|Rich.Levinson||Nov 4, 2010 7:12 pm|
|Subject:||[xacml] Minutes from 4 November 2010 TC Meeting:|
|Date:||Nov 4, 2010 7:12:34 pm|
Time: 13:00 EDT Tel: 513-241-0892 Access Code: 65998
Minutes from 4 November 2010 XACML TC Meeting:
13:00 - 13:05 Roll Call & Approve Minutes:
Voting Members:
Paul Tyson, Bell Helicopter Textron Inc.
Bill Parducci, Individual
Naomaru Itoi, NextLabs, Inc.
Rich Levinson, Oracle Corporation
Hal Lockhart, Oracle Corporation
John Tolbert, The Boeing Company
David Staggs, Veterans Health Administration
Members:
Franz-Stefan Preiss, IBM
Guest:
Greg Neven, IBM
Did not achieve quorum at the start of the meeting. Some additional members joined later.
Approve Minutes: 21 October 2010 TC Meeting
http://lists.oasis-open.org/archives/xacml/201010/msg00011.html
Deferred to next meeting.
Administrivia:
New OASIS TC Proceedings and Definitions (15 Oct 2010) (same as last meeting; left in place for visibility and reference)
http://www.oasis-open.org/committees/process-2010-07-28.php
XACML v3 Status (unchanged): 1 attestation received to date.
Issues (carried over from last meeting):
HL7 examples: There has been a request for clarification with HL7 documents and examples:
http://lists.oasis-open.org/archives/xacml/201010/msg00004.html
-> [Action] David to propose a specific change and we will discuss if it can be handled as errata.
PIP directive proposal: "Telling the PIP where to pull from"
David Chadwick has raised the concept of additional processing associated with PDP <-> PIP interaction:
http://lists.oasis-open.org/archives/xacml/201010/msg00005.html
Additional discussion:
paul: http://lists.oasis-open.org/archives/xacml/201010/msg00006.html
david: http://lists.oasis-open.org/archives/xacml/201010/msg00007.html
david: http://lists.oasis-open.org/archives/xacml/201010/msg00009.html
rich: http://lists.oasis-open.org/archives/xacml/201010/msg00013.html
david: http://lists.oasis-open.org/archives/xacml/201010/msg00015.html
Discussion put off until next meeting because David sent regrets that he could not be present today.
Guest Presentation (continued): This presentation will have discussion continued from last meeting.
The presentation slides have been uploaded to the XACML TC Repository here:
http://www.oasis-open.org/committees/document.php?document_id=39960
PrimeLife Project (same background paragraph as last meeting): Greg Neven of IBM Research, Zurich will be presenting an overview of the PrimeLife Project with proposals for how XACML and SAML may be able to address various requirements associated with this work. For background reference, a paper that Greg presented at the W3C-sponsored Workshop on Access Control may be found here, entitled:
"Credential-Based Access Control Extensions to XACML"
http://www.w3.org/2009/policy-ws/papers/Neven.pdf
Discussion points from last meeting are copied from the minutes to here for reference; today's discussion notes are below:
********* last meeting: "Discussion: Paul noted that there have been some ontological discussions on Attributes that may be applicable to this solution. Mike Davis voiced interest in exploring this direction as well.
HL7 noted that they are developing simple hierarchical ontologies using OWL for the healthcare space.
Tony raised a question on how anonymized Predicates may be assigned to a Subject without compromising anonymity.
David Chadwick offered that a solution he is working with relies upon a localized PIP to address credential validation. Greg noted that this is for Attribute values only and not Predicates.
Paul suggested that the proposed insertion of Conditions into a SAML assertion is a concern because these are not the same logical data types."
********* follow-up emails since last meeting: "Attribute Assertions in XACML request"
paul: http://lists.oasis-open.org/archives/xacml/201010/msg00012.html
greg: http://lists.oasis-open.org/archives/xacml/201011/msg00001.html
Today's meeting: Hal's notes on PrimeLife discussion:
Greg: responded to Hal's question posted by email. A Condition expression would be used to request an assertion asserting the value of the condition. It is also used in the Assertion to indicate what is being asserted. It might or might not be used in the policy, depending on which proposal is chosen.
Paul: commented on the ability of ontologies and reasoning engines to implement these capabilities.
Greg: clarified some of the issues raised by Hal and others by reference to slides 11 & 14 in the presentation.
Rich: outlined an approach to the policy portion of the problem using a scheme which was a variation of the simple solution presented by Greg and building on the OpenAZ work.
Hal: asked how the SAML "assertion of a condition" scheme would work with anonymous credentials. Greg said that a credential could be constructed from which various partial information could be extracted, in effect using different signature values. The client would hold a credential constructed by the IDP originally. The client would be able to construct values to assert different expressions from it. It would not be able to do all possible XACML conditions, but many useful ones.
It was agreed to continue discussions on the list.
Rich's notes on PrimeLife discussion at today's meeting:
Hal: could have PIP evaluate condition and return boolean as attribute value.
Greg: slide 14: 2 possible conditions? how to evaluate w/ external conditions? slide 12: certified condition?
Hal: property of resource vs property "certified condition"; a SAML assertion certifies a condition to be true (or false); condition specified in policy; has missing condition: what is condition going to be asked for; if can teach IdP that attr "A" ...
Franz-Stefan: what about classes?
Paul: can establish classes of any complexity, etc.; defining class of people - can do that - business rules are represented that way.
Rich: raised issues about where "policy" is actually defined - i.e. in XACML or outside in ontological objects? concern is policy concepts leaking outside of XACML.
Hal: need more info on crypto aspect of SAML.
Greg: condition over attrs: signature algorithm over the values of attributes provided.
Hal: wants to know the relation between policy and the evaluation of attrs.
Greg: user has credential, which is a condition over those attrs; certifying of condition will be done by customer.
Hal: will try to pull apart separable issues; plan to present to SAML week after next: 16th.
Note: Hal suggested slide 7 is really the set of use cases to look at to get the concept of the expression being asked for.
Next call: Nov 18. Meeting adjourned 2PM ET.