Subject: Minutes 19 February 2015 TC meeting - DRAFT

Time: 2:30 PM EST (-0500 GMT)
Tel: 513-241-0892

Access Code: 65998

Minutes for 19 February 2015 TC Meeting

I. Roll Call & Minutes

  Roll Call:
  Voting Members
   Crystal Hayes
   Richard Hill
   Steven Legg
   Rich Levinson
   Hal Lockhart Co-Chair
   Bill Parducci Co-Chair
   Remon Sinnema
   John Tolbert

   Scott Robertson, Kaiser Permanente

  Voting Members: 6 of 10 (60%)
  Bill: We have quorum

 Approve Minutes 5 February 2015:
   APPROVED unanimously

II. Administrivia
  Call for Agenda Change
    I have a couple issues I would like to discuss today about potential 

  Next Steps
    We have a number of docs that are at Committee Specification level now. The
    next step is to begin collecting Statements of Use. Does anyone need help
    with verbiage?
    That would be helpful.
    I will post some draft wording and post it to the list. Hopefully we will
    get the rolling in the next month or so.
    There are a number of Profiles that still require some work to get to the
    next level; everyone is encouraged to take back up those that are of 

  Attribute Boundaries
    Some of us are presenting at EIC re: OASIS standards such as XACML. Given the
    multi-national nature of the EU, would it be possible for us to create a
    Profile that would not require attributes across borders? Perhaps send a
    Subject and Policy.
    This is a good idea. I have seen it be done, e.g. in cases where you want to
    see the export control status of something without the clearance to see the
    The Admin Profile in conjunction with SAML 3.0 can address this. It was not
    a primary Use Case, but it could be used for this purpose. This may be a    
    very unique case in that only 1 party has access to the attributes, but the 
    Policy is accessible to both.
    Using the Admin Profile is an interesting idea. I will explore that.
    It may be possible with a modest number of Policies to infer data on the
    "hidden" side, leading to an exploit.

  Time Limited Decisions
    What are the TC's thoughts on a response that is time limited? 
    There are abilities to define access by time, but there is no mechanism in
    XACML for a duration per se. The SAML 2.0 wrapper may be used to handle
    attribute manipulation however.
    John, is human driven web usage the Use Case you are thinking of here?
    Basically, yes.
    XACML is typically more general than this.
    Could this be handled with an Obligation?
    Yes, but its specificity makes it generally non-standard.
    I am curious as to the best way to address the reiterative nature of a human
    driven website where reauth/Z is specified with a time constraint attribute. 
    This seems like what John is trying to address.
    John: Yes, that is a Use Case for this.
    This is a common situation that can be highly contextual based upon company,
    etc. If we can figure out a way to address it would be interesting to
    I will explore the existing Profiles and am happy to receive input from
    anyone who has seen implementations, attempted to solve this.

  New TC
    I have been working with a number of people on the adoption of US Federal 
    Identity Credentialing and Access Management (FICAM). We are considering
    setting up a TC that would work on interoperability of FICAM implementations.
    I think it will have a lot of cross-pollination with XACML and SAML.
    I am sure there will be interest/feedback once this begins to materialize.

Meeting adjourned.

