MACE-paccman Call 2-Sep-2010
*Attending*
Tom Dopirak, CMU (co-chair)
Keith Hazelton, U. Wisconsin (co-chair)
Rob Carter, Duke
Tom Barton, U. Chicago
Michael Gettes, Independent
Mark Scheible, NC State
Tom Zeller, U. Memphis
Renee Frost, Internet2
Steve Olshansky, Internet2
*New Action Items*
[AI] (Rob) will contact a caBIG participant about use cases, esp. related to federated access
[AI] (Rob) will look at adding named anchors to the use cases
[AI] (Keith) will contact the professor behind HERAS about whether he may have grad students interested in pursuing some of our use cases
[AI] (Keith) will send links to HERAS, SPOCP, ACamp policy engine group, ABFAB mailing list info and charter
[AI] (TomD) will provide docs on Oracle Entitlements Server (OES)
[AI] (TomD and Keith) will work on swimlane diagrams for use cases
[AI] (All) will suggest topics for the Advance CAMP follow-up track session at the Fall Internet2 Member Meeting
*Carry Over Action Items*
[AI] (Keith) will create a business process model for selected MACE-paccman use cases.
[AI] (TomD) will contact appropriate individuals regarding perMIT source code.
[AI] (TomD) will rewrite his suggestion concerning categorization of use cases based on audit issues versus compliance requirements.
[AI] (Everyone) will give Rob feedback on his start on the “Use Case Tabulation” on the wiki:
https://spaces.internet2.edu/display/macepaccman/Use+Case+Tabulation
[AI] (Rob) will finish attaching numbers/identifiers to MACE-paccman use cases in preparation for promoting them (or pointers to them) from the wiki to the website.
[AI] (Keith, Rob, Paul, and Albert) will move forward on mapping access management use cases to XACML.
DISCUSSION
*Modeling Use Cases*
Keith is selecting use cases on which to model business process and chart out XACML. He will make a pass through and look at proposed solutions.
It was suggested that the 6 use cases with Grouper, perMIT and Rice solutions could be a good set of use cases to focus on:
https://spaces.internet2.edu/display/macepaccman/Selected+Use+Cases
*XACML and SPML*
TomZ has been in touch with folks at UNC regarding SPML code. The plan is that the code will be released soon.
TomZ reported that the OASIS TC is looking for use cases to help refine SPML. TomZ is looking forward to the XACML representations of the paccman use cases to help move along the OASIS TC efforts.
TomZ noted that SPML supports different profiles to express the information passed. The paccman use cases involving provisioning of permissions might not be supported by the current version of the SPML spec, since it is based on attribute values. It would be good to bring these issues to the forefront. Provisioning could be the best approach in some cases; in other cases a SAML expression to pass values could be the answer. TomZ commented that the XACML examples aren't based on named string name/value pairs. Instead, XACML relies more on written language. It might be possible to embed strings. SPML supports search over SAML. Keith mentioned that for policy evaluations, there sometimes have to be attributes plugged into a natural-language-like sentence.
It was agreed this is a good topic for a future discussion, when we understand better what SPML can do.
*Federated Use Cases Discussion*
TomB: Do we have use cases that highlight federated use cases?
Rob: Yes, 3 or 4 of the use cases are clearly federated. Also, we are hoping to get additional federated use cases from caBIG.
TomB stated that U. Chicago has reached agreement with U. Wisconsin-Madison to develop a knowledge-based service. The service may be provisioned in a new way. There could be provisioning of U. Chicago people to roles within the system developed at Madison.
TomB: How do we define a federated use case? Is it a use case in which the PDP (Policy Decision Point) has to fetch attributes from a federation member?
Keith: A federated use case could mean that some of the subjects in the use case have an IdP distinct from the IdP of the service provider.
*perMIT Code*
There have been discussions with MIT about plans for the perMIT source code. MIT's plan is to make the code available. This could take 3-6 months. Brown and CMU have expressed interest in the code.
*Use Cases on the Wiki*
Rob has made good progress in categorizing use cases on the wiki:
https://spaces.internet2.edu/display/macepaccman/Use+Case+Tabulation
Rob hopes to put more use cases from the paccman use case library into this tabulation format. The goal is to create a reference library, so people can look at these as patterns for cases they may have. TomB suggested adding anchors for easy linking to the use cases. Rob agreed.
TomD is working on swim lane diagrams for some use cases at CMU. He and Keith will coordinate, since this could be helpful for the business process modeling.
[AI] (TomD and Keith) will work on swimlane diagrams for use cases
*Discussion of Policy Engines, HERAS, SPOCP, etc.*
[AI] (Keith) will send links to HERAS, SPOCP, ACamp policy engine group, ABFAB mailing list info and charter
Keith provided these links:
HERAS: http://www.herasaf.org/heras-af-xacml.html
HERASAF XACML Core -- The XACML Core component is responsible for evaluating XACML 2.0 access requests.
SPOCP: http://www.spocp.org/index.html
Note: Leif has stated that the web page needs some attention.
Some of the source is hosted at: http://devel.it.su.se/pub/jsp/polopoly.jsp?d=3778
Keith encouraged participation in the Advance CAMP Policy Engine WG:
https://spaces.internet2.edu/display/ACAMPActionItems/ACAMP2010+-AssessPolicyEnginesUsingPaccmanUseCases
The action item for this group is to "Assess Various Policy Engines using MACE-Paccman Benchmark Use Cases"
ABFAB (Application Bridging for Federated Access Beyond web)
Mailing list info: https://www.ietf.org/mailman/listinfo/abfab
It was suggested to find out if the professor behind HERAS would want one of his classes to work on a paccman use case.
[AI] (Keith) will contact the professor behind HERAS about whether he may have grad students interested in pursuing some of our use cases
Michael raised the question of how much software is XACML-enabled. There is a chicken-and-egg issue here: if there are no applications using XACML, would it still be useful as a way of keeping a repository of policy information? Keith will put that on the list for future discussion.
*XACML Request Response Protocol*
TomD reports that the XACML Request/Response protocol contains a subject, an action and a resource specifier. The response comes back as yes or no. Chris noted that it is possible to put several requests in one XACML request.
Links to info about XACML request response:
http://download.oracle.com/docs/cd/E12890_01/ales/docs32/installadmin/index.html
http://www.oracle.com/technetwork/middleware/oes/fov-entitlements-server-082362.html
http://www.oracle.com/technetwork/middleware/oes/overview/index.html
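To make the shape of that exchange concrete, here is an added Python example (not from the call, and not OES or any real PDP): it parses a constructed XACML 2.0 request carrying the three standard identifiers, evaluates it against a hypothetical rule list standing in for a real XACML policy, and emits a Response element with the Permit/Deny/NotApplicable decision.

```python
import xml.etree.ElementTree as ET
# XACML 2.0 request/context namespace and the standard identifier attributes.
NS = {"x": "urn:oasis:names:tc:xacml:2.0:context:schema:os"}
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Constructed sample request: who (subject) wants to do what (action) to which resource.
SAMPLE_REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Subject><Attribute AttributeId="{sid}" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>alice@example.edu</AttributeValue></Attribute></Subject>
  <Resource><Attribute AttributeId="{rid}" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>grades-db</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="{aid}" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>read</AttributeValue></Attribute></Action>
  <Environment/>
</Request>""".format(sid=SUBJECT_ID, rid=RESOURCE_ID, aid=ACTION_ID)

# Hypothetical policy as plain tuples rather than a XACML <Policy> document:
# (subject, resource, action, effect). First matching rule wins; no match is NotApplicable.
POLICY = [
    ("alice@example.edu", "grades-db", "read", "Permit"),
    ("alice@example.edu", "grades-db", "write", "Deny"),
]

def parse_request(xml_text):
    """Extract the subject-id, resource-id and action-id values from a XACML 2.0 Request."""
    root = ET.fromstring(xml_text)
    wanted = {"Subject": SUBJECT_ID, "Resource": RESOURCE_ID, "Action": ACTION_ID}
    found = {}
    for section, attr_id in wanted.items():
        for attr in root.findall(f"x:{section}/x:Attribute", NS):
            if attr.get("AttributeId") == attr_id:
                found[section] = attr.findtext("x:AttributeValue", namespaces=NS)
    return found

def decide(request):
    """Toy PDP: the first rule matching all three identifiers decides, else NotApplicable."""
    key = (request.get("Subject"), request.get("Resource"), request.get("Action"))
    for subj, res, act, effect in POLICY:
        if (subj, res, act) == key:
            return effect
    return "NotApplicable"

def build_response(decision):
    """Wrap the decision in a minimal XACML 2.0 Response carrying an OK status."""
    return (f'<Response xmlns="{NS["x"]}"><Result><Decision>{decision}</Decision>'
            '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>'
            '</Result></Response>')

RESPONSE = build_response(decide(parse_request(SAMPLE_REQUEST)))  # Decision: Permit
```

A policy enforcement point should treat any decision other than Permit, including NotApplicable, as a refusal.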
*Internet2 FMM*
The MACE-paccman WG at Internet2 FMM will be Monday Nov. 1 from 10:30 am to 11:45 am
There will be a review of what the paccman working group has done in the last 6 months and then some presentations. Ideas for presentations:
- swim lane diagrams
- SPML
- Rules Engines
There will also be a track session on interesting outcomes from Advance CAMP, called “Bleeding Edge of Identity Management.”
http://events.internet2.edu/2010/fall-mm/agenda.cfm?go=session&id=10001387&event=1159
Next Call: Thurs., Sept. 23, 2010, 1pm ET