Subject: Minutes 7 January 2016 TC Meeting
Time: 2:30 PM EST (-0500 GMT)
Tel: 1-712-775-7031
Access Code: 620-103-760

Minutes for 7 January 2016 TC Meeting

I. Roll Call & Minutes

Voting Members
Richard Hill
Steven Legg
Rich Levinson
Hal Lockhart (Co-Chair)
Bill Parducci (Co-Chair)
Remon Sinnema
Martin Smith
John Tolbert
Mohammad Jafari

Non-Voting Members
John (Mike) Davis

Quorum Achieved? YES (90% per OASIS site).

II. Administrivia

NIST publication on ABAC comparing XACML and NGAC

Martin: Is there time to respond?
Hal: I am not sure what the timelines are. Please take a look and post comments to the list for consideration.
Bill: Public comment period is through January 15, 2016.

III. Issues

Martin: There has been a lot of discussion on the list recently. I suggest that everyone who is interested take a few minutes to read through. One of the topics is whether or not this topic is within the scope of the TC. There was also some discussion on pre-processing.
Hal: I haven't seen anything on the list that is outside of the scope of the charter. Everything is within the realm of access control.
Hal: [reviewed his comments to the list] I suggest that using semantic analysis it may be possible to define what is necessary to perform an evaluation of necessary resources.
Martin: -
Mike: The issue I was trying to raise is what do we mean by a resource attribute? "Pre-coordinated" (the part of the attribute that is fixed, "mass"); "Post-coordinated" (cannot be determined until runtime). The latter is quite common in healthcare.
Hal: Perhaps I don't understand the description, but XACML doesn't make these types of distinctions. I have seen examples of indirection being problematic, and it is generally better handled without requiring pre-processing. This may not always be the case but typically aligns with general business practices.
Mike: Example: A patient record may be marked with HIV+. This is a fact. Decisions are made upon whether or not the attribute is protected, not whether or not it exists. Many conditions affect whether or not this attribute may be used in a decision.
Hal: Example: a record is passed from OrgA to OrgB. Option 1 is to pass filtered data, with the attribute redacted by OrgA. Option 2 is to pass all data over, and OrgB's PDP makes a decision based upon the nature of the data via local policy logic.
Mike: It can be either.
Hal: This may require machinery outside of XACML.
Mike: [Described internal access control decision-making process]
Martin: Is this analogous to the "Are you over 18?" vs. "What's your age?" evaluation?
Hal: The closer analogy is "Are you of age?" but, yes, it is somewhat analogous to what Mike is talking about.
Mike: This conversation is very intriguing and I would like to continue working through attributes.
Martin: To accomplish Mike's goal of ABAC interoperability across organizations we need a semantic model of attributes.
Hal: What people typically do is force everyone around a common semantic. Mike, coming back to your point about attribute ubiquity, this is something that we punted on earlier in XACML.
Mike: Other groups have picked up on these topics (ANSI, HL7).
Martin: This is what NIEM (the National Information Exchange Model) and NIEF (the National Identity Exchange Federation) have done to standardize semantics. A casual mapping between different terms for attributes is not likely to work for transactions that are highly sensitive.
John: This may be handled via the introduction of key vocabulary and custom functions in a domain-specific Profile, where it may be easier to get agreement on a data model.
Mike: I agree this has merit.
Martin: Is this within the scope of XACML? If each business community defines various common concepts like name and location using different terms and syntax, it gets messy quickly. So, I am hesitant to tackle this in a piecemeal fashion.
Mike: A lot of this is in policy decisions and I think the VA would be interested in exploring standardization here.
Hal: I am still not sure what the definition of the proposed work is.
Martin: This is slightly different from where I began the discussion, but we seem to be focused on the consistency of attributes.
Hal: My experience in the real world is that people tend to represent attributes of common things in different ways. This applies to all attributes. Precise definition of an attribute needs to consider a variety of contexts.

Meeting adjourned.