Subject: RE: XACML TC FAQ. Forwarded message from Carol Geyer.
Carol Geyer at OASIS has proposed some edits to our draft FAQ.
Does anyone object to these changes?
The only one I am a bit unsure about is that the information
about joining as an "observer" versus as a "prospective member"
has been deleted (replaced with a pointer to the OASIS rules).
We always seem to have 4 or 5 "prospective members" on the roster
who never actually attend meetings. I included the "observer"
versus "prospective member" information in an attempt to make it
more clear - perhaps the OASIS rules on membership are not clear
enough, or are too hard to find and read through, particularly
for someone who just wants to join the mailing list.
Anyway, I will go with Carol's edits unless TC members object.
Anne
------- start of forwarded message -------
From: "Carol Geyer" <carol.geyer@oasis-open.org>
To: <Anne.Anderson@sun.com>
Subject: RE: XACML TC FAQ
Date: Fri, 22 Aug 2003 17:10:17 -0400
Anne,
Thanks for preparing this. You've done a great job. I've made a few
edits--mainly just to apply some consistency in naming and voice. I did
cut out a few questions on the details of TC participation, since
they're posted elsewhere on the OASIS site. These are just suggestions,
so please feel free to let me know if I've changed anything you feel
strongly about. Otherwise, Sharon will create the FAQ page as soon as
she gets back from vacation on 2 Sept.
Have a great weekend,
Carol
OASIS XACML TC FAQ
1. What does the OASIS XACML Technical Committee do?
The OASIS XACML TC focuses on the development of a standard access
control policy language. "XACML" stands for "eXtensible Access Control
Markup Language". The full charter is at
http://www.oasis-open.org/committees/xacml/charter.php.
2. What is the need for such a standard?
Currently, there are many proprietary or application-specific access
control policy languages. This means policies cannot be shared across
different applications, and provides little incentive to develop good
policy composition tools. Many of the existing languages do not support
distributed policies, are not extensible, or are not expressive enough
to meet new requirements. XACML enables the use of arbitrary attributes
in policies, role-based access control, security labels, time/date-based
policies, indexable policies, "deny" policies, and dynamic policies--all
without requiring changes to the applications that use XACML. Adoption
of XACML across vendor and product platforms should provide the
opportunity for organizations to perform access and access policy audits
directly across such systems.
3. Who will benefit from XACML and how?
Every developer, user, or maintainer of applications that require secure
authorization will benefit.
4. What has the OASIS XACML TC produced to date?
In February of 2003, OASIS approved XACML Version 1.0 as an OASIS
Standard. In August of 2003, the OASIS XACML TC approved XACML Version
1.1 as an OASIS Committee Specification. The TC has not yet determined
whether this should advance to OASIS Standard (not because it is not
good enough, but because it contains only clarifications and minor
changes, and does not change the Version 1.0 schemas). Links to these
documents are available at
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
5. How does this work compare with related efforts at other standards
organizations?
No other standard access control language written in XML currently
exists. The OASIS XACML TC is aware of several related efforts:
- The OASIS Security Services Technical Committee
<http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security>
has defined the Security Assertion Markup Language (SAML). XACML is an
outgrowth of work to support SAML's AuthorizationDecisionQuery protocol,
although XACML is not intended to be limited to use with that protocol.
There is currently a mismatch between the SAML 1.0 syntax and the XACML
1.0 Request syntax, although it is possible to reconcile them with an
XSLT. There are plans to resolve this in SAML 2.0.
- ISO 10181-3 defines an architecture for access control, but not
a language. In ISO 10181-3 terms, XACML 1.0 specifies an "Access Control
Decision Function" (ADF), and defines its interactions with an "Access
Control Enforcement Point" (AEF).
- The IETF and Distributed Management Task Force (DMTF) have
specified a framework for policies, but not a language. In IETF/DMTF
terms, XACML 1.0 defines a "Policy Decision Point" (PDP), and defines
its interactions with a "Policy Enforcement Point" (PEP).
- The Open Group has defined an Authorization (AZN) API, but not a
language for authorization policies themselves. The OASIS XACML TC does
not define an API, but is designed to work well with SAML
AuthorizationDecisionQuery and its related protocols.
- ANSI is currently in the process of standardizing a framework
and API for Role Based Access Control. The OASIS XACML TC is developing
an XACML Profile for Role Based Access Control that satisfies the
requirements of the proposed ANSI framework, although XACML does not map
easily onto the proposed API.
- The OASIS Rights Language TC
<http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=rights> is
currently discussing use cases and requirements that overlap with both
XACML and SAML.
6. What are the current activities of the OASIS XACML TC?
Pointers to current working drafts including XACML profiles for Web
services policy, XML Digital Signature, and Role Based Access Control
are posted at
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml. In
addition, the TC is working on major extensions that would go into XACML
2.0. Periodically, a list of the current work items under consideration
is posted to the OASIS XACML TC mailing list. There is not yet a
schedule for completion of these activities, but all are being actively
developed.
7. Where are the archives for the OASIS XACML TC mailing lists?
Publicly viewable archives are located at
http://lists.oasis-open.org/archives/xacml/. There is also a mailing
list of comments received, primarily during the public review period
leading up to the 1.1 standard, archived at
http://lists.oasis-open.org/archives/xacml-comment/.
8. Who should be involved in the OASIS XACML TC?
Anyone with an interest in access control, authorization, entitlement
and related policy issues, either willing to propose requirements or
contribute technically, should get involved. Existing OASIS members may
join the TC by following instructions posted at
http://www.oasis-open.org/committees/join.php. Non-members can find
information on joining the Consortium at
http://www.oasis-open.org/join/.
9. When does the OASIS XACML TC meet?
General body meetings are held by teleconference every other week.
Usually there is an informal Focus Group meeting on alternate weeks at
the same time, to delve into details on particular topics. The schedule
for meetings is located at
http://www.oasis-open.org/committees/calendar.php?wg_abbrev=xacml.
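The PDP/PEP split named in question 5 and the policy features listed in question 2 (arbitrary attributes, roles, security labels, time-based rules, explicit "deny" rules) can be made concrete with a small evaluator. The Python below is an added illustration written for this page; it is not XACML's schema, a TC artefact, or any XACML implementation. The attribute names, rule ids, the sample policy, the `decide`/`allowed`/`at` helpers and the simplified rendering of deny-overrides combining are all constructed assumptions for the example.

```python
"""Illustrative XACML-style PDP/PEP model (added example, not the XACML schema).
All attribute names, rule ids and the sample policy are constructed here."""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


@dataclass
class Request:
    """Attribute bags for the four request categories: subject, resource, action, environment."""
    subject: Dict[str, object]
    resource: Dict[str, object]
    action: Dict[str, object]
    environment: Dict[str, object] = field(default_factory=dict)


Predicate = Callable[[Request], bool]


@dataclass
class Rule:
    rule_id: str
    effect: str                            # PERMIT or DENY
    target: Predicate                      # does this rule apply to the request at all?
    condition: Predicate = lambda r: True  # further check once the target matches

    def evaluate(self, req: Request) -> str:
        try:
            if not self.target(req):
                return NOT_APPLICABLE
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except (KeyError, TypeError):
            # A referenced attribute is missing or malformed: the rule cannot be
            # decided, so it yields Indeterminate instead of guessing.
            return INDETERMINATE


def deny_overrides(rules: List[Rule], req: Request) -> str:
    """Simplified deny-overrides combining: any Deny wins; a Deny rule that could
    not be evaluated counts as a potential Deny; Permit only survives otherwise."""
    at_least_one_error = potential_deny = at_least_one_permit = False
    for rule in rules:
        decision = rule.evaluate(req)
        if decision == DENY:
            return DENY
        if decision == INDETERMINATE:
            at_least_one_error = True
            if rule.effect == DENY:
                potential_deny = True
        elif decision == PERMIT:
            at_least_one_permit = True
    if potential_deny:
        return DENY
    if at_least_one_permit:
        return PERMIT
    if at_least_one_error:
        return INDETERMINATE
    return NOT_APPLICABLE


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]

    def evaluate(self, req: Request) -> str:
        return deny_overrides(self.rules, req)


class PDP:
    """Policy Decision Point: evaluates requests against policy, never touches the resource."""
    def __init__(self, policy: Policy):
        self.policy = policy

    def decide(self, req: Request) -> str:
        return self.policy.evaluate(req)


class PEP:
    """Policy Enforcement Point: fails closed, only an explicit Permit grants access."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def is_allowed(self, req: Request) -> bool:
        return self.pdp.decide(req) == PERMIT


def in_business_hours(req: Request) -> bool:
    return time(9, 0) <= req.environment["time"] < time(17, 0)


# Constructed sample policy: an explicit deny, a security-label rule on a role,
# and a time-restricted rule, all driven by request attributes.
SAMPLE_POLICY = Policy("example-policy", [
    Rule("deny-quarantined", DENY,
         target=lambda r: bool(r.resource.get("quarantined", False))),
    Rule("read-by-clearance", PERMIT,
         target=lambda r: r.action["id"] == "read" and r.subject["role"] in ("analyst", "admin"),
         condition=lambda r: r.subject["clearance"] >= r.resource["classification"]),
    Rule("admin-write-hours", PERMIT,
         target=lambda r: r.action["id"] == "write" and r.subject["role"] == "admin",
         condition=in_business_hours),
])
PEP_INSTANCE = PEP(PDP(SAMPLE_POLICY))


def at(hour: int) -> Dict[str, object]:
    """Environment bag for a request made at the given hour (constructed helper)."""
    return {"time": time(hour, 0)}


def decide(subject, resource, action, environment=None) -> str:
    return PEP_INSTANCE.pdp.decide(Request(subject, resource, action, environment or {}))


def allowed(subject, resource, action, environment=None) -> bool:
    return PEP_INSTANCE.is_allowed(Request(subject, resource, action, environment or {}))
```

The point worth noticing is the three non-Permit outcomes: a request nothing speaks to is NotApplicable, a request a rule cannot evaluate (missing clearance, missing time) is Indeterminate, and a Deny rule that cannot be evaluated still forces Deny. The PEP treats all three the same way, refusing access, so an incomplete attribute set never turns into a grant.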