OASIS eXtensible Access Control Markup Language (XACML) TC

Can someone answer this gentleman from http://public.eu-egee.org/.
Thanks,
Dee

-----Original Message-----
From: Yuri Demchenko [mailto:demch@chello.nl] 
Sent: Wednesday, March 05, 2008 4:52 AM
To: xacml-dev mailing list
Cc: Dee Schur; ggebel@burtongroup.com
Subject: InterOp and Attribute Identifiers? - Re: [xacml-users] OASIS XACML
InterOp Demo, RSA 2008, San Francisco, California, USA, April 7-11 2008

Hi Dee,
Hi Gerry,

Very interesting event!

Actually this announcement triggered my request to the list about 
defining new attribute and obligation identifiers (see my message of 
March 4, 2007, "Subject: [xacml-dev] Any rules/regulations for defining 
new AttributeId...")

Can you or somebody from potential interopers advice on the best 
practice for defining common attribute and obligation identifiers?

In particular, using OASIS prefix "urn:oasis:names:tc:xacml:2.0:" vs own 
namespace vs URL style?

Regards,

Yuri Demchenko
UvA, EGEE Project


Dee Schur wrote:
> 
> OASIS XACML InterOp Demo, RSA Conference 2008, San Francisco, California,
> USA, April 7-11 2008, Booths 132-136
> 
> The eXtensible Access Control Markup Language (XACML) 2.0 OASIS Standard
has
> emerged as a front runner in solving complex access control problems in
the
> enterprise. Unlike the approach taken by proprietary access control lists
> (ACL), XACML is an industry accepted standard that provides a well defined
> structure to create rules and policy sets to make complex authorization
> decisions.  Enterprise practitioners have wished for greater
> interoperability between products that support the XACML OASIS Standard.
> 
> At the RSA Conference 2008 in San Francisco, April 7-11, nine
organizations
> will come together to demonstrate interoperability of the eXtensible
Access
> Control Markup Language (XACML) 2.0 OASIS Standard. Simulating a real
world
> scenario provided by the U.S Department of Veterans Affairs; the demo will
> show how XACML ensures successful authorization decision requests and the
> exchange of authorization policies. Participants include:
> 
> .     Axiomatics
> .     BEA Systems
> .     IBM
> .     Oracle
> .     Red Hat
> .     Cisco
> .     Sun Microsystems
> .     U.S. Department of Veterans Affairs
> 
> The Interoperability Demonstration will utilize the requirements drawn in
> the Healthcare industry based on work done at the U.S. Department of
> Veterans Affairs, HL7, ASTM and ANSI.  The requirements include Role-Based
> Access Control (RBAC), Privacy Protections, Structured and Functional
Roles,
> Consent Codes, Emergency Overrides and Filtering of Sensitive Data. The
> demonstration will highlight how XACML Obligations can provide additional
> capabilities in the policy decision making process, while taking the
health
> care scenarios as example. Technical details of the demonstration,
including
> Interoperability Configuration, Policy Decision Request and Policy
> Interoperability, Roles and Privileges Modeling, Usage of XACML
Obligations
> and SAML Identity Providers will be highlighted.
> 
> The demonstration will occur in Booths 132-136 beginning April 7, 2008
> during Expo hours. There will be an opportunity for the RSA 2008 attendees
> to interact with the participating technologists.
> 
> ***Please distribute to colleagues**
> 
> For more information contact: jane.harnad@oasis-open.org or
> dee.schur@oasis-open.org
> 
> 
> 
> 
> --
> Gerry Gebel | VP & Service Director | Identity and Privacy Strategies |
> 

Yuri,

You should not use the oasis namespace. That's for us. :-) You might 
collide into something in the future.

If you own a piece of the urn: namespace, that would be fine I guess. 
Personally, I wouldn't just make up an urn with my own name in it. The 
list of registered namespaces seem to be here:

http://www.iana.org/assignments/urn-namespaces

So, I suggest that you use an URL which you own.

Regards,
Erik


Dee Schur wrote:
> Can someone answer this gentleman from http://public.eu-egee.org/.
> Thanks,
> Dee
>
> -----Original Message-----
> From: Yuri Demchenko [mailto:demch@chello.nl] 
> Sent: Wednesday, March 05, 2008 4:52 AM
> To: xacml-dev mailing list
> Cc: Dee Schur; ggebel@burtongroup.com
> Subject: InterOp and Attribute Identifiers? - Re: [xacml-users] OASIS XACML
> InterOp Demo, RSA 2008, San Francisco, California, USA, April 7-11 2008
>
> Hi Dee,
> Hi Gerry,
>
> Very interesting event!
>
> Actually this announcement triggered my request to the list about 
> defining new attribute and obligation identifiers (see my message of 
> March 4, 2007, "Subject: [xacml-dev] Any rules/regulations for defining 
> new AttributeId...")
>
> Can you or somebody from potential interopers advice on the best 
> practice for defining common attribute and obligation identifiers?
>
> In particular, using OASIS prefix "urn:oasis:names:tc:xacml:2.0:" vs own 
> namespace vs URL style?
>
> Regards,
>
> Yuri Demchenko
> UvA, EGEE Project
>
>
> Dee Schur wrote:
>   
>> OASIS XACML InterOp Demo, RSA Conference 2008, San Francisco, California,
>> USA, April 7-11 2008, Booths 132-136
>>
>> The eXtensible Access Control Markup Language (XACML) 2.0 OASIS Standard
>>     
> has
>   
>> emerged as a front runner in solving complex access control problems in
>>     
> the
>   
>> enterprise. Unlike the approach taken by proprietary access control lists
>> (ACL), XACML is an industry accepted standard that provides a well defined
>> structure to create rules and policy sets to make complex authorization
>> decisions.  Enterprise practitioners have wished for greater
>> interoperability between products that support the XACML OASIS Standard.
>>
>> At the RSA Conference 2008 in San Francisco, April 7-11, nine
>>     
> organizations
>   
>> will come together to demonstrate interoperability of the eXtensible
>>     
> Access
>   
>> Control Markup Language (XACML) 2.0 OASIS Standard. Simulating a real
>>     
> world
>   
>> scenario provided by the U.S Department of Veterans Affairs; the demo will
>> show how XACML ensures successful authorization decision requests and the
>> exchange of authorization policies. Participants include:
>>
>> .     Axiomatics
>> .     BEA Systems
>> .     IBM
>> .     Oracle
>> .     Red Hat
>> .     Cisco
>> .     Sun Microsystems
>> .     U.S. Department of Veterans Affairs
>>
>> The Interoperability Demonstration will utilize the requirements drawn in
>> the Healthcare industry based on work done at the U.S. Department of
>> Veterans Affairs, HL7, ASTM and ANSI.  The requirements include Role-Based
>> Access Control (RBAC), Privacy Protections, Structured and Functional
>>     
> Roles,
>   
>> Consent Codes, Emergency Overrides and Filtering of Sensitive Data. The
>> demonstration will highlight how XACML Obligations can provide additional
>> capabilities in the policy decision making process, while taking the
>>     
> health
>   
>> care scenarios as example. Technical details of the demonstration,
>>     
> including
>   
>> Interoperability Configuration, Policy Decision Request and Policy
>> Interoperability, Roles and Privileges Modeling, Usage of XACML
>>     
> Obligations
>   
>> and SAML Identity Providers will be highlighted.
>>
>> The demonstration will occur in Booths 132-136 beginning April 7, 2008
>> during Expo hours. There will be an opportunity for the RSA 2008 attendees
>> to interact with the participating technologists.
>>
>> ***Please distribute to colleagues**
>>
>> For more information contact: jane.harnad@oasis-open.org or
>> dee.schur@oasis-open.org
>>
>>
>>
>>
>> --
>> Gerry Gebel | VP & Service Director | Identity and Privacy Strategies |
>> 

Honestly, this needs to go on a FAQ on the xacml site.

Erik Rissanen wrote:
> Yuri,
> 
> You should not use the oasis namespace. That's for us. :-) You might 
> collide into something in the future.
> 
> If you own a piece of the urn: namespace, that would be fine I guess. 
> Personally, I wouldn't just make up an urn with my own name in it. The 
> list of registered namespaces seem to be here:
> 
> http://www.iana.org/assignments/urn-namespaces
> 
> So, I suggest that you use an URL which you own.
> 
> Regards,
> Erik
> 
> 
> Dee Schur wrote:
>> Can someone answer this gentleman from http://public.eu-egee.org/.
>> Thanks,
>> Dee
>>
>> -----Original Message-----
>> From: Yuri Demchenko [mailto:demch@chello.nl] Sent: Wednesday, March 
>> 05, 2008 4:52 AM
>> To: xacml-dev mailing list
>> Cc: Dee Schur; ggebel@burtongroup.com
>> Subject: InterOp and Attribute Identifiers? - Re: [xacml-users] OASIS 
>> XACML
>> InterOp Demo, RSA 2008, San Francisco, California, USA, April 7-11 2008
>>
>> Hi Dee,
>> Hi Gerry,
>>
>> Very interesting event!
>>
>> Actually this announcement triggered my request to the list about 
>> defining new attribute and obligation identifiers (see my message of 
>> March 4, 2007, "Subject: [xacml-dev] Any rules/regulations for 
>> defining new AttributeId...")
>>
>> Can you or somebody from potential interopers advice on the best 
>> practice for defining common attribute and obligation identifiers?
>>
>> In particular, using OASIS prefix "urn:oasis:names:tc:xacml:2.0:" vs 
>> own namespace vs URL style?
>>
>> Regards,
>>
>> Yuri Demchenko
>> UvA, EGEE Project
>>
>>
>> Dee Schur wrote:
>>  
>>> OASIS XACML InterOp Demo, RSA Conference 2008, San Francisco, 
>>> California,
>>> USA, April 7-11 2008, Booths 132-136
>>>
>>> The eXtensible Access Control Markup Language (XACML) 2.0 OASIS Standard
>>>     
>> has
>>  
>>> emerged as a front runner in solving complex access control problems in
>>>     
>> the
>>  
>>> enterprise. Unlike the approach taken by proprietary access control 
>>> lists
>>> (ACL), XACML is an industry accepted standard that provides a well 
>>> defined
>>> structure to create rules and policy sets to make complex authorization
>>> decisions.  Enterprise practitioners have wished for greater
>>> interoperability between products that support the XACML OASIS Standard.
>>>
>>> At the RSA Conference 2008 in San Francisco, April 7-11, nine
>>>     
>> organizations
>>  
>>> will come together to demonstrate interoperability of the eXtensible
>>>     
>> Access
>>  
>>> Control Markup Language (XACML) 2.0 OASIS Standard. Simulating a real
>>>     
>> world
>>  
>>> scenario provided by the U.S Department of Veterans Affairs; the demo 
>>> will
>>> show how XACML ensures successful authorization decision requests and 
>>> the
>>> exchange of authorization policies. Participants include:
>>>
>>> .     Axiomatics
>>> .     BEA Systems
>>> .     IBM
>>> .     Oracle
>>> .     Red Hat
>>> .     Cisco
>>> .     Sun Microsystems
>>> .     U.S. Department of Veterans Affairs
>>>
>>> The Interoperability Demonstration will utilize the requirements 
>>> drawn in
>>> the Healthcare industry based on work done at the U.S. Department of
>>> Veterans Affairs, HL7, ASTM and ANSI.  The requirements include 
>>> Role-Based
>>> Access Control (RBAC), Privacy Protections, Structured and Functional
>>>     
>> Roles,
>>  
>>> Consent Codes, Emergency Overrides and Filtering of Sensitive Data. The
>>> demonstration will highlight how XACML Obligations can provide 
>>> additional
>>> capabilities in the policy decision making process, while taking the
>>>     
>> health
>>  
>>> care scenarios as example. Technical details of the demonstration,
>>>     
>> including
>>  
>>> Interoperability Configuration, Policy Decision Request and Policy
>>> Interoperability, Roles and Privileges Modeling, Usage of XACML
>>>     
>> Obligations
>>  
>>> and SAML Identity Providers will be highlighted.
>>>
>>> The demonstration will occur in Booths 132-136 beginning April 7, 2008
>>> during Expo hours. There will be an opportunity for the RSA 2008 
>>> attendees
>>> to interact with the participating technologists.
>>>
>>> ***Please distribute to colleagues**
>>>
>>> For more information contact: jane.harnad@oasis-open.org or
>>> dee.schur@oasis-open.org
>>>
>>>
>>>

Strongly agree.
Dee

-----Original Message-----
From: Anil Saldhana [mailto:Anil.Saldhana@redhat.com] 
Sent: Wednesday, March 05, 2008 4:31 PM
Cc: XACML TC
Subject: Re: [xacml] FW: InterOp and Attribute Identifiers? - Re:
[xacml-users] OASIS XACML InterOp Demo, RSA 2008, San Francisco, California,
USA, April 7-11 2008

Honestly, this needs to go on a FAQ on the xacml site.

Erik Rissanen wrote:
> Yuri,
> 
> You should not use the oasis namespace. That's for us. :-) You might 
> collide into something in the future.
> 
> If you own a piece of the urn: namespace, that would be fine I guess. 
> Personally, I wouldn't just make up an urn with my own name in it. The 
> list of registered namespaces seem to be here:
> 
> http://www.iana.org/assignments/urn-namespaces
> 
> So, I suggest that you use an URL which you own.
> 
> Regards,
> Erik
> 
> 
> Dee Schur wrote:
>> Can someone answer this gentleman from http://public.eu-egee.org/.
>> Thanks,
>> Dee
>>
>> -----Original Message-----
>> From: Yuri Demchenko [mailto:demch@chello.nl] Sent: Wednesday, March 
>> 05, 2008 4:52 AM
>> To: xacml-dev mailing list
>> Cc: Dee Schur; ggebel@burtongroup.com
>> Subject: InterOp and Attribute Identifiers? - Re: [xacml-users] OASIS 
>> XACML
>> InterOp Demo, RSA 2008, San Francisco, California, USA, April 7-11 2008
>>
>> Hi Dee,
>> Hi Gerry,
>>
>> Very interesting event!
>>
>> Actually this announcement triggered my request to the list about 
>> defining new attribute and obligation identifiers (see my message of 
>> March 4, 2007, "Subject: [xacml-dev] Any rules/regulations for 
>> defining new AttributeId...")
>>
>> Can you or somebody from potential interopers advice on the best 
>> practice for defining common attribute and obligation identifiers?
>>
>> In particular, using OASIS prefix "urn:oasis:names:tc:xacml:2.0:" vs 
>> own namespace vs URL style?
>>
>> Regards,
>>
>> Yuri Demchenko
>> UvA, EGEE Project
>>
>>
>> Dee Schur wrote:
>>  
>>> OASIS XACML InterOp Demo, RSA Conference 2008, San Francisco, 
>>> California,
>>> USA, April 7-11 2008, Booths 132-136
>>>
>>> The eXtensible Access Control Markup Language (XACML) 2.0 OASIS Standard
>>>     
>> has
>>  
>>> emerged as a front runner in solving complex access control problems in
>>>     
>> the
>>  
>>> enterprise. Unlike the approach taken by proprietary access control 
>>> lists
>>> (ACL), XACML is an industry accepted standard that provides a well 
>>> defined
>>> structure to create rules and policy sets to make complex authorization
>>> decisions.  Enterprise practitioners have wished for greater
>>> interoperability between products that support the XACML OASIS Standard.
>>>
>>> At the RSA Conference 2008 in San Francisco, April 7-11, nine
>>>     
>> organizations
>>  
>>> will come together to demonstrate interoperability of the eXtensible
>>>     
>> Access
>>  
>>> Control Markup Language (XACML) 2.0 OASIS Standard. Simulating a real
>>>     
>> world
>>  
>>> scenario provided by the U.S Department of Veterans Affairs; the demo 
>>> will
>>> show how XACML ensures successful authorization decision requests and 
>>> the
>>> exchange of authorization policies. Participants include:
>>>
>>> .     Axiomatics
>>> .     BEA Systems
>>> .     IBM
>>> .     Oracle
>>> .     Red Hat
>>> .     Cisco
>>> .     Sun Microsystems
>>> .     U.S. Department of Veterans Affairs
>>>
>>> The Interoperability Demonstration will utilize the requirements 
>>> drawn in
>>> the Healthcare industry based on work done at the U.S. Department of
>>> Veterans Affairs, HL7, ASTM and ANSI.  The requirements include 
>>> Role-Based
>>> Access Control (RBAC), Privacy Protections, Structured and Functional
>>>     
>> Roles,
>>  
>>> Consent Codes, Emergency Overrides and Filtering of Sensitive Data. The
>>> demonstration will highlight how XACML Obligations can provide 
>>> additional
>>> capabilities in the policy decision making process, while taking the
>>>     
>> health
>>  
>>> care scenarios as example. Technical details of the demonstration,
>>>     
>> including
>>  
>>> Interoperability Configuration, Policy Decision Request and Policy
>>> Interoperability, Roles and Privileges Modeling, Usage of XACML
>>>     
>> Obligations
>>  
>>> and SAML Identity Providers will be highlighted.
>>>
>>> The demonstration will occur in Booths 132-136 beginning April 7, 2008
>>> during Expo hours. There will be an opportunity for the RSA 2008 
>>> attendees
>>> to interact with the participating technologists.
>>>
>>> ***Please distribute to colleagues**
>>>
>>> For more information contact: jane.harnad@oasis-open.org or
>>> dee.schur@oasis-open.org
>>>
>>>
>>>

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  You may a link to this group and all your TCs in OASIS
at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 

See below...

Dee Schur wrote:
> Can someone answer this gentleman from http://public.eu-egee.org/.
> Thanks,
> Dee
>
> -----Original Message-----
> From: Yuri Demchenko [mailto:demch@chello.nl]
> Sent: Wednesday, March 05, 2008 4:52 AM
> To: xacml-dev mailing list
> Cc: Dee Schur; ggebel@burtongroup.com
> Subject: InterOp and Attribute Identifiers? - Re: [xacml-users] OASIS
> XACML
> InterOp Demo, RSA 2008, San Francisco, California, USA, April 7-11 2008
>
> Hi Dee,
> Hi Gerry,
>
> Very interesting event!
>
> Actually this announcement triggered my request to the list about
> defining new attribute and obligation identifiers (see my message of
> March 4, 2007, "Subject: [xacml-dev] Any rules/regulations for defining
> new AttributeId...")
>
> Can you or somebody from potential interopers advice on the best
> practice for defining common attribute and obligation identifiers?
>
> In particular, using OASIS prefix "urn:oasis:names:tc:xacml:2.0:" vs own
> namespace vs URL style?

In general you should use your own prefix. The OASIS one is reserved for
the enumerators agreed upon by OASIS standardization process. The tooling
is expected to handle non-OASIS extensions gracefully.

Any sensible software implementation is extensible in terms of the
enumerators it accepts and if you invent new ones, it stands to reason
that the implementations should be able to handle them as unknown, but
legit extensions.

For some intervening layers that is sufficient, but eventually you want
your enumerator to be semantically understood and acted upon. At this
crucial point the standardized enumerators have a good chance of being
correctly understood whereas the nonstandard ones (defacto, common use)
will have varying track record depending on their adoption.

If you need specific advice, please do not hesitate to contact me.

Cheers,
--Sampo

> Regards,
>
> Yuri Demchenko
> UvA, EGEE Project
>
> Dee Schur wrote:
>>
>> OASIS XACML InterOp Demo, RSA Conference 2008, San Francisco,
>> California,
>> USA, April 7-11 2008, Booths 132-136
>>
>> The eXtensible Access Control Markup Language (XACML) 2.0 OASIS Standard
> has
>> emerged as a front runner in solving complex access control problems in
> the
>> enterprise. Unlike the approach taken by proprietary access control
>> lists
>> (ACL), XACML is an industry accepted standard that provides a well
>> defined
>> structure to create rules and policy sets to make complex authorization
>> decisions.  Enterprise practitioners have wished for greater
>> interoperability between products that support the XACML OASIS Standard.
>>
>> At the RSA Conference 2008 in San Francisco, April 7-11, nine
> organizations
>> will come together to demonstrate interoperability of the eXtensible
> Access
>> Control Markup Language (XACML) 2.0 OASIS Standard. Simulating a real
> world
>> scenario provided by the U.S Department of Veterans Affairs; the demo
>> will
>> show how XACML ensures successful authorization decision requests and
>> the
>> exchange of authorization policies. Participants include:
>>
>> .     Axiomatics
>> .     BEA Systems
>> .     IBM
>> .     Oracle
>> .     Red Hat
>> .     Cisco
>> .     Sun Microsystems
>> .     U.S. Department of Veterans Affairs
>>
>> The Interoperability Demonstration will utilize the requirements drawn
>> in
>> the Healthcare industry based on work done at the U.S. Department of
>> Veterans Affairs, HL7, ASTM and ANSI.  The requirements include
>> Role-Based
>> Access Control (RBAC), Privacy Protections, Structured and Functional
> Roles,
>> Consent Codes, Emergency Overrides and Filtering of Sensitive Data. The
>> demonstration will highlight how XACML Obligations can provide
>> additional
>> capabilities in the policy decision making process, while taking the
> health
>> care scenarios as example. Technical details of the demonstration,
> including
>> Interoperability Configuration, Policy Decision Request and Policy
>> Interoperability, Roles and Privileges Modeling, Usage of XACML
> Obligations
>> and SAML Identity Providers will be highlighted.
>>
>> The demonstration will occur in Booths 132-136 beginning April 7, 2008
>> during Expo hours. There will be an opportunity for the RSA 2008
>> attendees
>> to interact with the participating technologists.
>>
>> ***Please distribute to colleagues**
>>
>> For more information contact: jane.harnad@oasis-open.org or
>> dee.schur@oasis-open.org
>>
>>
>>
>>
>> --
>> Gerry Gebel | VP & Service Director | Identity and Privacy Strategies |
>>