OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  REST Profile - General Plan

    Posted 05-16-2012 20:15
    I have a number of different kinds of comments about the REST Profile and Media Types which I will post separately to allow the discussion to take place in distinct threads.

    I am not clear on what the general plan for this work is.

    First, Robin Cover noted that the IANA submission must refer to a document that is either an IETF RFC or an OASIS Standard (in our case). I assume that we are not doing an RFC, so we must bring the Media Types doc to OASIS Standard before doing the IANA submission. Agreed?

    Second, I assume the Media Types document should refer to a document which has at least some level of approval. Does everyone agree on this? Is CD sufficient? CS?

    Next question is, do we plan to put the JSON material and everything else related in the REST Profile doc, or have a separate doc for some of it?

    Assuming a single doc, are we planning to complete it and then move it to CS and OS, or attempt to standardize a preliminary doc which is missing some of the material?

    Assuming we will complete it and then move it forward, is there any necessary ordering between reaching any particular stage of the REST and Media Profiles?

    Is there anything else we need to agree on with respect to the work plan?

    Hal


  • 2.  RE: [xacml] REST Profile - General Plan

    Posted 05-16-2012 20:26
    I believe we discussed on the last call that we would remove JSON from the XACML media type document and pursue JSON representation of XACML in a separate track. When the JSON profile is sorted out by the TC, then we can consider another IANA submission for a JSON media type, referencing the approved JSON profile.

    -Danny

    Danny Thorpe
    Product Architect
    Quest Software - Now including the people and products of BiTKOO
    www.quest.com

    > -----Original Message-----
    > From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Hal Lockhart
    > Sent: Wednesday, May 16, 2012 1:15 PM
    > To: xacml@lists.oasis-open.org
    > Subject: [xacml] REST Profile - General Plan


  • 3.  RE: [xacml] REST Profile - General Plan

    Posted 05-16-2012 21:26
    Hal,

    > -----Original Message-----
    > From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Hal Lockhart
    > Sent: Wednesday, May 16, 2012 10:15 PM
    > To: xacml@lists.oasis-open.org
    > Subject: [xacml] REST Profile - General Plan
    >
    > I have a number of different kinds of comments about the REST Profile and Media Types which I will post separately to allow the discussion to take place in distinct threads.
    >
    > I am not clear on what the general plan for this work is.

    My proposal was the following: http://lists.oasis-open.org/archives/xacml/201205/msg00006.html

    > First, Robin Cover noted that the IANA submission must refer to a document that is either an IETF RFC or an OASIS Standard (in our case). I assume that we are not doing an RFC, so we must bring the Media Types doc to OASIS Standard before doing the IANA submission. Agreed?

    Actually, I'm leaning more towards an RFC: http://lists.oasis-open.org/archives/xacml/201205/msg00006.html

    > Second, I assume the Media Types document should refer to a document which has at least some level of approval. Does everyone agree on this? Is CD sufficient? CS?

    Per Robin's statement above it should be OS, right?

    > Next question is, do we plan to put the JSON material and everything else related in the REST Profile doc, or have a separate doc for some of it?

    Current consensus seems to be a separate document. David Brossard proposed his 'JSON over HTTP' profile: http://lists.oasis-open.org/archives/xacml/201205/msg00012.html But we may have to rename it?

    > Assuming a single doc, are we planning to complete it and then move it to CS and OS, or attempt to standardize a preliminary doc which is missing some of the material?

    I vote we complete it and then move it forward.

    > Assuming we will complete it and then move it forward, is there any necessary ordering between reaching any particular stage of the REST and Media Profiles?

    The JSON profile is independent of anything else, as is the registration of the XML format.

    The REST profile needs a representation (and would ideally reference the JSON and XML formats), but the meat of the profile can move forward without knowledge of the details of any such representation. So we may need to wait until the XML and JSON stuff is "done" to finalize the REST profile, but we can surely work on it in the meantime.

    > Is there anything else we need to agree on with respect to the work plan?

    Don't think so.

    Thanks,
    Ray


  • 4.  RE: [xacml] REST Profile - General Plan

    Posted 05-17-2012 14:24
    > > I am not clear on what the general plan for this work is.
    >
    > My proposal was the following:
    > http://lists.oasis-open.org/archives/xacml/201205/msg00006.html

    My bad, I missed this message.

    > > First, Robin Cover noted that the IANA submission must refer to a document that is either an IETF RFC or an OASIS Standard (in our case). I assume that we are not doing an RFC, so we must bring the Media Types doc to OASIS Standard before doing the IANA submission. Agreed?
    >
    > Actually, I'm leaning more towards an RFC:
    > http://lists.oasis-open.org/archives/xacml/201205/msg00006.html

    Ok, I am ignorant of what level of approval the RFC needs to get. Can you just get a number and write it up as informational, or do you need to create a working group, etc.?

    > > Second, I assume the Media Types document should refer to a document which has at least some level of approval. Does everyone agree on this? Is CD sufficient? CS?
    >
    > Per Robin's statement above it should be OS, right?

    What I was thinking of was the case where the Media Types doc simply pointed at the REST Profile. If we are dropping the media types document, this question is moot.

    > > Next question is, do we plan to put the JSON material and everything else related in the REST Profile doc, or have a separate doc for some of it?
    >
    > Current consensus seems to be a separate document. David Brossard proposed his 'JSON over HTTP' profile:
    > http://lists.oasis-open.org/archives/xacml/201205/msg00012.html
    > But we may have to rename it?

    It may make sense to have a separate document for the JSON format of requests and perhaps policies, but I would think the material about how to put it in a message and process requests and responses would involve a lot of duplication between the two documents, which is usually a bad idea. I would like to hear other opinions on this.

    > > Assuming a single doc, are we planning to complete it and then move it to CS and OS, or attempt to standardize a preliminary doc which is missing some of the material?
    >
    > I vote we complete it and then move it forward.

    > > Assuming we will complete it and then move it forward, is there any necessary ordering between reaching any particular stage of the REST and Media Profiles?
    >
    > The JSON profile is independent of anything else, as is the registration of the XML format.
    >
    > The REST profile needs a representation (and would ideally reference the JSON and XML formats), but the meat of the profile can move forward without knowledge of the details of any such representation. So we may need to wait until the XML and JSON stuff is "done" to finalize the REST profile, but we can surely work on it in the meantime.

    So far what I have heard (outside the TC) is a lot of interest in REST with no XML, but not a whole lot of interest in XML over HTTP. What do others think?

    Hal


  • 5.  RE: [xacml] REST Profile - General Plan

    Posted 05-17-2012 20:56
    Hal,

    > -----Original Message-----
    > From: Hal Lockhart [mailto:hal.lockhart@oracle.com]
    > Sent: Thursday, May 17, 2012 4:24 PM
    > To: Sinnema, Remon
    > Cc: xacml@lists.oasis-open.org; robin@oasis-open.org
    > Subject: RE: [xacml] REST Profile - General Plan
    >
    > > > Second, I assume the Media Types document should refer to a document which has at least some level of approval. Does everyone agree on this? Is CD sufficient? CS?
    > >
    > > Per Robin's statement above it should be OS, right?
    >
    > What I was thinking of was the case where the Media Types doc simply pointed at the REST Profile. If we are dropping the media types document, this question is moot.

    An RFC needs to point to something as well (the core XACML spec in the case of the XACML XML media type). I think that spec must be at OS, right?

    > It may make sense to have a separate document for the JSON format of requests and perhaps policies, but I would think the material about how to put it in a message and process requests and responses would involve a lot of duplication between the two documents, which is usually a bad idea.

    Indeed, that's why my proposal is to have a REST profile that defines the types of messages that can be sent, and separate profiles/RFCs that define the layout of the messages in XML, JSON, etc.

    > So far what I have heard (outside the TC) is a lot of interest in REST with no XML, but not a whole lot of interest in XML over HTTP. What do others think?

    I have an interest in XML over HTTP. We have a RESTful API over HTTP and store data in our native XML database. I also have an interest in JSON over HTTP. The beauty of REST is that the actual format used to represent resources isn't all that important, as long as it encodes the same information and allows navigating between resources.

    Thanks,
    Ray


  • 6.  RE: [xacml] REST Profile - General Plan

    Posted 05-19-2012 10:04
    Hal,

    > -----Original Message-----
    > From: Hal Lockhart [mailto:hal.lockhart@oracle.com]
    > Sent: Thursday, May 17, 2012 4:24 PM
    > To: Sinnema, Remon
    > Cc: xacml@lists.oasis-open.org; robin@oasis-open.org
    > Subject: RE: [xacml] REST Profile - General Plan
    >
    > So far what I have heard (outside the TC) is a lot of interest in REST with no XML, but not a whole lot of interest in XML over HTTP.

    At last month's "XACML in Practice" seminar in the Netherlands, two different uses of XML over HTTP were presented:

    eRecognition is an authentication (based on SAML) and authorization (based on XACML) infrastructure that is mandatory for all Dutch national, regional, and local government agencies. They use the SAML HTTP-Post binding for transport, but would have been better served by the functionality in the REST profile with the XML format.
    https://docs.google.com/file/d/0B73oMwBhIq9Ta3NYVmExa2N5V00/edit?pli=1

    The European Grid Infrastructure is used by particle physics researchers in Europe (and the US) in a federated manner with virtual organizations. They send the XACML request/response over HTTP as well.
    https://docs.google.com/file/d/0B73oMwBhIq9TWm9pOU5uSHI1SEk/edit?pli=1

    BTW, they make heavy use of obligations and could be a useful source of input should we wish to pursue the Obligation Family profile further. They also seem interested in the Metadata profile.

    Thanks,
    Ray

    P.S. The other presentations given at the seminar, including those of David Brossard and myself, can be found here:
    https://docs.google.com/folder/d/0B73oMwBhIq9TMjEzMjA1Y2EtYjVlZi00MDgxLTg2ZmMtZDlmNmRhODU3MmYx/edit?pli=1&docId=0B73oMwBhIq9Tdm40b0tZbDdRdzJZNTBWV2lyREpOUQ