Subject: Minutes for 11 July 2013 TC Meeting
Time: 16:30 EDT (GMT-0400)
Tel: 513-241-0892 Access Code: 65998

Minutes for 11 July 2013 TC Meeting

I. Roll Call & Minutes

  Roll Call:
    Axiomatics               David Brossard    Member
    The Boeing Company       Crystal Hayes     Voting Member
    The Boeing Company       Richard Hill      Voting Member
    Veterans Health Admnstr  Mohammad Jafari   Voting Member
    ViewDS                   Steven Legg       Voting Member
    Oracle                   Rich Levinson     Secretary
    Individual               Bill Parducci     Chair
    EMC                      Remon Sinnema     Voting Member
    The Boeing Company       John Tolbert      Voting Member

    bill: we have quorum

  Approve Minutes:
    27 June 2013 TC Meeting
    https://lists.oasis-open.org/archives/xacml/201306/msg00052.html

    no objections heard; minutes approved

II. Administrivia

  IDtrust Steering Committee annual Nominations and Election Process now open
    https://lists.oasis-open.org/archives/xacml/201307/msg00002.html

    fyi only - passing along notification from Dee.

  Status EC-US Profile, IP Profile

    EC & IPC status: Crystal/Richard/John have collected the
    ancillary information for submission as standard. Bill is going
    through it in preparation of submission. The consensus is to hold
    actual submission until the REST Profile is in a similar state
    then submit all 3 at the same time to TC Admin.

  XACML MAP Authorization Profile:
    (result of the collaboration between the TCG TNC MAP working
    group and the OASIS XACML technical committee)
    https://www.oasis-open.org/committees/document.php?document_id=49017&wg_abbrev=xacml

    richard: tcg would like to have any comments on the XACML MAP
     profile (see above link) that tc members might have - before
     end of July

     richard will post updates to the profile next week, which will
     be the version of the doc that comments should be directed to,
     although people can look at existing version to get started as
     the updates are expected to be modest.

  Req/Rsp intf based on JSON and HTTP for xacml 3.0 v1.0

    Entity... Category... Attributes - JSON profile
    https://lists.oasis-open.org/archives/xacml/201307/msg00000.html

    david: said that v13 uses "Category" instead of "Attributes":

     there has been some follow up discussion on both the full
     updating of the change in every reqd spot, plus rich added a
     last minute email on some additional considerations as to why
     another choice besides "Category" might still be desirable, but
     left the choice to David's discretion since the root of the
     issue is in core, and no point trying to "fix" things in the
     profile only:
     https://lists.oasis-open.org/archives/xacml/201307/msg00007.html

     david has published wd-14:
     https://lists.oasis-open.org/archives/xacml/201307/msg00009.html

    david: I move that the TC approve "Request/Response Interface
     based on JSON and HTTP for XACML 3.0 Version 1.0, Working
     Draft 14, 12 July 2013" and all associated artifacts packaged
     together in
     https://www.oasis-open.org/apps/org/workgroup/xacml/document.php?document_id=49946
     as a Committee Specification Draft and designate the .doc
     version of the specification as authoritative.

    crystal: seconds the motion

    bill: any objections? none heard. motion is approved.

  Approve a Committee Specification Draft for Public Review

    steven: moves that the TC approve the "Request/Response
     Interface based on JSON and HTTP for XACML 3.0 Version 1.0,
     Working Draft 14, 12 July 2013" after the committee spec draft
     version is published to the repository be made available for
     public review:

    rich: seconds

    bill: any objections? none heard. motion is approved.

III. Issues

  dynamic policy w request: how to do it?

    mohammad: use case of dynamic policy w request and what is
     response: was not able to find in 3.0 spec:

    steven: it is in saml profile; should have been in core but in
     saml.

  use cases for "relationship-based" access control:

    mohammad: use cases for relationship access ctl: attrs of attrs:
     might have rdf transform into profile ->

    rich: thinks it can be done by existing means: will send email
     ref'ing the notion: attr in one attrs collection can ref
     another attr in another collection.

  conference on cloud identity

    david: attending conf; has heard comments to effect that xacml
     is losing relevance

    rich: has heard these comments before, but has found little
     substance to back it up, and, in fact, considers the reasoning
     that reaches that conclusion to have a flawed understanding of
     what xacml is; at very minimum, people should realize that xml
     is only one way to represent xacml; json can also be used; but
     the larger point is that the essential xacml functionality that
     is being represented is a dynamic authorization engine, which
     is required by enterprises and other organizations irrespective
     of the particular formatting of requests and policies.

     rich also ref'd xacml demo w oauth as part of openaz project:
     http://openaz.svn.sourceforge.net/viewvc/openaz/trunk/openaz/test/doc/test/OAuthSimulator.html
     the javadoc shows a logical deployment of a xacml pdp (using
     sunxacml) as an authorization engine that supports the full
     oauth process, along w sample policies for each stage of the
     process all residing in single pdp.

meeting adjourned: 17:00 EDT

Carried Over

  OAuth Scope expressed in XACML

  Distribution of obligations across multiple handlers:
   Generalizing on-permit-apply-second

  Errata: XPathCategory

--
Thanks, Rich