08:18:21 RRSAgent has joined #acas
08:18:21 logging to http://www.w3.org/2009/11/18-acas-irc
08:18:32 rrsagent, please set log public
08:18:54 chair: Hal Lockhart
08:19:12 agenda: http://www.w3.org/2009/policy-ws/agenda.html
08:19:21 scribe: tlr
08:19:27 scribenick: tlr
08:19:28 Topic: Hal Lockhart, The State Of Access Control 2009
08:19:31 -> http://www.w3.org/2009/policy-ws/papers/Lockhart.pdf paper
08:20:19 mario has joined #ACAS
08:22:47 elenat has joined #ACAS
08:32:31 carrasco has joined #ACAS
08:48:45 DC: If you don't know where the attributes come from, you don't know whether you can trust them.
08:48:57 ... these statements come from "this party can issue this attribute"
08:49:15 HL: that information exists, it is outside of XACML
08:49:33 DC: you said the SecPAL approach wasn't feasible, and I'm disputing that.
08:49:42 DN: security and privacy of attributes -- is this about certifying attributes?
08:49:46 HL: CARML language
08:49:51 ... look at IGF project on openliberty
08:50:09 ... briefly, idea is instead of specifying on low level "go to this dir, take this attribute" lets you make higher level statements what attributes are used for
08:50:13 ... what properties are etc
08:50:52 RW: What kind of comments did you get for the privacy profile?
08:51:04 HL: That profile is extremely minimal -- just defines purpose attribute
08:51:09 ... developed in 2.0 time frame
08:51:17 ... looked at EPAL, and that looked like it was the only thing we needed to add
08:51:27 ... various references to core spec
08:51:40 PS: purpose is for access control, not privacy
08:51:53 ... restricting access based on purpose is access control, not privacy
08:52:02 RW: depends
08:52:16 TR: It is access control motivated by privacy
08:52:38 HL: healthcare scenarios
08:52:51 ... presentation yesterday was very similar to XSBA (?) demos
08:53:03 ... healthcare profile generated based on @character salad@
08:53:32 ... dealing with things like emergency, etc etc
08:53:44 ... on purpose -- often people say "not sure what people do in the future"
08:53:57 ... but in the case of healthcare, often using specific systems
08:54:08 ... so turns out not to be an issue
08:54:12 PS: emergency -- different policy?
08:54:18 HL: yes, attribute "emergency has been declared"
08:54:23 ... more logging, less checking
08:54:43 GN: purpose is attached to resource as resource attribute -- for which purpose can the resource be accessed
08:54:47 ... shouldn't this be part of the policy?
08:55:08 HL: think the semantic is that it's the purpose for which the data is collected
08:55:14 ... the logic you're talking about is in the policy
08:55:35 GN: there's a purpose attribute associated with the resource, and one in the request; the one in the request needs to be in the list of purposes for the resource
08:56:22 HL: good comment
08:56:26 ... side remark: the work we do is public immediately
08:56:51 ... also, public comments
08:57:36 ... -dev list for developers
08:57:59 ... for XACML, separate list xacml-users which is supposed to be about issues related to design of policies
08:58:13 RW: interested in timing
08:58:19 HL: trying to close the box on 3.0
09:01:03 ... expect selective implementation of profiles instead of giant switch-over
09:01:29 ??: how difficult is it to get a profile accepted?
09:01:34 HL: except for timing -- easy
09:01:39 s/??/FSP
09:01:42 ... in particular when you actually work on it
09:02:00 ... "here's a document, I'm going to edit it" is a good way to get things done
09:03:04 RW: privacy attributes, privacy profile -- how to contribute?
09:04:03 HL: note only the core defines a schema -- administrative stuff uses new elements, those are defined in the core
09:04:12 GN: profiles only come out if new version?
09:04:17 HL: no, XSBA is on its own schedule
09:04:25 ... but some of these things have dependency
09:04:28 s/XSBA/XSPA/
09:04:56 HL: if doesn't impact other things, can move through -- more confusion in marketplace, but deal with
09:05:06 FSP: what about profiles that just use extension points?
09:05:10 HL: no single statement
09:05:19 ... profiles have independent conformance points
09:05:26 ... most require conformance with core as a precondition
09:05:38 ... could use the definitions in export control with whole new policy language
09:05:44 ... no one definition -- profiles can extend, narrow, ...
09:06:24 PS: a bit more what you're looking at for multi and hierarchical
09:06:26 HL: the answer would be long
09:06:28 ... a lot of the comments and the changes proposed came from OGC work
09:06:30 ... in addition to doing geospatial stuff, OGC were the first to using XACML in web services environment, srsly
09:06:48 topic
09:06:50 s/topic//
09:07:11 topic: Bottom-Up approach for Compliance: The MASTER position (Emmanuel Pigout, Philip Miseldine, SAP Research)
09:07:18 -> http://www.w3.org/2009/policy-ws/papers/Pigout.pdf paper
09:07:28 -> http://www.w3.org/2009/policy-ws/slides/Pigout.pdf slides
09:08:23 rrsagent, draft minutes
09:08:23 I have made the request to generate http://www.w3.org/2009/11/18-acas-minutes.html tlr
09:08:32 rrsagent, make record public
09:08:56 Meeting: W3C Workshop on Access Control Application Scenarios
09:25:15 ME: what kind of standardization do you envision?
09:25:24 EP: looking at OASIS as appropriate body
09:25:37 ... not really an ontology; looking at OWL-S, WSMO
09:25:45 ... some work done at the WSDL level to add semantics
09:26:24 GN: what is it you want to standardize?
09:26:25 EP: would like to standardize evidence model
09:26:28 ... how you represent evidence
09:26:36 ??: using PSL formulas to express these
09:26:48 ... quantify what a particular service provides and do direct comparison?
09:26:53 ... or have standard shapes of formulas?
09:26:59 s/??/Nick/
09:27:00 ... how do you benefit from using PSL form?
09:27:11 s/Nick/NP/
09:27:29 EP: policy -> PSL through BPEL annotations
09:27:52 ... advantage of PSL is that in MASTER, at design time doing pi calculus, can do formal verification
09:28:14 ... able to verify
09:28:48 ... PSL can be translated
09:29:05 NP: Do you know work by Michael Gillieaux (sp?)?
09:29:19 EP: MASTER works together with TAS3 and PrimeLife
09:29:33 ... compliance -- glue between trust, privacy etc
09:29:49 Maike Gilliot
09:30:00 s/Michael Gillieaux/Maike Gilliot/
09:30:23 EP: ultimate purpose is to show that business is under control
09:30:37 Topic: coffee
09:58:04 dsr has joined #acas
10:05:59 mib_rk6xfm has joined #ACAS
10:09:21 carrasco has joined #ACAS
10:10:06 Topic: Towards Standardization of Distributed Access Contro
10:10:18 s/Contro/Control
10:14:22 -> http://www.w3.org/2009/policy-ws/papers/Lischka.pdf paper
10:16:45 scribe: rigo
10:16:51 scribenick: rigo
10:23:08 you will lose obligations
10:23:42 ML: aggregation also suppresses ??
10:24:38 ... combination of various attributes, we don't do, we only do aggregation on one attribute, remains linear, check for circular refs
10:24:56 DC: if refer and refer, how would you know
10:25:04 ML: we do a dept search first
10:25:19 s/dept/depth
10:25:37 NP: do you compare on syntax or on something?
10:25:44 HL: just compare decisions
10:25:53 ML: and send them around PDPs
10:28:03 ME: model you're applying, is it true that root on top takes the decision for all the subnotes?
10:28:21 ML: basically yes, but we can also combine and decide on a lower level
10:28:47 HL: you're using the known policy evaluation mechanism
10:29:29 ....multiple PDP discussed a while ago, wasn't taken any further, standards people are reluctant to take complexity on where there is no clear need..
10:29:54 ...I don't know how you approach distribution
10:30:05 ML: the PIP is querying
10:30:28 HL: don't want to specify distribution in the policy, you want to do that separately
10:30:50 ML: consider different users are querying, first operator is different for each user
10:30:57 ...that's why we made it dynamic
10:31:05 HL: doing runtime resolution
10:31:10 ML: yes
10:31:34 MK: ??
10:31:50 ML: Secpal has no negative negations,
10:31:57 MK: datalog?
10:32:22 ML: we are purely based on XACML, negation solved by grant/deny
10:32:34 MK: what do you use for verification for privacy?
10:32:45 ML: as difficult as for the standard
10:32:45 (secpal has open world assumption)
10:34:30 Topic: Towards Modelling and Verifying Dynamic Access Control Policies for Web-based Collaborative Systems
10:34:37 rrsagent, pointer?
10:34:37 See http://www.w3.org/2009/11/18-acas-irc#T10-34-37
10:39:53 mario has joined #ACAS
10:48:22 HL: question is if you always end up with the concrete model or whether you get abstraction
10:48:46 MK: in many cases there are abstractions
10:49:16 ME: example policy, how can the formal system find out the weaknesses without knowing the security goals
10:49:29 MK: you should know the spec of your systems
10:50:27 ...many more complicated systems. In more complex systems, you still are complex, but you can get some abstraction. At some point you can export from this to XACML
10:52:00 AM: it is possible to model XACML, problem is to find out how to prevent attack. if there is no relation between paper and eve. Now if charly comes on, if eve has already relation to paper p, deny. Can model this with XACML.
10:52:39 DC: issue, if you write a policy and you don't yet about the issue, you can't say
10:53:09 MK: there are other steps they don't know and the formal model helps to discover
10:53:21 ...may be only considered one way, there more
10:53:48 RA: finding ways for violation, so no policy specification
10:53:59 MK: can verify in the verification language
10:54:33 HL: properties: nobody can review their own paper...
10:54:44 ..state the properties you are stating
10:54:50 DC: if you haven
10:55:05 ..t thought about the attack, you won't get to it
10:55:44 HL: someone ran a model against our model, has that hole because of that property and I said, you just assume it has that property
10:55:57 NP: tool has own language?
10:56:00 MK: yes
10:56:19 ML: what is the key diff between datalog or secpal
10:56:47 MK: we don't use secpal or datalog, because doesn't work with our model
10:56:55 ML: advantage of X-Policy
10:57:52 MK: policy is expressive in web scenarios, in verification part, we check it with a model
10:58:05 ...cannot implement with standard model checkers
10:58:19 LB: what doesn't work with Secpal
10:58:49 MK: some tokens are permitted or denied, we change state dynamically, secpal is stateless
10:59:02 ML: you make evaluation at each request?
10:59:27 MK: each request changes the state of the system, looking for credential in different states
10:59:45 ML: requested subreviewing is a state?
11:00:17 LB: with Secpal you can specify duty, verification of properties is out of scope
11:00:40 DC: we have stateful PDP, records state. It is possible to build it
11:00:44 HL: does it scale
11:00:52 DC: well.....
11:01:06 HL: general problem with duties and large scale systems
11:04:41 Topic: discussion
11:04:42 ================================
11:05:16 HL: standardization is not a goal in itself, if there
11:05:31 ...define extension in the schema but profile the implementation
11:06:19 ...bottom up place, charter constraint is on access control, as long as it is consistent with work
11:06:51 ....I have concerns about attributes, that's where people are blocked, instead of all people around solving only for themselves
11:07:12 ....so much done in the past, we should explore that
11:07:51 ....specs are built with extension points, so that company, some industry branches can use them
11:08:28 ....how many people do implement? Only if it is sufficiently broad, should go to TC, but we are not gatekeepers
11:08:46 ...OGC is done in OGC is good example
11:09:26 TCB: different policy languages for spec.. All of these languages
11:10:26 DC: this is where I want XACML to loosen up. Wire Protocol is key. allows you to do many things. One standard request response context, we can merge many of that
11:10:55 HL: yesterday provision of dynamic policies, generalization would be easy
11:11:06 DC: extension would be policy-type
11:11:13 ...just element-any as a choice
11:11:32 HL: imagine people could agree on that as it is such low impact
11:11:47 ...so many customers don't do schema-checking, too much cost
11:12:01 ...if you could make that suggestion to comment list
11:13:08 AM: wire prot. good, in OGC, when you pass in auth decision request, it contains many position descriptions, big number of points. You're blowing up the request
11:13:52 ...people were asking to put this in policy instead and instruct PDP to go get the data over there
11:14:29 HL: don't get confused with packaging/implementation and model. Any implementation will have the possibility to go fetching, but it is not efficient
11:14:59 ...I have lots of environments that need high performance, so remote PDP wouldn't work
11:15:21 ...so just come into TC and push for your solution
11:15:47 ...things happen because there are champions
11:17:23 ...for 3.0 you can have policies about policies. creating dynamic policies, evaluated only in the context of that request
11:17:48 ...when we define the schema, has to be XACML policy, DC wants any policy
11:18:02 AM: want where the attribute can be fetched
11:18:25 mari1 has joined #ACAS
11:18:25 HL: question is where you want to attach it, outside the policy
11:18:57 AM: outside the PDP, only selector and designator, if in the request context we would have URI
11:19:04 ...PDP would go and get..
11:19:44 HL: if selector and fetch group attribute, in discover that you need to get that from elsewhere, then go get it, but not in the policy
11:20:01 AM: how to fetch is in the request context
11:20:17 DC: PIP lift context. We have a paper on it.
11:20:29 HL: References instead of values
11:21:11 RW: this is what the SW is about
11:21:29 AM: different context
11:21:44 HL: URI is a supported data type
11:21:54 AM: you have to define what it means
11:22:10 DC: environment attribute, then pass on URI
11:22:36 AM: you need to know what it is, so you have to specify in the request
11:22:47 ...has 3.0 covered everything?
11:23:08 DC: we covered in a way that it is conformant, but there is no standard way of doing
11:23:15 ...done that in OGF
11:23:54 ...GFD 157 GFD 159 as specifications from OGF
11:24:37 HL: most common argument I hear that XACML is too complicated, now I hear not complex enough?
11:25:21 RW: fetch attributes
11:25:31 AM: put references where to fetch
11:25:48 HL: whether you sent request or information in the request
11:26:26 AM: mobile client, mobile client needs to get context, that would explode mobile device,
11:26:55 ...ref would allow you to discover that you're still in same request context, could be localhost
11:27:23 AM: attribute ref, URI, then PDP does it
11:27:42 HL: server has PDP and PIP and PIP is fetching
11:27:57 TCB: localhost as default and other info in that place
11:29:50 RW: how to connect SW
11:30:13 HL: PDP type information
11:30:20 s/localhost as default and other info in that place/the URI should not be localhost/
11:30:45 ML: only thing you want to have is a comparison thing
11:30:53 Something taking into account http://www.w3.org/DesignIssues/LinkedData.html
11:31:05 ...otherwise you only want to have a name attribute value pair
11:31:39 HL: function go over to this guy who understands... hasn't been explored so far
11:32:07 ...XACML doesn't know anything about it, it's about strings as long as
11:32:24 Elena: XML doesn't allow to express relationships
11:32:42 ...if the subject would be expressed in RDF, the relations could also be protected
11:33:59 DSR: relationship is just a resource
11:34:10 HL: could treat as resource, you have actions on it
11:34:57 GN: Relation in a social network is different from RDF relations
11:35:17 HL: you can model that as actions on resources, change persistent state on resources
11:35:30 =============================
11:35:35 rrsagent, make minutes
11:35:35 I have made the request to generate http://www.w3.org/2009/11/18-acas-minutes.html dsr
11:36:00 mario has joined #ACAS
11:36:19 s/Elena/Anna/
12:13:12 renato has joined #acas
12:33:57 tlr has joined #acas
13:18:53 scribe: carine
13:18:59 scribenick: caribou
13:19:33 Topic: Extending XACML for Open Web-based Scenarios, Pierangela Samarati
13:19:47 -> http://www.w3.org/2009/policy-ws/papers/Samarati.pdf paper
13:22:25 mario has joined #ACAS
13:22:55 carrasco has joined #ACAS
13:24:32 RW: is propagation of AC part of your scope?
13:24:49 DC: OAuth?
13:25:11 PS: we will discuss this
13:32:19 mib_l3n81s has joined #ACAS
13:45:18 Perhaps it would be better for the policy to separate the condition e.g. age > 18 from the accepted means to prove that
13:45:43 Photos http://sn.im/xacml
13:49:14 this would allow the user agent to determine which means would minimize disclosure of personal data
13:49:37 PS: fancy negotiation doesn't work, need user interaction and reasoning and abstractions
13:50:22 HL: your 4 goals are independent from each other?
13:51:28 PS: abstractions and recursive reasoning are very much related to each other
13:51:55 RW: if you use ontologies you can use SPARQL for reasoning
13:52:38 PS: it's time to have a way to communicate the policy to the user
13:53:02 RW: there's a // activity at MIT called PAW (Policy-Aware Web)
13:54:47 PS: either you request the client to present everything, or you ask only if you don't find something
13:55:35 PS: closed-world assumption is if you don't have my age you deny access
13:55:46 ... you should have to way to ask
13:56:20 DC: just present a bunch of referrals instead of attributes
13:56:32 ... you have to trust the system not to pick too much
13:56:48 PS: a user proxy, e.g. wallet full of certificates?
13:57:13 DC: no, just present available referral
13:57:39 s/referral/referrals
13:58:11 PS: then you need to tell a proxy all the referrals, and associated policies
13:58:56 DC: all my attributes are asserted by 3rd parties
13:59:14 ... I only give the list of third parties you can get the attributes from
13:59:48 PS: I should not even be disclosing that I have attributes
14:00:08 DSR: the user wants to know why the service is asking the information
14:00:37 ... if I give a list of what I could provide, it's much more than needed
14:01:20 GN: reasons for not storing at the server
14:01:28 ... you have to go back to the user
14:01:40 DC: pull-model is an alternative
14:02:06 PS: but the issue here is support for the server not to reveal everything to the user
14:02:11 ...need dialog for this
14:04:08 DC: in the pull-model, the conditions are not revealed to the user
14:04:24 [debate over privacy of the user vs. privacy of the server]
14:05:01 Topic: Obligation standardization, David Chadwick
14:05:11 -> http://www.w3.org/2009/policy-ws/papers/Chadwick.pdf paper
14:09:46 DC: [describing what's missing in XACML]
14:20:08 -> http://www.w3.org/2009/policy-ws/slides/Chadwick.pdf slides
14:22:02 HL: I would like to see a list of obligations
14:24:52 HL: the PDP does not agree, it's just doing predefined processing
14:25:21 ... we don't have a model for the subject in the AC model
14:26:07 ML: the PDP is not doing semantic specific things
14:26:14 ... just checking
14:27:21 ML: 5 types of relations between obligations = unrelated, conflict, contradiction, inclusion, subordinated
14:28:39 RW: sorry for repeating. in P3P, caching, ordered statements
14:29:00 ... even if it was simple to read, the ordered thing confused people
14:29:49 ML: in the policy itself you have relations?
14:30:24 ... obligations are ordered in execution order?
14:30:34 RW: it does not have obligations
14:31:45 ML: we specify relations because we can't specify order
14:32:13 ... but we can easily describe the relations (thx to a unique ID)
14:38:03 [HL showing a slide "obligation families"]
14:38:59 RW: work on obligations in PRIMCluster
14:39:17 ... Feed that to the XACML TC
14:39:47 HL: XACML TC has a history of submitted material
14:40:17 HL will send a pointer to this, Rigo to relay to PRIMCluster
14:40:35 === coffee break ===
14:41:46 see http://wiki.oasis-open.org/xacml/ProposalForObligations
14:49:42 obligation family draft
14:49:45 http://www.oasis-open.org/committees/download.php/27230/xacml-3.0-obligation-v1-wd-03.zip
15:03:23 we resume after the break
15:03:27 scribe: dsr
15:04:19 Topic: Credential-Based Access Control Extensions to XACML, (slides) Jan Camenisch, Sebastian Mödersheim, Gregory Neven, Franz-Stefan Preiss, and Dieter Sommer, IBM Research – Zurich, Switzerland
15:04:38 slides: http://www.w3.org/2009/policy-ws/slides/Neven%20credential-based.pdf
15:05:17 GN steps up to the podium to give the first of 2 talks
15:07:09 mario has joined #ACAS
15:09:00 Scribe: dsr
15:10:48 carrasco has joined #ACAS
15:17:55 GN: we want to move away from disclosing your identity to proving selected attributes as needed for the task in hand
15:18:06 HL: XACML has been that way from the start
15:19:02 GN: a concert ticket can be considered as a kind of credential
15:19:24 HL: there is a large literature on this that refers to that as a capability
15:20:36 DC: you probably mean trusted LDAP rather than LDAP since there is no trust model for data retrieved from a vanilla LDAP server
15:20:43 GN: yes
15:22:10 GN: one question for different solutions is whether attributes are dynamic or static, and can they be authenticated
15:22:41 (see slide 9)
15:24:55 GN: reference to an attribute as {id, issuer} may not be sufficient, you also want to know the credential type involved
15:25:39 DC: you could cover this in an ontology that defines abstract types
15:26:22 HL: you can define an attribute type as {id, issue, credential} if you want
15:27:34 GN: sometimes it is critical that several attributes are from the same credential, e.g. credit card and expiry date
15:28:02 DC: better example first name and last name
15:28:46 GN: say you want to establish that your name is the same on two credentials but not to disclose your name
15:30:16 GN shows example policy (slide 11)
15:32:39 GN proposes use of SAML to carry conditions on attributes and provisional actions
15:33:01 This is to convey this information to a user agent (a client)
15:34:26 HL: any kind of credential has to be bound to the issuer, and a request/session
15:35:06 One of the issue features is called "holder of key"
15:35:39 HL and GN to take the details offline
15:36:38 GN: SAML needs extension to support any kind of proof token and not be restricted to XML signature
15:37:31 (DSR agrees with GN that authentication shouldn't be part of the access control directly, and should be instead associated metadata)
15:39:00 ??: What is the difference from X.509?
15:39:18 s/??/TCB
15:39:20 GN: we add a treatment of privacy
15:40:20 GN: we are proposing a generalization of existing technologies for use in access control
15:41:04 GN: X.509 is a special case of credential
15:41:42 Topic: PrimeLife Policy Language
15:41:53 slides: http://www.w3.org/2009/policy-ws/slides/Neven%20PrimeLife.pdf
15:43:53 GN introduces scenario of data subject communicating with data controller (slide 2)
15:45:07 Slide 3 introduces role of XACML for policies and SAML for conveying info
15:47:12 Sticky policy is an agreement of what data controller may do and must do in relation to data subject's personal data
15:48:03 s/of/on/
15:49:47 tlr has joined #acas
15:50:42 Slide 8 summarises authorizations and access control. Note role of downstream access control
15:51:18 "aliens landing on earth" ?
15:52:07 an example of predefined trigger...
15:53:29 AM: XACML is a good standard, but there is an open hook for obligations, we need to reach interoperable standards for these
15:54:24 HL: that is a separate work item from XACML
15:54:52 HL: trying to standardize all possibilities would be a never ending task
15:55:26 AM: in OTC we're thinking of a registry binding URIs to meanings
15:55:57 HL: the most we could do in OASIS is a core set, but no interest in managing a registry
15:56:31 RW: social process to agree on terms
15:56:56 HL: there will always be things you forgot to specify, some wiggle room is needed
15:57:33 TCB: standards are about nailing things down, options work against interoperability
15:58:53 ML: binding language extensions to specs
16:00:08 RW: obligation element provides an extension point. Experience from PrimeLife shows that matching is important to a binding agreement
16:00:58 We should allow this world to be open and not closed (i.e. extensible)
16:02:12 At some point in time the various parties need to reach agreement to achieve interoperability
16:02:36 e.g. "must understand" conditions
16:03:26 AM: such agreements can use references to the share semantics
16:03:36 s/share/shared/
16:04:16 RW: how can we bridge communities to support re-use of Semantic Web definitions?
16:05:09 AM: we need an attribute which references shared semantics, or which is left out for proprietary semantics
16:05:54 HL: currently XACML spec doesn't require the attribute to be de-reference-able
16:06:37 RW: no need to change the schema, we just need to redefine the meaning of id
16:07:00 AM: differentiate between identifier and concept
16:07:19 (i.e. between a name for a concept and the concept itself)
16:07:58 s/OTC/OGC/
16:08:58 AM: asking for a possibility for an attribute for a URI that could be dereferenceable.
16:09:14 HL: why not just use a XACML reference (a URN)
16:09:43 TCB: it should be a URI
16:09:49 HL: It is defined as a URI
16:10:32 RW: what AM means is that OGC can define a URI for a set of meanings
16:11:02 HL: you wouldn't need to do that very often
16:11:26 RW: you wouldn't need to dereference the URI on every use
16:11:48 (caching/expiry metadata)
16:13:01 ML: wrt XACML triggers would be defined as elements within obligations?
16:13:13 GN: yes (showing example on slide 10)
16:13:53 AM: are there any WS-* standards that could help?
16:14:02 RW: WS-Policy?
16:14:04 HL: no
16:14:58 GN: slide 9 defines semantics for formal matching
16:15:13 HL: not just matching, rather partial ordering
16:15:15 GN: yes
16:16:10 HL: anyone want to make closing remarks on what should be included in workshop report?
16:17:07 tlr has joined #acas
16:17:14 AM raises issue of shared semantics for terms like delivery which can be used by both parties
16:17:30 GN: we use URIs to point to P3P vocabulary
16:17:55 RW: we could introduce a formal ontology for a richer vocabulary
16:19:11 HL thanks everyone for participating and contributing to the workshop.
16:20:51 FSP: approached HAL to see how much work would be involved in getting OASIS XACML TC to accept a profile including the PrimeLife ideas.
16:21:02 HL: does this extend the PrimeLife schema?
16:21:13 FSP: yes, slightly
16:21:55 HL: we're trying to close of XACML 3.0, so the mindset of the TC is likely to be unwelcoming to changes
16:22:02 s/of/off/
16:22:03 Example (mutatis mutandis) http://www.iana.org/protocols http://www.iana.org/assignments/language-subtag-registry
16:22:35 HL: you would get more attention after our next face to face
16:23:52 AM: as long as the core isn't changed, it isn't a real problem, right?
16:23:54 HL: yes
16:24:13 end of workshop
16:24:27 rrsagent, make minutes
16:24:27 I have made the request to generate http://www.w3.org/2009/11/18-acas-minutes.html dsr
16:25:35 caribou has left #acas