From: Ken Yagen (kya...@crosslogix.com)
Date: Nov 15, 2001 8:48:55 am
Subject: [xacml] XACML November 15, 2001 Minutes

XACML Conference Call
Date: Thursday, November 15, 2001
Time: 10:00 AM EST
Tel: 512-225-3050 Access Code: 65998
Minutes of Meeting
We briefly discussed the policy subcommittee work description to see if there were any questions for Pierangela. Then Pierangela reported on the progress of the PM subcommittee. Progress has been made on characterizing principal and resource. A decision was made to use specific and sufficient conditions rather than negative authorizations; Pierangela described these and will follow up by posting more information to the list. It was also mentioned that Simon had proposed semantics to define the types of actions allowed on a resource, and this is being discussed. Another open issue is whether to use XPath to extract information from SAML assertions, specifically whether the operators XPath defines are necessary and sufficient for what XACML needs.

Next the face-to-face was discussed, and January 23-24 or 24-25 was tentatively agreed to. Bill and Ken are looking for a location in California.

The last topic was how we will interpret the OASIS requirement that three members be successfully using the specification. Some agreement was reached, which Carlisle and Bill summarized. Carlisle will follow up with a submission to the list that we can vote on at the next call.
Action Items
1. Need an Intellectual Property Chair (outstanding from 11/1)
2. Carlisle to email Ken the request from Simon Blackwell to rejoin the TC
3. Pierangela to post a paper to the list that describes the notion of sufficient versus specific conditions
4. Pencil in two days in the January 23rd - 25th range. Ken and Bill will look for a location in the Bay Area and near Anaheim/LA respectively
5. Michiharu to post the schedule from the 11/1 call to the website
6. Carlisle to write up a formal statement of what we will define as successfully using the specification for the submission requirement to OASIS, and post it to the list so we can vote on it at the next concall
Issue List Candidates
1. Pierangela mentioned something discussed in the PM group that may not coincide with the glossary concerning pre- and post-conditions
2. Should we support negative authorizations, or Pierangela's proposal of specific/sufficient conditions? (The PM subcommittee seems to have decided on no negative authorizations)
3. Simon's proposal for semantics on the types of actions allowed for a resource
4. Use of XPath for identifying SAML constructs, and the use of XPath operators
5. XACML's definition of the OASIS requirement to successfully use the specification
Minutes from 11/1 meeting accepted
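Two of the open issues above, pulling subject information out of a SAML assertion with XPath and evaluating rules with specific (necessary) and sufficient conditions instead of negative authorizations, are easier to see in running code. The following is an added illustration written for these minutes; it is not the PM subcommittee's draft, not XACML, and not code from any TC member. The assertions, the attribute names, the resource and action names, and the rule set are all constructed for the example, and the reading that a failed specific condition denies outright while any one satisfied sufficient condition grants is an assumption about the proposal as described on the call.

```python
import xml.etree.ElementTree as ET

# SAML 1.0 assertion namespace (the SAML version current in November 2001).
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertions for two hypothetical subjects; not from the minutes.
ALICE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1"
    MinorVersion="0" AssertionID="a-001" Issuer="idp.example">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>committee-member</saml:AttributeValue>
      <saml:AttributeValue>editor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

BOB_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1"
    MinorVersion="0" AssertionID="a-002" Issuer="idp.example">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>bob</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>editor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def subject_attributes(assertion_xml):
    """Pull {AttributeName: set(values)} out of an assertion using the XPath
    subset ElementTree supports (location steps, namespaces, simple predicates)."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS)}
        attrs[attr.get("AttributeName")] = values
    return attrs


def has_attribute_value(assertion_xml, name, value):
    """The 'does this value occur in any AttributeValue node' test written as a
    single XPath predicate.  name/value are interpolated into the path, so only
    pass strings controlled by the policy, never subject-supplied input
    (XPath injection)."""
    root = ET.fromstring(assertion_xml)
    path = f".//saml:Attribute[@AttributeName='{name}']/saml:AttributeValue[.='{value}']"
    return root.find(path, NS) is not None


# Rule = (kind, resource, action, required attribute values).  'specific' rules
# are necessary conditions: every applicable one must hold or access is denied,
# so the committee-member requirement is stated once rather than ANDed into
# every grant.  'sufficient' rules grant on their own once the specific ones
# hold.  No negative rules exist, so no conflict resolution step is needed.
RULES = [
    ("specific",   "minutes", "read",  {"role": "committee-member"}),
    ("sufficient", "minutes", "read",  {"role": "editor"}),
    ("sufficient", "minutes", "read",  {"role": "chair"}),
    ("sufficient", "minutes", "write", {"role": "chair"}),
]


def condition_holds(required, attrs):
    return all(v in attrs.get(name, set()) for name, v in required.items())


def decide(attrs, resource, action, rules=RULES):
    """Return 'permit' or 'deny' for one (subject attributes, resource, action)."""
    applicable = [r for r in rules if r[1] == resource and r[2] == action]
    specific = [r for r in applicable if r[0] == "specific"]
    sufficient = [r for r in applicable if r[0] == "sufficient"]
    if not all(condition_holds(r[3], attrs) for r in specific):
        return "deny"        # a necessary condition failed; no rule can override it
    if any(condition_holds(r[3], attrs) for r in sufficient):
        return "permit"
    return "deny"            # closed world: nothing granted access


def decide_from_assertion(assertion_xml, resource, action, rules=RULES):
    """Decision given the SAML assertion as the input, per the interop discussion."""
    return decide(subject_attributes(assertion_xml), resource, action, rules)


if __name__ == "__main__":
    for who, a in (("alice", ALICE_ASSERTION), ("bob", BOB_ASSERTION)):
        print(who, "read minutes:", decide_from_assertion(a, "minutes", "read"))
        print(who, "write minutes:", decide_from_assertion(a, "minutes", "write"))
```

The predicate form in has_attribute_value is the "in any of the node paths" check raised on the call: plain XPath 1.0 location paths with a predicate cover it, but anything beyond equality on a text node (set membership against a list, comparisons across assertions) is where the XQuery-style extensions Ernesto mentioned would come in. Note that bob, who is an editor but not a committee member, is denied without any negative rule being written.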
Raw Minutes (taken by Ken Yagen)
10:00-10:10 Roll Call and Agenda Review
10:10-10:15 Vote to accept minutes of November 1 meeting
10:15-10:20 Administrative Items (e-mail voting; non-TC member access to
10:20-10:25 Discussion of Policy Model work description
10:25-10:35 Report of Policy Model Sub-Committee
10:35-10:40 Report of other sub-committees (conformance, IP, security &
10:40-10:50 Discussion of next Face-to-Face (U.S. West coast, sometime
10:50-11:00 Discussion of proposed Schedule and Milestones (in particular,
draft spec by Dec. 1)
Ken Yagen, Crosslogix
Hal Lockhart, Entegrity
Fred Moses, Self
Carlisle Adams, Entrust
Jason Rouault, HP
Michiharu Kudoh, IBM
Bill Parducci, Self
Suresh Damodaran, Sterling Commerce
Pierangela Samarati, University of Milan
James MacLean, Affinitex
Ernesto Damiani, University of Milan
10:09 Administrative Issues
Carlisle brought up that Karl Best questioned whether we allow email voting and access to the mailing list by non-TC members. Both were voted on at previous meetings and are allowed, and this is posted on the website under membership.
10:12 Motion to accept minutes of meeting of 11/1 voted and accepted
10:12 Discussion of Policy Model work description
The charter was accepted at the last call, but Carlisle asked if there were any questions anyone would like to raise for Pierangela.
Carlisle - question about the 3 layers of language: are they separate work items or specs?
Pierangela - it allows you to work separately on different phases, but all are part of the same work item.
10:15 Report on 11/12 PM Call
Pierangela - Discussion of the semantics and syntax of the language and the formats of the rules. Completed characterization of the principal expression. Should also be done with the format of the resource. Went on to discuss the action expression and condition. 2-3 changes to the glossary - notion of pre- and post-conditions. A rule has different parts: principal, resource, action, conditions to satisfy, and post-conditions. Positive and negative authorization: agreed to take a look at this. Instead, 2 kinds of rules: one with specific conditions for access to be granted and another with sufficient conditions. Specific must be granted or else it will be denied.
Asked for a written example on the list - Pierangela will post a paper with a pointer to the relevant part.
Hal - also defined an AND and an OR.
Pierangela - won't have to put the AND condition for a required condition in every rule (i.e., "and is a committee member", ...). Less complex to manage than with a negative authorization rule.
Hal - this seems to interact with a number of other things, including the conflict resolution step. Would like to look at the whole thing.
Ernesto - There was a proposal by Simon to introduce semantics about the type of action allowed on a resource type. We said we will look into standards and decide if we want to define something. Check whether a given action is relevant to a given resource.
Hal - private namespaces maybe to define this. More an issue at policy creation time.
Ernesto - Small issue - agreed on the XPath technique to extract info from SAML assertions, but the standard form lacks expressive power, like an "in" operator to verify a given assertion in any of the node paths. Ernesto said he would look into the extension of XPath used in XQuery.
Carlisle - did look at the document for XPath/XQuery and it is much richer than what we need for XACML. Don't know if it is more valuable to profile it and define what we need, or to define our own operators.
Ernesto - the value of the XPath standard is that you require future iterations to use XPath that is already defined. Otherwise, implementation may be more work.
Carlisle - agree with using it to locate assertions, but question pulling operators from it.
10:33 Other subcommittees
Conformance - Tim
IP Security, Privacy - Joe
Both not present on the call, but don't think anything has been done.
10:34 Next F2F
Not enough people committed to justify a meeting
Current plan is to schedule for early next year - January.
Offer from U Milan to host at any time. Propose January on the West Coast.
Ken - can look what is available in bay area.
Carlisle - what weeks are bad?
Ernesto - earlier the better but not first week
RSA in February (18-22). OMG is Jan 28 in Anaheim
Michiharu - before 1/21 cannot attend but after, can
Pencil in the 23rd - 25th
Bill will look into LA.
Most 15 people
Ken - maybe another meeting at RSA conference 2/18-2/22. More important to get everyone at January meeting
Draft standard slated for December 1.
Ernesto - probably a bit optimistic
Hal - once circulated some other dates via email. A 2/14 draft was proposed at the last call and is in the minutes.
Ernesto - that sounds reasonable
Michiharu to pull from 11/1 minutes and post to website.
Other issues to discuss
Ernesto - reference implementation requirement mentioned by Bill
Hal - 3 members certify they are successfully using the specification. No requirement for interoperability. We decide what "successfully using" means.
Carlisle - what would the committee like that to mean? Interoperability, or produce a spec?
Fred - talked about reference implementation.
Hal - GA product is probably unrealistic. Would like syntactic interoperability. Party B can consume what is produced by party A.
Fred - how much of an environment required?
Ken - what about saml?
Hal - we would propose extensions to SAML. Those would have to be tested in a SAML context.
Ken - look for SAML assertions - XPath - discussed
Ernesto - a reference implementation would be a sample PDP or PEP that can evaluate and enforce. You are discussing interoperability.
Hal - suspicion that a reference implementation will be limited by available labor.
Suresh - someone mentioned policy might be sent with SAML. Will it be visible outside the firewall?
Carlisle - one use case where the policy travels with a health record to another site. In the general case it could happen.
Hal - a DRM problem as well. Nothing in XACML to prohibit it.
Carlisle - Tim had in mind a policy and a set of inputs such that different PDPs could parse them and come up with the same answer.
Hal - more concerned with the enforcement part. Doesn't speak to generating policy.
Ken - recreate the policy that was consumed
Hal - issues with evaluating if it is an equivalent form.
Bill - valuable to create policy that others can read properly
Carlisle - the definition is: handed a policy and the relevant inputs, can come up with a decision others could also come up with. Some or all of the inputs are in SAML syntax and the outputs are also SAML assertions.
Bill - what about generating policy that others can digest?
Carlisle - yes, would have to have that.
Ken - write it up and formally agree.
Carlisle will send out email with this and we can vote at the next teleconference
Link: http://lists.oasis-open.org/archives/xacml/200111/msg00003.html