Subject: Re: [xacml] Minutes of XACML TC mtg: 3-Jul-08
All,

There is a small error in the minutes. I think we decided to adopt the
proposals made on

Security considerations for the access-permitted function
http://lists.oasis-open.org/archives/xacml/200806/msg00044.html

and

Issue 89, Adding a description element
http://lists.oasis-open.org/archives/xacml/200806/msg00047.html

But the minutes do not state the decisions were made.

Best regards,
Erik

Rich.Levinson wrote:
> Minutes of XACML TC mtg: 3-Jul-08:
>
> Time: 10:00 am EDT
> Tel: 512-225-3050 Access Code: 65998
>
> Attendance:
>
> Voting Members
>
> Erik Rissanen Axiomatics AB
> Anthony Nadalin IBM
> Rich Levinson Oracle Corporation
> Hal Lockhart Oracle Corporation
> Anil Saldhana Red Hat
> Seth Proctor Sun Microsystems
> David Staggs Veterans Health Administration
>
> Members
>
> Duane DeCouteau Veterans Health Administration
>
> OASIS Staff
>
> Dee Schur OASIS
>
> Note:
>
> Next call in 2 weeks Jul 19. Hal will probably not be able to
> chair. Hopefully, Bill can handle.
>
> Agenda: ("Minutes" after each agenda item)
>
> 10:00 - 10:05 Roll Call & Minutes Approval
> Vote on Minutes from 19 June TC Meeting
> http://lists.oasis-open.org/archives/xacml/200806/msg00043.html
>
> Minutes approved.
>
> 10:05 - 10:10 Administrivia
>
> XACML Interop Update (London: Oct 2008)
> http://lists.oasis-open.org/archives/xacml/200806/msg00038.html
>
> Dee: go to forum page: xacml listed Wed PM.
> Cost is $500/participant company (we get to be in main castle
> room)
> Need commitments
> Erik in
> Tony - depends, for now, we're
> Anil (red hat) in
> David (VA) not present
> Rich - probably not in
> Dee says Sampo is probably in
>
> Duane will participate in mtgs and fill in details
>
>
> SVN Status - Waiting for word from Jamie
>
> Legal issues on source control, still waiting
> for details
> Std boiler plate - issue by Deviant people if they
> can use pieces of schemas etc.
>
> OGF document released for public comment: "Use of XACML
> RequestContext..."
> http://lists.oasis-open.org/archives/xacml/200806/msg00049.html
>
> Robin Cover distributed - geo space people want to stdize
> around req/rsp protocol
>
> A dynamic revocation model for XACML
> http://lists.oasis-open.org/archives/xacml/200807/msg00000.html
>
> Attributes of delegate when issued policy, if interested
> read paper - whether current admin can revoke policies
> created by previous admin.
> Relies on attributes saved and signatures and is "somewhat
> heavy to implement"
>
> 10:10 - 11:00 Issues
> Issues #71 and #76 (multi-categories)
> http://lists.oasis-open.org/archives/xacml/200806/msg00041.html
>
> Supporting multiple intermediaries, codebases. Hal now
> agrees w Erik, don't want to add new functionality
> for this.
>
> WS-XACML Review
> http://lists.oasis-open.org/archives/xacml/200806/msg00029.html
>
> Hal: potentially a solution to reqt how do you know
> what attr should be provided to PDP. Vocab could
> be gleaned from policies, create an xml document
> and say that is vocabulary, etc.
>
> Erik: think it's fine, raises reasonable things, if there
> is a demand from users should consider moving it forward.
>
> Hal: if going to req from pdp, what attr to provide.
>
> Erik: also contains privacy policy, how enforced.
>
> Hal: philosophy same as obligations
>
> Erik: Anne sent ref to paper that describes protocol
> setting to enforce - is concerned whether possible to
> enforce at all.
>
> Hal: privacy work was with some academic people, but can
> also be used for other purposes than privacy. As much
> as possible leveraging machinery that already exists
> access to pdp engines that already contain parsing
>
> Erik: xpath concern in there, WS-Policy dropped ignorable.
> Anne had restriction on xpath that there would always
> be unique - does not think it is sufficient, because can
> use different namespaces to get around.
>
> Hal: still hopeful Daniel can get back in.
>
> Passing parameters to the attribute designator
> http://lists.oasis-open.org/archives/xacml/200806/msg00042.html
>
> From Anil Tappetla: Erik been considering, understands
> need for parameters, but not sure policy is right place
> for it. Any semantics? Need to provide a use case to
> better understand the issue.
> Hal: maybe part of vocabulary, what is syntax of attrs
> that policy can be found and how do you find them.
> Erik: without more info would be inclined to say no.
>
> Security considerations for the access-permitted function
> http://lists.oasis-open.org/archives/xacml/200806/msg00044.html
>
> Erik: in general fcn may not terminate. Limit on depth
> is a problem. Propose a limit either in std or impl
> based in metadata.
>
> Hal: this might be useful in metadata.
>
> Hal: attacker could send poison policy to mess up system.
>
> Issue 88, general xpath functions again
> http://lists.oasis-open.org/archives/xacml/200806/msg00045.html
>
> Either general library or specific subset. xpath contains
> data types that do not fit xacml in any way.
> Craig/Erik: propose we make up specific fcns and refer to
> xpath and not plug into full xpath.
> Hal: purpose is manipulating request context.
> Erik: this is our identifier and the function does the same
> thing as the xpath spec.
> Erik: we defined general import, but not a good idea, then
> imported subset and found problems there. Now suggesting
> we just have identifiers that have limited interpretation
> but are equivalent to selected xpath specifics
>
> Issue 89, Adding a description element
> http://lists.oasis-open.org/archives/xacml/200806/msg00047.html
>
> Either add to expression type or to apply. If you add to
> apply will be more generally pervasive.
>
> A problem in the multiple resource profile
> http://lists.oasis-open.org/archives/xacml/200806/msg00048.html
>
> Erik: in the policy can specify xpath version. Mult res prof
> req does not have similar identification of version.
> Add an element for 3.0
>
> The duration data types
> http://lists.oasis-open.org/archives/xacml/200807/msg00001.html
>
> Looks like oversight. However, if we add it then some of fcns
> there become redundant.
> Hal: intro new ones and give warning redundant will be
> removed in future. Sometimes convenient to keep around.
> Erik: adding date/time and year/month not the same.
>
>