OASIS eXtensible Access Control Markup Language (XACML) TC


RE: XACML TC FAQ. Forwarded message from Carol Geyer.
    Posted 08-25-2003 14:51
    Subject: RE: XACML TC FAQ. Forwarded message from Carol Geyer.


    Carol Geyer at OASIS has proposed some edits to our draft FAQ.
    Does anyone object to these changes?
    
    The only one I am a bit unsure about is that the information
    about joining as an "observer" versus as a "prospective member"
    has been deleted (replaced with a pointer to the OASIS rules).
    We always seem to have 4 or 5 "prospective members" on the roster
    who never actually attend meetings.  I included the "observer"
    versus "prospective member" information in an attempt to make it
    more clear - perhaps the OASIS rules on membership are not clear
    enough, or are too hard to find and read through, particularly
    for someone who just wants to join the mailing list.
    
    Anyway, I will go with Carol's edits unless TC members object.
    
    Anne
    
    ------- start of forwarded message -------
    From: "Carol Geyer" <carol.geyer@oasis-open.org>
    To: <Anne.Anderson@sun.com>
    Subject: RE: XACML TC FAQ
    Date: Fri, 22 Aug 2003 17:10:17 -0400
    
    Anne,
    Thanks for preparing this. You've done a great job. I've made a few
    edits--mainly just to apply some consistency in naming and voice. I did
    cut out a few questions on the details of TC participation, since
    they're posted elsewhere on the OASIS site. These are just suggestions,
    so please feel free to let me know if I've changed anything you feel
    strongly about. Otherwise, Sharon will create the FAQ page as soon as
    she gets back from vacation on 2 Sept.
    
    Have a great weekend,
    Carol
    
    OASIS XACML TC FAQ
    1. What does the OASIS XACML Technical Committee do?
    The OASIS XACML TC focuses on the development of a standard access
    control policy language. "XACML" stands for "eXtensible Access Control
    Markup Language". The full charter is at
    http://www.oasis-open.org/committees/xacml/charter.php.
    
    2. What is the need for such a standard?
    Currently, there are many proprietary or application-specific access
    control policy languages. This means policies cannot be shared across
    different applications, and provides little incentive to develop good
    policy composition tools. Many of the existing languages do not support
    distributed policies, are not extensible, or are not expressive enough
    to meet new requirements. XACML enables the use of arbitrary attributes
    in policies, role-based access control, security labels, time/date-based
    policies, indexable policies, "deny" policies, and dynamic policies--all
    without requiring changes to the applications that use XACML. Adoption
    of XACML across vendor and product platforms should provide the
    opportunity for organizations to perform access and access policy audits
    directly across such systems.
    
    3. Who will benefit from XACML and how?
    Every developer, user, or maintainer of applications that require secure
    authorization will benefit.
    
    4. What has the OASIS XACML TC produced to date?
    In February of 2003, OASIS approved XACML Version 1.0 as an OASIS
    Standard. In August of 2003, the OASIS XACML TC approved XACML Version
    1.1 as an OASIS Committee Specification. The TC has not yet determined
    whether this should advance to OASIS Standard (not because it is not
    good enough, but because it contains only clarifications and minor
    changes, and does not change the Version 1.0 schemas). Links to these
    documents are available at
    http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
    
    5. How does this work compare with related efforts at other standards
    organizations?
    No other standard access control language written in XML currently
    exists. The OASIS XACML TC is aware of several related efforts:
    - The OASIS Security Services Technical Committee
      <http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security>
      has defined the Security Assertion Markup Language (SAML). XACML is an
      outgrowth of work to support SAML's AuthorizationDecisionQuery protocol,
      although XACML is not intended to be limited to use with that protocol.
      There is currently a mismatch between the SAML 1.0 syntax and the XACML
      1.0 Request syntax, although it is possible to reconcile them with an
      XSLT. There are plans to resolve this in SAML 2.0.
    - ISO 10181-3 defines an architecture for access control, but not
      a language. In ISO 10181-3 terms, XACML 1.0 specifies an "Access Control
      Decision Function" (ADF), and defines its interactions with an "Access
      Control Enforcement Point" (AEF).
    - The IETF and Distributed Management Task Force (DMTF) have
      specified a framework for policies, but not a language. In IETF/DMTF
      terms, XACML 1.0 defines a "Policy Decision Point" (PDP), and defines
      its interactions with a "Policy Enforcement Point" (PEP).
    - The Open Group has defined an Authorization (AZN) API, but not a
      language for authorization policies themselves. The OASIS XACML TC does
      not define an API, but is designed to work well with SAML
      AuthorizationDecisionQuery and its related protocols.
    - ANSI is currently in the process of standardizing a framework
      and API for Role Based Access Control. The OASIS XACML TC is developing
      an XACML Profile for Role Based Access Control that satisfies the
      requirements of the proposed ANSI framework, although XACML does not map
      easily onto the proposed API.
    - The OASIS Rights Language TC
      <http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=rights> is
      currently discussing use cases and requirements that overlap with both
      XACML and SAML.
    
    6. What are the current activities of the OASIS XACML TC?
    Pointers to current working drafts including XACML profiles for Web
    services policy, XML Digital Signature, and Role Based Access Control
    are posted at
    http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml. In
    addition, the TC is working on major extensions that would go into XACML
    2.0. Periodically, a list of the current work items under consideration
    is posted to the OASIS XACML TC mailing list. There is not yet a
    schedule for completion of these activities, but all are being actively
    developed.
    
    7. Where are the archives for the OASIS XACML TC mailing lists?
    Publicly viewable archives are located at
    http://lists.oasis-open.org/archives/xacml/. There is also a mailing
    list of comments received, primarily during the public review period
    leading up to the 1.1 standard, archived at
    http://lists.oasis-open.org/archives/xacml-comment/.
    
    8. Who should be involved in the OASIS XACML TC?
    Anyone with an interest in access control, authorization, entitlement
    and related policy issues, either willing to propose requirements or
    contribute technically, should get involved. Existing OASIS members may
    join the TC by following instructions posted at
    http://www.oasis-open.org/committees/join.php. Non-members can find
    information on joining the Consortium at
    http://www.oasis-open.org/join/.
    
    9. When does the OASIS XACML TC meet?
    General body meetings are held by teleconference every other week.
    Usually there is an informal Focus Group meeting on alternate weeks at
    the same time, to delve into details on particular topics. The schedule
    for meetings is located at
    http://www.oasis-open.org/committees/calendar.php?wg_abbrev=xacml.
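The FAQ above (items 2 and 5) describes XACML as a policy language that expresses attribute-, role-, label- and time-based rules as well as explicit "deny" rules, evaluated by a Policy Decision Point (PDP) on behalf of a Policy Enforcement Point (PEP). The following is an added example, not code from the mailing list, the OASIS TC or any XACML implementation: a toy Python PDP/PEP that evaluates a small policy written in the shape of XACML 1.0 (Rule, Effect, Target, attribute designators returning bags, and the deny-overrides rule-combining algorithm). It is a simplified model rather than a conformant implementation; the function names are borrowed from XACML 1.0 with the `urn:oasis:names:tc:xacml:1.0:function:` prefix dropped, and the policy, attribute identifiers, subject, resource labels and requests are all constructed for the example.

```python
from collections import namedtuple
from datetime import time
from typing import Any

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# A request is {category: {attribute-id: bag}}, where every bag is a list (XACML
# attributes are multi-valued). Rule/Policy mirror the XACML elements of the same name.
Rule = namedtuple("Rule", "rule_id effect condition")
Policy = namedtuple("Policy", "policy_id target rules")


def one_and_only(bag: list) -> Any:
    """XACML *-one-and-only: the bag must hold exactly one value, otherwise error."""
    if len(bag) != 1:
        raise ValueError("bag must contain exactly one value")
    return bag[0]

# Function names follow XACML 1.0 (urn:oasis:names:tc:xacml:1.0:function:<name>),
# with the URN prefix dropped to keep the policy readable.
FUNCTIONS = {
    "string-is-in": lambda s, bag: s in bag,
    "time-one-and-only": one_and_only,
    "time-greater-than-or-equal": lambda a, b: a >= b,
    "time-less-than-or-equal": lambda a, b: a <= b,
    "and": lambda *args: all(args),
    "not": lambda a: not a,
}

def attr(category: str, attr_id: str) -> tuple:
    return ("attr", category, attr_id)  # AttributeDesignator, resolved per request

def evaluate_expr(expr: Any, req: dict) -> Any:
    """Tuples are function applications, ("attr", ...) is a designator, anything else a literal."""
    if isinstance(expr, tuple) and expr[0] == "attr":
        return req.get(expr[1], {}).get(expr[2], [])  # missing attribute -> empty bag
    if isinstance(expr, tuple):
        fn, *args = expr
        return FUNCTIONS[fn](*(evaluate_expr(a, req) for a in args))
    return expr

def evaluate_rule(rule: Rule, req: dict) -> str:
    try:
        return rule.effect if evaluate_expr(rule.condition, req) else NOT_APPLICABLE
    except (ValueError, KeyError, TypeError):
        return INDETERMINATE  # missing attribute, wrong type, unknown function

def pdp_decide(policy: Policy, req: dict) -> str:
    """PDP with deny-overrides rule combining, modelled on the XACML 1.0 algorithm:
    any Deny wins, and an Indeterminate rule whose effect is Deny counts as Deny."""
    if not evaluate_expr(policy.target, req):
        return NOT_APPLICABLE
    decisions = [(evaluate_rule(r, req), r.effect) for r in policy.rules]
    if any(d == DENY or (d == INDETERMINATE and e == DENY) for d, e in decisions):
        return DENY
    if any(d == PERMIT for d, _ in decisions):
        return PERMIT
    return INDETERMINATE if any(d == INDETERMINATE for d, _ in decisions) else NOT_APPLICABLE

def pep_allows(policy: Policy, req: dict) -> bool:
    """PEP: only an explicit Permit grants access; NotApplicable and Indeterminate
    are refused, so a missing or malformed attribute fails closed."""
    return pdp_decide(policy, req) == PERMIT

# Constructed sample policy using hypothetical attribute ids: physicians may read
# patient records between 08:00 and 18:00, but records labelled "restricted" are
# denied to anyone who does not also hold the "attending" role.
CURRENT_TIME = ("time-one-and-only", attr("environment", "current-time"))
RECORDS_POLICY = Policy(
    "example:patient-records",
    ("string-is-in", "read", attr("action", "action-id")),
    [
        Rule("permit-physicians-in-hours", PERMIT, (
            "and",
            ("string-is-in", "physician", attr("subject", "role")),
            ("string-is-in", "patient-record", attr("resource", "resource-type")),
            ("time-greater-than-or-equal", CURRENT_TIME, time(8, 0)),
            ("time-less-than-or-equal", CURRENT_TIME, time(18, 0)),
        )),
        Rule("deny-restricted-unless-attending", DENY, (
            "and",
            ("string-is-in", "restricted", attr("resource", "security-label")),
            ("not", ("string-is-in", "attending", attr("subject", "role"))),
        )),
    ],
)

def read_request(roles: list, labels: list, hours: list, action: str = "read") -> dict:
    """Constructed request: subject dr-lee acts on a patient record; `hours` gives
    the environment's current-time bag as whole hours and may be empty."""
    return {
        "subject": {"subject-id": ["dr-lee"], "role": roles},
        "resource": {"resource-type": ["patient-record"], "security-label": labels},
        "action": {"action-id": [action]},
        "environment": {"current-time": [time(h, 0) for h in hours]},
    }

if __name__ == "__main__":
    req = read_request(["physician"], ["restricted"], [9])
    print(pdp_decide(RECORDS_POLICY, req), pep_allows(RECORDS_POLICY, req))  # Deny False
```

The points worth noticing are the ones the FAQ lists as XACML's advantages. The application (the PEP) never sees the rules; changing the working hours or adding a new security label changes only `RECORDS_POLICY`, not `pep_allows`. The Deny rule overrides the Permit rule for a restricted record even though the physician condition is satisfied, which is what "deny" policies with deny-overrides give you. And a request with no `current-time` attribute makes the Permit rule Indeterminate rather than silently false; the PDP then returns Indeterminate and the PEP refuses access, because a PEP that grants anything other than an explicit Permit turns an attribute-lookup failure into an authorization bypass.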