Subject: [xacml] milan f2f minutes
From: Simon Godik (sim...@godik.com)
Date: May 6, 2002 3:04:16 am
Raw minutes I took in Milan. Simon
Monday, Apr 22
Attendees: Carlisle Adams, Don Flinn, Ann Anderson, Polar Humenn, Michiharu Kudo, Simon Godik, Bill Parducci, Pierangela Samarati, Gerald Brose (Xtradyne, observer)
C: Vote to approve minutes of Apr 18; approved.
Attributes in domain specific profiles.
Don Flinn: Problem communicating attributes between companies. Spelling could be different, semantics could be different.
Security models: flat versus hierarchical groups.
How do we communicate between entities?
Push model: An attribute namespace could define specific attributes. If 2 entities understand the namespace they can map one to the other.
XACML would recommend defining standard namespaces and attribute sets. XACML would have a namespace registration procedure.
P: How would you identify a namespace?
D: An organization could pick a keyword.
Ann: Why does OASIS need to keep a registry?
D: Convenience. 2nd complexity: will store URIs; 3rd: this format you should follow.
D: Another approach: cnt redirected to an attribute translation service. It's another way to do it, but it does not solve the problem.
Ann: XACML may want to define a set of attribute names for referring to elements in the azn decision query.
Ann: Which entity is the owner of an attribute?
Don: Last thing: security models. For security models we define a map between them. EJB has a flat namespace for roles. We may define how to translate.
Day 2, Apr 23
Ernesto: Let's shorten the doc but mention areas in which conformance should be done.
Polar: Break down by conformance level. For the SAML profile you should follow certain steps.
Carl: The goal here is to bring a topic for discussion. Polar and Ken will take charge of this.
Polar: Should it be a separate document? Could be put in the last chapter. Usually a conformance doc is very short.
Ann: If you've got several committees it's good to have several docs. When we're done we fold all docs.
Polar: Does OASIS have a conformance process?
Carlisle: They have a conformance tech committee. They offer help in the conformance process.
Interface with SAML.
Carlisle: Interface with SAML. A suggestion was made that we should not tie to SAML at all. We can define an XACML assertion and specify a SAML profile. That would allow other domains to be more comfortable with XACML.
Ann: One view is that SAML is the thing everybody maps to, and everybody maps to SAML.
Bill: Having SAML spelled out in our schema limits our appeal to a broad audience. We need to be compliant with SAML, but better to have a level of abstraction above that.
Ernesto: We were established as an addition to SAML. Our role was to use SAML assertions and be comfortable that SAML will become accepted. Technically these two approaches are not different.
Polar: Experience at the OMG shows problems with linking specs.
Michiharu: I do not have special objections to SAML use (req-resp). I would like to propose the XACML context as an abstraction layer to XACML. I do not have a specific schema that is mandatory to use. I want to explain my idea later.
Don: We need SAML to pass credentials between systems.
Ernesto: The SAML namespace will specify a specific version of SAML. I do not see a problem.
Carlisle: If we were to define our own format, would it be different?
Polar: No.
Michiharu: I do not assume any specific XACML assertion schema. My proposal is to add a transforms element that transforms any kind of SAML request into an assertion-neutral XACML context. If you write such transforms it is easy to map between SAML requests and the XACML context. Ambiguity between the SAML request and the XACML context does not exist. We can avoid the versioning problem.
Ernesto: For SAML we can have an empty XSLT stylesheet.
Ann: In XACML it makes more sense to group assertions by the holder of the assertion. Then it's more direct to refer to a particular assertion.
Ernesto: That's a rearrangement of the tree structure. Why don't we define a structure for our assertions? An extension to this stylesheet could map further assertion versions.
Ernesto: The general con call will ratify the proposal.
Security and privacy considerations.
Ann: Privacy at the PEP is different from privacy at the PDP, etc.
Polar: All we want to do is bring up some concerns, such as giving back more information with the response. The PEP can filter this kind of information.
Polar: Policy integrity: it's important.
Ernesto: XML has these facilities already, such as DSig or element encryption. We can check with W3C to see if these reqs could be satisfied.
Issue: Integrity and authenticity of a policy are out of scope. Voted: !!!!! --> accepted.
XACML context proposal (Michiharu).
Michiharu: This is just an idea of how to use XSLT in the policy.
Polar: If you do put it in the policy statement, they may each have a different transform; then different transforms should be run every time. Also, the transform depends on the input request.
Michiharu: I want to start from the XACML context. It is not affected by SAML syntax.
Carlisle: What about the response?
Ernesto: There will be cases when you go from SAML to SAML.
Ann: Are there 2 formats: SAML and XACML context?
Ann: Transforming a SAML request once may be no costlier than evaluating complicated expressions over SAML assertions.
Michiharu: It depends on the implementation.
Ernesto: We are going to define our own context. We can take the SAML schema for now, but the context definition is a part of the spec. It calls for a vote.
Carlisle: We can take votes assuming we have quorum.
Bill: I suggest writing it down and voting on a proposal.
Carlisle: We can arrange the context in such a way that references are simpler.
Bill: We have to revisit our charter.
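An added illustration of the "assertion-neutral context" idea discussed above (this is editor-supplied example code, not anything from the minutes, the TC, or any XACML or SAML schema). Each request syntax gets its own transform into one neutral context, and the decision logic only ever sees the context; a new request format, or a new version of an existing one, means one more transform rather than a change to the policy code. The transform is written in Python with xml.etree in place of XSLT, and every namespace, element name and the policy itself is constructed for the example.

```python
"""Editor-added example: two request syntaxes, one neutral context, one
policy.  Namespaces, element names and the policy are all constructed."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:example:saml-like"     # constructed, stands in for a SAML version
ALT_NS = "urn:example:other-format"   # constructed second request syntax

# Constructed SAML-style authorization decision query.
SAML_STYLE_REQUEST = f"""
<Request xmlns="{SAML_NS}">
  <AuthorizationDecisionQuery Resource="https://example.org/payroll/report">
    <Subject><NameIdentifier>alice</NameIdentifier></Subject>
    <Action Namespace="urn:example:actions">read</Action>
    <AttributeStatement>
      <Attribute Name="role"><Value>hr-manager</Value></Attribute>
      <Attribute Name="clearance"><Value>internal</Value></Attribute>
    </AttributeStatement>
  </AuthorizationDecisionQuery>
</Request>"""

# A different (constructed) request syntax carrying the same information.
ALT_REQUEST = f"""
<access xmlns="{ALT_NS}" who="alice" what="read" on="https://example.org/payroll/report">
  <attr key="role">hr-manager</attr>
  <attr key="clearance">internal</attr>
</access>"""


def saml_style_to_context(xml_text):
    """Transform 1: SAML-style query -> neutral context dict."""
    root = ET.fromstring(xml_text)
    ns = {"s": SAML_NS}
    q = root.find("s:AuthorizationDecisionQuery", ns)
    attrs = {a.get("Name"): a.findtext("s:Value", namespaces=ns)
             for a in q.findall("s:AttributeStatement/s:Attribute", ns)}
    return {
        "subject": q.findtext("s:Subject/s:NameIdentifier", namespaces=ns),
        "resource": q.get("Resource"),
        "action": q.findtext("s:Action", namespaces=ns),
        "attributes": attrs,
    }


def alt_to_context(xml_text):
    """Transform 2: the alternative syntax -> the same neutral context."""
    root = ET.fromstring(xml_text)
    ns = {"a": ALT_NS}
    return {
        "subject": root.get("who"),
        "resource": root.get("on"),
        "action": root.get("what"),
        "attributes": {e.get("key"): e.text for e in root.findall("a:attr", ns)},
    }


# Transforms are selected by the root element's namespaced tag, so an
# unknown request syntax is rejected instead of being half-interpreted.
TRANSFORMS = {
    "{%s}Request" % SAML_NS: saml_style_to_context,
    "{%s}access" % ALT_NS: alt_to_context,
}


def to_context(xml_text):
    tag = ET.fromstring(xml_text).tag
    if tag not in TRANSFORMS:
        raise ValueError(f"no transform registered for {tag}")
    return TRANSFORMS[tag](xml_text)


def decide(context):
    """Constructed policy over the neutral context only: an hr-manager may
    read payroll resources; anything else is denied (deny by default)."""
    if (context["action"] == "read"
            and context["resource"].startswith("https://example.org/payroll/")
            and context["attributes"].get("role") == "hr-manager"):
        return "Permit"
    return "Deny"


def decide_request(xml_text):
    """Whole pipeline: any registered syntax -> context -> decision."""
    return decide(to_context(xml_text))


if __name__ == "__main__":
    for req in (SAML_STYLE_REQUEST, ALT_REQUEST):
        print(to_context(req), "->", decide_request(req))
```

The point the block makes is that `decide` never inspects SAML or the alternative syntax: both requests produce an identical context and therefore an identical decision, and a request in a syntax with no registered transform fails closed with an error rather than a guessed interpretation.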
IBM IP.
Michiharu: I can tell you about the contents of the patent. This patent, submitted in Japan, is an access control system for provisional actions. The access request comes from the left (110); the box (10) is the policy evaluation module and box (20) is the policy enforcement module. This module is focused on obligations or provisional actions. This module can have a set of enforcement plugin modules such as logging, encryption, etc. For example, a request comes in and the policy evaluation module determines if access is allowed or denied. If it contains obligations (113) then they are sent to the enforcement module. If those external conditions are not satisfied, access denied is sent back to the requestor.
Ernesto: We can ask for a letter from IBM similar to ebXML. There are also issues on 'content guard' patents.
Carlisle: In the context of 'content guard', they would not be able to make any determination before they have the final spec.
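The evaluation/enforcement split described above, as an added example (editor-supplied; it is not code from the minutes, from IBM, or from the patent, and the obligation ids, plug-ins and toy PDP are all constructed). The PDP's answer is "permit, provided these actions are carried out"; the PEP runs one enforcement plug-in per obligation and grants access only when every obligation has been fulfilled. An obligation the PEP has no plug-in for, or one whose plug-in fails, turns the outcome into Deny, so the decision fails closed exactly as the description says.

```python
"""Editor-added example: a PEP that treats PDP obligations as conditions of
access.  Policy, obligation ids and plug-ins are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Decision:
    effect: str                                      # "Permit" or "Deny"
    obligations: list = field(default_factory=list)  # [(obligation_id, params)]


def toy_pdp(subject, action, resource):
    """Constructed policy: members of 'finance' may read ledger files, every
    access must be logged, and copies leaving via the export channel must
    be encrypted.  Everything else is denied outright."""
    if (action == "read" and resource.startswith("ledger/")
            and "finance" in subject.get("groups", ())):
        obligations = [("log-access", {"user": subject["id"], "resource": resource})]
        if subject.get("channel") == "export":
            obligations.append(("encrypt-output", {"recipient": subject["id"]}))
        return Decision("Permit", obligations)
    return Decision("Deny")


class PEP:
    """Enforcement module with pluggable obligation handlers."""

    def __init__(self):
        self.audit_log = []
        # Only a logging plug-in is registered by default; encryption is not,
        # so a Permit carrying 'encrypt-output' cannot be honoured and is denied.
        self.plugins = {"log-access": self._log_access}

    def _log_access(self, params):
        self.audit_log.append(f"{params['user']} read {params['resource']}")
        return True

    def enforce(self, subject, action, resource):
        """Returns (final_effect, reason).  Permit only if the PDP permitted
        AND every obligation was carried out successfully."""
        d = toy_pdp(subject, action, resource)
        if d.effect != "Permit":
            return "Deny", "policy denied"
        for oid, params in d.obligations:
            plugin = self.plugins.get(oid)
            if plugin is None:                # unknown obligation: fail closed
                return "Deny", f"unsupported obligation {oid}"
            try:
                fulfilled = plugin(params)
            except Exception:                 # plug-in crashed: fail closed
                fulfilled = False
            if not fulfilled:
                return "Deny", f"obligation {oid} failed"
        return "Permit", "all obligations fulfilled"


if __name__ == "__main__":
    pep = PEP()
    alice = {"id": "alice", "groups": ("finance",)}
    print(pep.enforce(alice, "read", "ledger/2024.csv"))
    print(pep.enforce({**alice, "channel": "export"}, "read", "ledger/2024.csv"))
```

Two design points worth noticing: the PDP never learns whether its obligations were actually performed, which is why the PEP, not the PDP, must own the final answer; and obligations run in the order the PDP listed them, so a later failure does not undo an earlier side effect such as the audit entry. A real PEP would order obligations so that checks precede irreversible actions.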