
xspa message



Subject: Draft meeting minutes July 29, 2015


Minutes for 29 July 2015 TC meeting.

Started at: 11:05 am EDT

Attendance:
Duane DeCouteau (Voting Members)
Mike Davis (Voting Members)
Mohammad Jafari (Chair)
Paul Rabinovich (Member)
Tony Mallia (non-member, VHA)

Quorum was reached (3 out of 3 (100%) of voting members)
 
1. Approval of the minutes from the previous meeting (21 October 2014):
https://lists.oasis-open.org/archives/xspa/201410/msg00002.html

Unanimously approved.

2. Discussion of the latest updates to the working draft (WD08) 
https://www.oasis-open.org/apps/org/workgroup/xspa/download.php/54321/saml-xspa-v2.0-wd08

a) Adding new attributes for Integrity, Compartment, and Purpose.
b) Adding a note in the introduction about the consequences of this profile for recording the principal's attributes in audit.
 
Mohammad presented an overview of the new updates.

Mike: Is it not sufficient to have one composite attribute for clearance and leave it to HL7 HCS to define its details?
Mohammad: The SAML TC recommended against defining composite attributes due to interoperability issues.

Mike: Purpose of Use is an attribute of the environment because it defines the context of an action.
Duane: But in a transaction, we can consider the purpose of the transaction to be the purpose of the Action.
Mohammad: Conceptually I think purpose is an attribute of an action but it's a matter of convention. We chose in our earlier meetings to harmonize with the XACML privacy profile, which defines purpose as an attribute of action.
Tony: What happened to XSPA 1.0 purpose of use which was an attribute of Subject?
Mohammad: We have listed that in the table of attributes planned for deprecation.
Mike: It is not desirable to change the name "purpose of use" to "purpose" since it is a well-known term in healthcare.

Mohammad: Do we need an additional attribute for Purpose as clearance? It encodes the set of purposes a principal is allowed to claim, as opposed to the purpose of the current transaction.
Tony: It is decided by the provisioning. But it shouldn't affect the PDP decisions. The policy decision must be based on the purpose of use for this transaction, not what the principal is allowed to claim. For example, if the purpose of 'billing' is not allowed for this transaction it shouldn't matter that the principal also has the clearance for 'treatment.'
Mohammad: This attribute is only supposed to report the clearance and does not imply any policy decision.
Tony: It seems none of the current use cases need this attribute.
Duane: Technically, one can make a decision on this basis.

Since we reached the end of the meeting Mohammad will match this with the HL7 HCS standard and the TC will discuss this further in the next meeting.
 
Adjourned at: 11:58 am EDT


Regards,
Mohammad Jafari, Ph.D.
Chair, OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) Technical Committee


