Subject: Minutes for 10 December 2015 TC Meeting
Time: 2:30 PM EST (-0500 GMT)
Tel: 1-712-775-7031 Access Code: 620-103-760

Minutes for 10 December 2015 TC Meeting
Next mtg: Jan 7, 2016

I. Roll Call & Minutes

Roll call:
Richard Hill
Steven Legg
Rich Levinson
Hal Lockhart, Co-Chair
Bill Parducci, Co-Chair
Martin Smith

2:36: we have quorum
hal: today last mtg of 2015; next call 1st Thu in Jan = Jan 7, 2016

Approve Minutes 12 November 2015 - updated
https://lists.oasis-open.org/archives/xacml/201512/msg00006.html
hal: any objections to accepting the minutes? none heard
minutes approved

II. Administrivia

NIST/NCCOE draft question: XACML artifact
martin (originator): https://lists.oasis-open.org/archives/xacml/201511/msg00002.html
hal (covered @ last mtg): https://lists.oasis-open.org/archives/xacml/201511/msg00007.html
martin: https://lists.oasis-open.org/archives/xacml/201511/msg00017.html
hal: proposal for +1's: https://lists.oasis-open.org/archives/xacml/201511/msg00018.html
martin: revised draft comment: https://lists.oasis-open.org/archives/xacml/201511/msg00021.html
ray: +1: https://lists.oasis-open.org/archives/xacml/201511/msg00022.html
bill: +1: https://lists.oasis-open.org/archives/xacml/201511/msg00023.html
hal: +1: https://lists.oasis-open.org/archives/xacml/201511/msg00024.html
hal: comment on comment sent to NIST: Comment on NIST SP 1800-3b from the OASIS XACML TC
hal: To: abac-nccoe@nist.gov https://lists.oasis-open.org/archives/xacml/201512/msg00001.html
hal: we sent in comments; that's it for now.

III. Issues

NEW ISSUES:

NIST releases a new publication on ABAC comparing XACML and NGAC
public comment period runs from December 2, 2015 through January 15, 2016
https://lists.oasis-open.org/archives/xacml/201512/msg00003.html
david: link to NIST ABAC/XACML/NGAC doc + issue w spec https://lists.oasis-open.org/archives/xacml/201512/msg00004.html
martin: question about section of spec: https://lists.oasis-open.org/archives/xacml/201512/msg00005.html
xacml-users: concerns about spec (ludwig resp to david above): https://lists.oasis-open.org/archives/xacml-users/201512/msg00004.html
hal: NIST has published doc comparing xacml and ngac;
rich: found copy of features, arch, and spec on NIST site:
hal: chapter on policies: diagrams and arrows
comparison doc refs a policy language

sidebar: to elaborate on hal's point above, consider the following example from the doc:

refs to stds: in order to effectively compare XACML and NGAC, it would be useful to have a clear picture of exactly what is being compared.

The comparison doc says about XACML:
line 469: "XACML defines a policy specification language ... The standard encompasses requests, policies, attributes, and functions ..."
line 859: "Requests are issued from, and PDP decisions are returned to, a PEP using a standardized request and response language."

The comparison doc says about NGAC:
line 894: "NGAC is defined in terms of a standardized and generic set of relations and functions that are reusable in the expression and enforcement of policies."

However, for example in lines 1465->1532, there is an XACML policy representing users with clearances having access to documents with classifications (note policies 3,4 seem to have the reverse effect of what one might expect). This XACML policy is then supposed to be compared with a graphical representation on line 1540, which appears to represent both the XACML policy and an unspecified NGAC policy of some syntax that the graphical elements could presumably be parsed into (they could also be parsed into the example XACML policy syntax).

Finally, the section seems to extend the policy using NGAC obligations to cover a higher-level "process", which appears to apply to ensure that 2 requests within the same session do not violate a separation of duty constraint. This requires state to be maintained between requests, which is outside the defined scope of the XACML PDP policy language, but inherent in the capabilities of XACML obligations, which are returned to the PEP; one could arguably say the PEP would be a more logical place to maintain and operate on this retained state, similar to a shopping cart paradigm.

As a result of the mixing of representations, as the above example shows, members of the XACML community have indicated some difficulty while trying to evaluate the comparisons contained in the document.

end-sidebar

additional discussion:
martin: john had some comments he wanted to make on this spec
martin: will add some recent developments w tagging documents to the wiki

EXISTING ISSUES:

Common Practices for Binding Resources
martin (originator): https://lists.oasis-open.org/archives/xacml/201511/msg00003.html
david (covered @ last mtg): https://lists.oasis-open.org/archives/xacml/201511/msg00004.html
mike davis: https://lists.oasis-open.org/archives/xacml/201511/msg00015.html
david: https://lists.oasis-open.org/archives/xacml/201511/msg00016.html

hal: any other items to discuss? none heard
hal: next mtg: jan 7, 2016

mtg adjourned: 2:50 PM EST

--
Thanks, Rich
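Added illustration of the sidebar's separation-of-duty point, not code from the minutes, the TC, or the NIST document: a stateless clearance-vs-classification PDP that returns a Permit carrying an obligation, and a PEP that retains per-session state from those obligations to enforce a two-request SoD constraint. The clearance levels, document names and the SoD pair are constructed sample values.

```python
# Constructed example: stateless PDP + state-holding PEP for a session SoD rule.
from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

@dataclass
class Decision:
    effect: str                       # "Permit" or "Deny"
    obligations: list = field(default_factory=list)

def pdp_evaluate(request: dict) -> Decision:
    """Stateless PDP: permit iff the subject's clearance dominates the
    resource's classification. A Permit carries an obligation asking the
    PEP to record the access; the PDP itself remembers nothing."""
    clr = LEVELS.get(request["clearance"], -1)
    cls = LEVELS.get(request["classification"], 99)
    if clr >= cls:
        return Decision("Permit", [("record-access", request["resource"])])
    return Decision("Deny")

# Constructed SoD constraint: one session may not touch both documents.
SOD_PAIRS = {frozenset({"bid-evaluation", "bid-submission"})}

class PEP:
    """Enforcement point that keeps obligation-driven state across requests."""
    def __init__(self):
        self.session_history: dict[str, set[str]] = {}

    def enforce(self, session_id: str, request: dict) -> str:
        decision = pdp_evaluate(request)
        if decision.effect != "Permit":
            return "Deny"
        seen = self.session_history.setdefault(session_id, set())
        # The SoD check lives here because it needs this session's earlier requests.
        for pair in SOD_PAIRS:
            if request["resource"] in pair and (pair - {request["resource"]}) & seen:
                return "Deny"
        for name, resource in decision.obligations:   # discharge obligations
            if name == "record-access":
                seen.add(resource)
        return "Permit"

if __name__ == "__main__":
    pep = PEP()
    req = lambda r, c: {"resource": r, "clearance": "secret", "classification": c}
    print(pep.enforce("s1", req("bid-submission", "confidential")))  # Permit
    print(pep.enforce("s1", req("bid-evaluation", "confidential")))  # Deny (SoD)
    print(pep.enforce("s2", req("bid-evaluation", "top-secret")))    # Deny (clearance)
```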