
xacml message


Subject: Minutes for 10 December 2015 TC Meeting

Time: 2:30 PM EST (-0500 GMT)
Tel: 1-712-775-7031
Access Code: 620-103-760

Minutes for 10 December 2015 TC Meeting

 next mtg jan 7, 2016

I. Roll Call & Minutes

  Roll call:

Richard Hill
Steven Legg
Rich Levinson
Hal Lockhart	Co-Chair
Bill Parducci	Co-Chair
Martin Smith

   2:36: we have quorum

  hal: today last mtg of 2015;
   next call 1st thu in jan = jan 7, 2016

  Approve Minutes 12 November 2015 - updated

   hal: any objections to accepting the minutes?
    none heard
    minutes approved

II. Administrivia 

  NIST/NCCOE draft question: XACML artifact
   martin (originator):
   hal (covered @ last mtg):
   hal: proposal for +1's:
   martin: revised draft comment:
   ray: +1:
   bill: +1:
   hal: +1:
   hal: comment on comment sent to NIST:
  Comment on NIST SP 1800-3b from the OASIS XACML TC
   hal: To: abac-nccoe@nist.gov

  hal: we sent in comments; that's it for now.

III. Issues

  NIST releases a new publication on ABAC comparing XACML and NGAC
   public comment period runs from December 2, 2015 through January 15, 2016
   david: link to NIST ABAC/XACML/NGAC doc + issue w spec
   martin: question about section of spec:
   xacml-users: concerns about spec (ludwig resp to david above):

   hal: NIST has published doc comparing xacml and ngac;
    rich: found copy of features, arch, and spec on NIST site:

   hal: chapter on policies: diagrams and arrows
    comparison doc refs a policy language

   to elaborate on hal's point above, consider the following example from the doc:

   refs to stds: in order to effectively compare XACML and NGAC, it would
    be useful to have a clear picture of exactly what is being compared.

     The comparison doc says about XACML:
      line 469:
        "XACML defines a policy specification language ...
         The standard encompasses requests, policies, attributes, and functions ..."
      line 859:
        "Requests are issued from, and PDP decisions are returned to, a PEP
          using a standardized request and response language."

     The comparison doc says about NGAC:
       line 894:
         "NGAC is defined in terms of
           a standardized and generic set of relations and functions
           that are reusable in the expression and enforcement of policies."

     However, for example in
      lines 1465->1532, there is a xacml policy representing users w clearances
       having access to documents w classifications (note policies 3,4 seem
       to have the reverse effect of what one might expect),

     whereas this xacml policy is then supposed to be compared with a graphical
      representation on line 1540, which appears to represent both the
      xacml policy and an unspecified ngac policy of some syntax that the
      graphical elements could presumably be parsed into (they could also
      be parsed into the example xacml policy syntax).

     Finally, the section seems to extend the policy using ngac obligations to cover
      a higher level "process", which appears to apply to ensure that 2 requests
      within the same session do not violate a separation of duty constraint,
      which requires state to be maintained between requests, which is outside
      the defined scope of the xacml pdp policy language, but inherent in the
      capabilities of xacml obligations which are returned to the PEP, which
      one could arguably say would be a more logical place to maintain and
      operate on this retained state, similar to a shopping cart paradigm.

     As a result of the mixing of representations, as the above example shows,
      members of the xacml community have indicated some difficulty while
      trying to evaluate the comparisons contained in the document.

  additional discussion:

   martin: john had some comments he wanted to make on this spec

   martin: will add some recent developments w tagging documents to the wiki

  Common Practices for Binding Resources
   martin (originator):
   david (covered @ last mtg): 
   mike davis:

   hal: any other items to discuss? none heard
   hal: next mtg: jan 7, 2016

     mtg adjourned: 2:50 PM EST

Thanks, Rich

Rich Levinson | Internet Standards Security Architect
Mobile: +1 978 5055017
Oracle Identity Management
45 Network Drive | Burlington, Massachusetts 01803
