 at 5:56 PM, David Brossard <david.brossard@axiomatics.com> wrote:

    I'll leave them out. They make no sense in the response. Thanks.

    On Tue, May 14, 2013 at 3:21 AM, Steven Legg <steven.legg@viewds.com> wrote:

    Hi David,

    On 11/05/2013 8:41 AM, David Brossard wrote:

        Hi Steven,

        See my comments below:


             On 6/02/2013 4:38 PM, Steven Legg wrote:
              > Section 5.2.11: Version should be a string.

        This is now fixed. Thanks.

             The IdReference object needs a
              > Value property to hold the URI of the referenced policy or policy set.

        Yes, I noticed that when implementing the profile :-). I fixed it now.

             An
              > IdReference in an XACML response must have a Version and must not have a
              > LatestVersion or EarliestVersion. For consistency with any future profile
              > that defines a JSON representation for policies and policy sets, I suggest
              > that you keep the properties as they are, but add a note that Version
              > is required and EarliestVersion and LatestVersion must be absent in a
              > response.

        I don't see in the XACML 3.0 core spec where the EarliestVersion and LatestVersion must be absent.
        On lines 1961 to 1964 I read that

        /EarliestVersion [Optional]/
        /Specifies a matching expression for the earliest acceptable version of the policy set referenced./
        /LatestVersion [Optional]/
        /Specifies a matching expression for the latest acceptable version of the policy set referenced./

        It also says it is part of the PolicySetIdReference and PolicyIdReference.

        Later in the spec, I do see that in the response, the following rule applies:

        /The identifier and version of a policy which was applicable to the request. See section 5.11. The
        <PolicyIdReference> element MUST use the Version attribute to specify the version and MUST NOT use the
        LatestVersion or EarliestVersion attributes./

        Does it mean that the attributes /LatestVersion/ and /EarliestVersion/ must not be included
        altogether?

    That is how I've interpreted it. They aren't needed at all in the JSON encoding
    of a response, so we could leave them out, but if we later create a JSON encoding
    for policies, then we would need to put them back in, or have two JSON objects
    with the same name but different members, or use a different name for references
    in a Policy. Take your pick which strategy is going to be the least confusing.

    Regards,
    Steven

     > It would make sense.

    Thanks,
    David.


         Regards,
         Steven


             On Fri, Feb 8, 2013 at 12:41 AM, rich levinson <rich.levinson@oracle.com> wrote:

                  Minutes for 7 February 2013 TC Meeting - updated
                    (added link below to ref material on the NIST site
                     that describes the Policy Machine in more detail)

                  Time: 15:00 ET (GMT-0500)
                  Tel: 513-241-0892
                  Access Code: 65998

                  I. Roll Call

                  Voting Members:
                  Richard Hill    The Boeing Company
                  Mohammad Jafari Veterans Health Administration
                  Steven Legg     ViewDS
                  Rich Levinson   Oracle
                  Hal Lockhart    Oracle
                  Bill Parducci   Individual
                  Erik Rissanen   Axiomatics
                  John Tolbert    The Boeing Company

                  Members:
                  Robert van Herk Connectis


                    Approve Minutes:
                     24 January 2013 TC Meeting
                     https://lists.oasis-open.org/archives/xacml/201301/msg00030.html

                           hal: minutes approved, no obj

                  II. Administrivia

                    Conformance Tests v3.0
                     https://lists.oasis-open.org/archives/xacml/201301/msg00025.html

                       john: email contains a chart for conformance compliance; looking
                           for vendors to fill out the yes/no's as to whether support
                           is available for the features represented as list of the
                           xml elements in the xacml core spec plus a list of the combining
                           algorithms in the core spec.

                    XACML REST Profile WD-07 uploaded, request for Vote
                     https://lists.oasis-open.org/archives/xacml/201301/msg00028.html
                     https://lists.oasis-open.org/archives/xacml/201302/msg00006.html

                           15 day public review
                             john moves
                             richard h seconds
                             no obj to unanimous

                    XACML XSPA Profile WD-01 request for Vote
                     https://www.oasis-open.org/apps/org/workgroup/xacml/download.php/47685/Proposed%20draft%20for%20XSPA-XACML%20Obligations%20Profile%20Draft_0.1.doc

                      hal: is it 2.0 or 3.0
                      mohammad: will require schema support for 3.0, so 2.0 at present
                      hal: some other issues on front page
                      mohammad: will look at these issues;
                      hal: vote deferred until new draft or issues closed; hal will email comments

                    XACML v3.0 Published
                     https://lists.oasis-open.org/archives/xacml/201301/msg00036.html

                      hal: official notification that 3.0 is now published OASIS Standard (OS)
                           the email has URLs for obtaining the specs;
                      hal: will contact abbie barbir for itut

                    XACML Combining Algorithm Profile WD-03 status update:
                     30 day Public Review has begun
                     https://lists.oasis-open.org/archives/xacml/201301/msg00031.html

                     hal: both EC-US and IPC are in 15d pub rev;
                           comments? none so far

                    XACML EC-US status update:
                     15 day Public Review
                     https://lists.oasis-open.org/archives/xacml/201302/msg00001.html
                    XACML IPC status update:
                     15 day Public Review
                     https://lists.oasis-open.org/archives/xacml/201302/msg00002.html

                     hal: Combining Algorithm Profile WD-03 is in 30d pub rev;
                           comments? none so far

                    XACML JSON Profile WD-11 uploaded
                     https://lists.oasis-open.org/archives/xacml/201302/msg00009.html

                      new wd for json profile; wd10->wd11 based on stephen input
                      erik attr assign in obl optional
                      hal: should look at:

                    Policy Machine reference
                     The Policy Machine - email ref from prateek mishra

                           hal: you have to "buy" specification; anyone know more?
                            no replies
                           rich: I just checked the site, and there are quite a few direct
                            refs to material (free) describing the PM:
                            http://csrc.nist.gov/pm/references-library.html


                    XACML RSA demo:
                      john: boeing ready for tagging part
                           stephen posted link
                           have been working w nextlabs
                           still not all people that are needed
                      hal: boeing, oracle, uds, nextlabs were only ones on this wk's call
                           only 2 more calls before interop - please send people to
                           call so info is rcvd
                      hal: oasis will make banner; kmip also put up a banner, company
                           logo's connected in box w chains around it. Last year we
                           showed components but not logos; open to suggestions to
                           give to oasis by next wed.
                      hal: slide deck from last yr needs some updates but should be usable;
                           respond to email

                  III. Issues

                    JSON Profile
                     https://lists.oasis-open.org/archives/xacml/201302/msg00010.html

                      stephen: has minor chgs plus one thing on id's but has not heard
                            from david yet

                    Attributes of Relations
                     https://lists.oasis-open.org/archives/xacml/201301/msg00024.html

                       hal: should we tackle these 2 issues
                       erik: think we are converging on something; perf concern about
                           large sets of tuples, stephen said could optimize by
                           processing subsets; concern that xacml might be translatable
                           to db searches;
                       stephen: what should extensions actually look like, mohammad came
                           up w sql-like approach; in condition implicitly selects, and
                           need diff syntax for joins;
                       mohammad: thinks a simple join will work
                       stephen: tuple sets soon has duplication within nested context;
                           because of that abandoned nested;
                       rich: wants to mention that sql not a good representation, should
                           be more like attr-val-entity;
                       stephen: agrees in general
                       mohammad: agrees but when tried to extend hier ran into issues and
                           thats when sql emerged.
                       rich: will try to elaborate in followup email

                    Policy Labeling
                     https://lists.oasis-open.org/archives/xacml/201301/msg00022.html

                      stephen: still looking into alternatives to admin approach; practical
                           necessity to dup admin policies nearly everywhere there is issue
                           wrt unsafe policies being integrated w admin policies; reduction
                           graphs lead to some perf issues
                      erik: fwd chaining doesn't have same problem; top down recursive
                           could limit intermediate delegates;
                           also issue w np-complete;
                      stephen: hasn't found way to deal w malicious policy;
                      hal: in old days disc about detecting invalid policies;
                      hal: recollection of use cases; large ratio between general pop
                            vs admin people; maybe that helps;
                      rich: what is issue of ctl
                      stephen: sibling admin policy; writer of admin has to anticipate
                           places where delegates will be extending, and making
                           sure delegates have right authority; only sibling within
                           same policy set.
                      hal: as opposed to putting admins high in the tree;
                      stephen: but hi in tree can't authorize things lower in the tree;
                      stephen: one interesting use case is discretionary access ctl, such
                           as every owner of resource is authorized, so they can write
                           policies for their own resources;
                      hal: "can do, can del" was intended to address that; if you are allowed
                           to do it, you can delegate it as a policy; originally was in
                           admin profile but we moved it to core.
                           "can do, can del" is popular access model, implicitly mentioned
                           in sections 2.7, 2.9 of core spec.

                    Other business:

                     hal: next call in 2 weeks 21-Feb-2013

                     meeting/call adjourned: 3:51PM 7-Feb-2013







             --
             David Brossard, M.Eng, SCEA, CSTP
             Product Manager
             +46(0)760 25 85 75
             Axiomatics AB
             Skeppsbron 40
             S-111 30 Stockholm, Sweden
             http://www.linkedin.com/companies/536082
             http://www.axiomatics.com
             http://twitter.com/axiomatics









--
David Brossard, M.Eng, SCEA, CSTP
Product Manager
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics
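
As an added example (not part of the thread or of the JSON profile), the Python below reads the XPath version from any of the three Request shapes discussed above and checks an IdReference from a response against the rule quoted from the core spec. The function names, sample documents and the urn:example identifier are constructed for illustration; the version pattern is the VersionType pattern from the XACML 3.0 core schema.

```python
import json
import re

XPATH_1_0 = "http://www.w3.org/TR/1999/REC-xpath-19991116"  # URI quoted in the thread
VERSION_RE = re.compile(r"(\d+\.)*\d+")  # VersionType pattern, XACML 3.0 core schema


def xpath_version(request):
    """Return the XPath version URI from any of the three shapes discussed, or None."""
    found = []
    defaults = request.get("RequestDefaults")
    if isinstance(defaults, dict):          # current draft: nested object
        if "XPathVersion" in defaults:
            found.append(defaults["XPathVersion"])
    elif defaults is not None:              # first proposal: RequestDefaults holds the URI
        found.append(defaults)
    if "XPathVersion" in request:           # second proposal: XPathVersion on Request
        found.append(request["XPathVersion"])
    if not all(isinstance(v, str) for v in found):
        raise ValueError("XPath version must be a string URI")
    if len(set(found)) > 1:                 # two shapes present and disagreeing
        raise ValueError("conflicting XPath versions in one request")
    return found[0] if found else None


def check_response_id_reference(ref):
    """List the problems with an IdReference object taken from a JSON response."""
    problems = []
    value = ref.get("Value")
    if not isinstance(value, str) or not value:
        problems.append("Value (URI of the policy or policy set) is missing")
    version = ref.get("Version")
    if version is None:
        problems.append("Version is required in a response")
    elif not isinstance(version, str):
        # A JSON number cannot carry a version faithfully: 1.10 parses to 1.1.
        problems.append("Version must be a JSON string, not %s" % type(version).__name__)
    elif not VERSION_RE.fullmatch(version):
        problems.append("Version is not a dotted sequence of numbers")
    for banned in ("EarliestVersion", "LatestVersion"):
        if banned in ref:
            problems.append(banned + " must be absent in a response")
    return problems


# Constructed sample documents (not taken from the profile or from any product).
NESTED = json.loads('{"Request": {"RequestDefaults": {"XPathVersion": "%s"}}}' % XPATH_1_0)
FLAT = json.loads('{"Request": {"XPathVersion": "%s"}}' % XPATH_1_0)
GOOD_REF = json.loads('{"Value": "urn:example:policy:1", "Version": "1.10"}')
BAD_REF = json.loads('{"Value": "urn:example:policy:1", "Version": 1.10, "LatestVersion": "2.*"}')

if __name__ == "__main__":
    print(xpath_version(NESTED["Request"]), xpath_version(FLAT["Request"]))
    print(check_response_id_reference(GOOD_REF))
    print(check_response_id_reference(BAD_REF))
```

The second sample reference shows why Version is carried as a string: written as the number 1.10 it arrives as 1.1, so the version reported to the PEP no longer matches the policy that was evaluated.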


