Subject: Minutes for 11 July 2013 TC Meeting

Time: 16:30 EDT (GMT-0400)
Tel: 513-241-0892
Access Code: 65998

Minutes for 11 July 2013 TC Meeting

I. Roll Call & Minutes

 Roll Call:

Axiomatics		David Brossard	Member
The Boeing Company	Crystal Hayes	Voting Member
The Boeing Company	Richard Hill	Voting Member
Veterans Health Admnstr	Mohammad Jafari	Voting Member
ViewDS			Steven Legg	Voting Member
Oracle			Rich Levinson	Secretary
Individual		Bill Parducci	Chair
EMC			Remon Sinnema	Voting Member
The Boeing Company	John Tolbert	Voting Member

   bill: we have quorum

 Approve Minutes:

  27 June 2013 TC Meeting

	no objections heard; minutes approved

II. Administrivia

  IDtrust Steering Committee annual Nominations and Election Process now open

	fyi only - passing along notification from Dee.

  Status EC-US Profile, IP Profile

    EC & IPC status: Crystal/Richard/John have collected the ancillary
     information for submission as standard.
    Bill is going through it in preparation of submission.
    The consensus is to hold actual submission until the REST Profile is
     in a similar state then submit all 3 at the same time to TC Admin.

  XACML MAP Authorization Profile:
    (result of the collaboration between the TCG TNC MAP working group
      and the OASIS XACML technical committee)

    richard: tcg would like to have any comments on the XACML MAP profile
	(see above link) that tc members might have - before end of July
      richard will post updates to the profile next week, which will
       be the version of the doc that comments should be directed to,
       although people can look at existing version to get started as
       the updates expected to be modest.

   Req/Rsp intf based on JSON and HTTP for xacml 3.0 v1.0
    Entity... Category... Attributes - JSON profile

    david: said that v13 uses "Category" instead of "Attributes":
      there has been some follow up discussion on both the full
       updating of the change in every reqd spot, plus rich added
       a last minute email on some additional considerations as
       to why another choice besides "Category" might still be
       desirable, but left the choice to David's discretion since
       the root of the issue is in core, and no point trying to
       "fix" things in the profile only:

      david has published wd-14:

      david: I move that the TC approve "Request/Response Interface based on
       JSON and HTTP for XACML 3.0 Version 1.0, Working Draft 14, 12 July 2013"
       and all associated artifacts packaged together in 
       as a Committee Specification Draft and designate the .doc version of the
       specification as authoritative.
      crystal: seconds the motion

      bill: any objections? none heard. motion is approved.

    Approve a Committee Specification Draft for Public Review
     steven: moves that the TC approve the "Request/Response Interface based on
       JSON and HTTP for XACML 3.0 Version 1.0, Working Draft 14, 12 July 2013"
       after the committee spec draft version is published to the repository be
       made available for public review:
     rich: seconds
     bill:  any objections? none heard. motion is approved.

III. Issues

     dynamic policy w request: how to do it?
       mohammad: use case of dynamic policy w request and
        what is response: was not able to find in 3.0 spec:

       steven: it is in saml profile; should have been in core
        but in saml.

     use cases for "relationship-based" access control:

       mohammad: use cases for relationship access ctl: attrs of
        attrs: might have rdf transform into profile

  ->   rich: thinks it can be done by existing means: will send
        email ref'ing the notion: attr in one attrs collection
        can ref another attr in another collection.

    conference on cloud identity

      david: attending conf; has heard comments to effect that
        xacml is losing relevance

      rich: has heard these comments before, but has found little
        substance to back it up, and, in fact, considers the
        reasoning that reaches that conclusion to have a flawed
        understanding of what xacml is;

        at very minimum, people should realize that xml is only
         one way to represent xacml; json can also be used;
         but the larger point is that the essential xacml
         functionality that is being represented is a dynamic
         authorization engine, which is required by enterprises
         and other organizations irrespective of the particular
         formatting of requests and policies.

      rich also ref'd xacml demo w oauth as part of openaz project:
        the javadoc shows a logical deployment of a xacml pdp
         (using sunxacml) as an authorization engine that supports
         the full oauth process, along w sample policies for each
         stage of the process all residing in single pdp.

   meeting adjourned: 17:00 EDT

  Carried Over

   OAuth Scope expressed in XACML

   Distribution of obligations across multiple handlers:

   Generalizing on-permit-apply-second

   Errata: XPathCategory

Thanks, Rich

Rich Levinson | Internet Standards Security Architect
Mobile: +1 978 5055017
Oracle Identity Management
45 Network Drive | Burlington, Massachusetts 01803
