Subject: Minutes 7 January 2016 TC Meeting


Time: 2:30 PM EST (-0500 GMT)
Tel: 1-712-775-7031
Access Code: 620-103-760

Minutes for 7 January 2016 TC Meeting

I. Roll Call & Minutes
  Voting Members
   Richard Hill
   Steven Legg
   Rich Levinson
   Hal Lockhart Co-Chair
   Bill Parducci Co-Chair
   Remon Sinnema
   Martin Smith
   John Tolbert
   Mohammad Jafari

  Non-Voting Members
   John (Mike) Davis

 Quorum Achieved? YES 90% per Oasis site.

II. Administrivia 
  NIST publication on ABAC comparing XACML and NGAC
   Martin:
    Is there time to respond?
   Hal:
    I am not sure what the timelines are. Please take a look and post comments
    to the list for consideration.
   Bill:
    Public comment period is through January 15, 2016.

III. Issues
  Martin:
   There has been a lot of discussion on the list recently. I suggest that everyone
   who is interested take a few minutes to read through. One of the topics is
   whether or not this topic is within scope of the TC. There was also some
   discussion on pre-processing.
  Hal:
   I haven't seen anything on the list that is outside of the scope of the
   charter. Everything is within the realm of access control.
  Hal:
   [reviewed his comments to list] I suggest that using semantic analysis it may
   be possible to define what is necessary to perform an evaluation of
   necessary resources.
  Martin:
    - 
  Mike:
   The issue I was trying to raise is what do we mean by a resource attribute?
   "Pre-coordinated" (part of the attribute that is fixed, "mass");
   "Post-coordinated" (cannot be determined until runtime). The latter is quite
   common in healthcare.
  Hal:
   Perhaps I don't understand the description, but XACML doesn't make these
   types of distinctions. I have seen examples of indirection being
   problematic, and it is generally better handled w/o requiring pre-processing.
   This may not always be the case but typically aligns with general business
   practices.
  Mike:
   Example: A patient record may be marked with HIV+. This is a fact. Decisions
   are made upon whether or not the attribute is protected, not whether or not
   it exists. Many conditions affect whether or not this attribute may be used
   in a decision.
  Hal:
   Example: a record is passed from OrgA to OrgB. Option 1 is to pass filtered
   data, with the attribute redacted by OrgA. Option 2 is to pass all data over and
   OrgB's PDP makes a decision based upon the nature of the data via local
   policy logic.
  Mike:
   It can be either.
  Hal:
   This may require machinery outside of XACML.
  Mike:
   [Described internal access control decision making process]
  Martin:
   Is this analogous to the "Are you over 18?" vs. "What's your age?"
   evaluation?
  Hal:
   The closer analogy is "Are you of age?" but, yes, it is somewhat analogous to
   what Mike is talking about.
  Mike:
   This conversation is very intriguing and I would like to continue working
   through attributes.
  Martin:
   To accomplish Mike’s goal of ABAC interoperability across organizations we
   need a semantic model of attributes.
  Hal:
   What people typically do is force everyone around a common semantic. Mike,
   coming back to your point about attribute ubiquity, this is something that we
   punted on earlier in XACML.
  Mike:
   Other groups have picked up on these topics (ANSI, HL7).
  Martin:
   This is what NIEM (the National Information Exchange Model) and NIEF (the
   National Identity Exchange Federation) have done to standardize semantics. A
   casual mapping between different terms for attributes is not likely to work
   for transactions that are highly sensitive.
  John:
   This may be handled via the introduction of key vocabulary and custom
   functions in a domain-specific Profile, where it may be easier to get
   agreement on a data model.
  Mike:
   I agree this has merit.
  Martin:
   Is this within the scope of XACML? If each business community defines various
   common concepts like name and location using different terms and syntax it
   gets messy quickly. So, I am hesitant to tackle this in a piecemeal
   fashion.
  Mike:
   A lot of this is in policy decisions and I think the VA would be interested
   in exploring standardization here.
  Hal:
   I am still not sure what the definition of proposed work is.
  Martin:
   This is slightly different than where I began the discussion, but we seem to
   be focused on the consistency of attributes.
  Hal:
   My experience in the real world is that people tend to represent attributes
   of common things in different ways. This applies to all attributes. Precise
   definition of an attribute needs to consider a variety of contexts.

Meeting adjourned.