OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Groups - IPC WD-05 uploaded

    Posted 10-14-2011 17:27
    Submitter's message: WD-05 contains sample requests and policies. -- Mr. John Tolbert
    Document Name: IPC WD-05
    Description: XACML Intellectual Property Controls profile, working draft 5
    Submitter: Mr. John Tolbert
    Group: OASIS eXtensible Access Control Markup Language (XACML) TC
    Folder: Specifications and Working Drafts
    Date submitted: 2011-10-14 10:26:53


  • 2.  RE: [xacml] Groups - IPC WD-05 uploaded

    Posted 10-19-2011 15:12
    The examples are a step forward, but they need to be valid per the wd-17 schema and use the proposed IPC attribute ids. One way to create valid XML is to use a schema-aware xml editor. I just updated http://wiki.oasis-open.org/xacml/RelaxNG_Schemas with the wd-17 schema for the benefit of those who use emacs nxml-mode or some other RelaxNG tool.

    I’ve attached a partially-corrected version of the first policy—it is schema-valid but still has some nonstandard AttributeIds. Also attached is an html view of the policy which employs a graphical notation to show attribute constraints in target matches and conditions.

    I will have more comments on the business intent of the policies, but my first impression is that they are more academic in nature than real-world. Copyrights and trademarks are by definition already protected IP, and although XACML can be used to enforce license agreements around these types of IP I do not see that as the biggest challenge in this space. The trade secret policy is meatier; I will have more comments and some alternate approaches for this.

    Regards,
    --Paul

    From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of John Tolbert
    Sent: Friday, October 14, 2011 12:27
    To: xacml@lists.oasis-open.org
    Subject: [xacml] Groups - IPC WD-05 uploaded

    Attached html view of the policy (policy412.html):

    Title: copyright-approve
    Policy: copyright-approve
    Version: 1
    Description: Example access control policy for copyright material
    Target: This policy applies to requests that meet the following conditions.
        string-equal COPYRIGHT Resource@ip-type
    Rules: The rule combining algorithm is deny-overrides.
    Rule: right to use copyrighted material match
        allow if subject's association to the designated custodian of the copyright agrees
        Target: This policy applies to requests that meet the following conditions.
            and
                string-equal Wiley Corp Subject@Organizational-Affiliation
                string-equal CR101 Subject@Agreement-Designator
                string-equal CR101 Resource@agreement-designator
                string-equal Acme Resource@ip-owner
                string-equal Wiley Corp Resource@ip-designee
        Condition: IF
            and
                date-greater-than-or-equal (date-one-and-only Environment@current-date) (date-one-and-only Resource@effective-date)
                date-less-than-or-equal (date-one-and-only Environment@current-date) (date-one-and-only Resource@expiration-date)
        THEN Permit
    Obligations:
        Obligation: urn:oasis:names:tc:ipc:1.0:obligation:encrypt, Fulfill on Permit
        Obligation: urn:oasis:names:tc:ipc:1.0:obligation:marking, Fulfill on Permit
            Attribute assignments (id: value)
                urn:oasis:names:tc:xacml:2.0:example:attribute:text: ©2011 Acme

    Attached policy (policy412.xml):

    <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
            PolicyId="copyright-approve" Version="1"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
      <Description>Example access control policy for copyright material</Description>
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">COPYRIGHT</AttributeValue>
              <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                   AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:ip-type"
                                   DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
      <Rule RuleId="right to use copyrighted material match" Effect="Permit">
        <Description>allow if subject's association to the designated custodian of the copyright agrees</Description>
        <Target>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Wiley Corp</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                     AttributeId="Organizational-Affiliation"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
              </Match>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CR101</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                     AttributeId="Agreement-Designator"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
              </Match>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CR101</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                     AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:agreement-designator"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
              </Match>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Acme</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                     AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:ip-owner"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
              </Match>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Wiley Corp</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                     AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:ip-designee"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
        <Condition>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                                     AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date"
                                     DataType="http://www.w3.org/2001/XMLSchema#date" MustBePresent="false"/>
              </Apply>
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                     AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:effective-date"
                                     DataType="http://www.w3.org/2001/XMLSchema#date" MustBePresent="false"/>
              </Apply>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                                     AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date"
                                     DataType="http://www.w3.org/2001/XMLSchema#date" MustBePresent="false"/>
              </Apply>
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                     AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:expiration-date"
                                     DataType="http://www.w3.org/2001/XMLSchema#date" MustBePresent="false"/>
              </Apply>
            </Apply>
          </Apply>
        </Condition>
      </Rule>
      <ObligationExpressions>
        <ObligationExpression ObligationId="urn:oasis:names:tc:ipc:1.0:obligation:encrypt" FulfillOn="Permit"/>
        <ObligationExpression ObligationId="urn:oasis:names:tc:ipc:1.0:obligation:marking" FulfillOn="Permit">
          <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">©2011 Acme</AttributeValue>
          </AttributeAssignmentExpression>
        </ObligationExpression>
      </ObligationExpressions>
    </Policy>

    Attachment(s)

    html
    policy412.html   10 KB 1 version
    xml
    policy412.xml   5 KB 1 version


  • 3.  Re: [xacml] Groups - IPC WD-05 uploaded

    Posted 10-20-2011 07:50
    John,

    Here are some comments on the updated profile.

    Sections 2.11, 2.1.5 (possibly some others as well): Would you consider using a URI rather than a string for the type of these attributes? URIs are divided into namespaces, which is useful since you expect that other values may be defined in the future. With a string type, there is the risk of colliding definitions by different groups defining new values.

    Section 2.3: What is the identifier urn:oasis:names:tc:xacml:3.0:profiles:ipc:obligation used for?

    Section 2.3.1 and others: urn:oasis:names:tc:xacml:3.0:policy:schema:os is not the XACML schema namespace.

    Best regards,
    Erik

    On 2011-10-14 19:26, John Tolbert wrote:
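Paul's remark about nonstandard AttributeIds and Erik's points about URI-typed identifiers and the wrong schema namespace can be mechanised as a small policy lint. The following is an added example, not code from the thread or from the IPC profile; it uses only Python's standard library, takes a constructed cut-down copy of the copyright-approve target above as input, and additionally checks that each Match compares values of a single DataType, a check the thread itself does not raise.

```python
"""Lint an XACML 3.0 policy for the points raised in this thread: the root
namespace must be the wd-17 core schema namespace, and every AttributeId
should be an absolute URI so that independently defined bare names cannot
collide.  Also checks that each Match compares values of one DataType.
Hypothetical helper written for this page, not part of any PDP or profile."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XSD = "http://www.w3.org/2001/XMLSchema#"


def local_name(tag):
    """Strip the {namespace} prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def lint_policy(xml_text):
    """Return a list of finding strings; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns != XACML_NS:
        findings.append(f"root namespace {ns!r} is not {XACML_NS}")
    for el in root.iter():
        if local_name(el.tag) == "AttributeDesignator":
            attr_id = el.get("AttributeId", "")
            # A bare name such as "Organizational-Affiliation" has no URI scheme.
            if urlparse(attr_id).scheme == "":
                findings.append(f"AttributeId {attr_id!r} is not an absolute URI")
        elif local_name(el.tag) == "Match":
            # string-equal and friends take two operands of the same DataType.
            types = {c.get("DataType", "") for c in el
                     if local_name(c.tag) in ("AttributeValue", "AttributeDesignator")}
            if len(types) != 1 or not next(iter(types)).startswith(XSD):
                findings.append(f"Match {el.get('MatchId')} mixes DataTypes {sorted(types)}")
    return findings


# Constructed sample: a cut-down copy of the copyright-approve target above,
# with one standard IPC AttributeId and one bare, nonstandard one.
SAMPLE_POLICY = f"""<Policy xmlns="{XACML_NS}" PolicyId="copyright-approve" Version="1"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target><AnyOf><AllOf>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="{XSD}string">COPYRIGHT</AttributeValue>
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:ip-type"
        DataType="{XSD}string" MustBePresent="false"/>
    </Match>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="{XSD}string">Wiley Corp</AttributeValue>
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
        AttributeId="Organizational-Affiliation"
        DataType="{XSD}string" MustBePresent="false"/>
    </Match>
  </AllOf></AnyOf></Target>
</Policy>"""

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```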


  • 4.  RE: [xacml] Groups - IPC WD-05 uploaded

    Posted 11-03-2011 15:25
    I’m not through making comments, but I wanted to get this out for discussion. I think we still have a ways to go on this. My primary concern is not to standardize too much without sufficient motivation or evidence.

    Regards,
    --Paul

    From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of John Tolbert
    Sent: Friday, October 14, 2011 12:27 PM
    To: xacml@lists.oasis-open.org
    Subject: [xacml] Groups - IPC WD-05 uploaded

    Attachment: xacml-3 0-ipc-v1 0-spec-wd-05pht20111103.docx




  • 5.  RE: [xacml] Groups - IPC WD-05 uploaded

    Posted 11-03-2011 16:27
    Paul,

    I am okay with most of the glossary additions/changes and changes to the descriptive text in the attributes. I would prefer to keep “Agreement-Designator” instead of “IP-Agreement”, because language granting rights to IP resources often occurs outside an agreement which is solely about IP. This is another reason why we need a “third-person” way of representing legal agreements in XACML, as you postulated earlier.

    Responding to input from our last meeting, I have started WD-06 with a restructuring of the resource attributes. I have also included “creator” and “rights” from Dublin Core, and referenced them as such. I have removed “IP-Type” and “IP-Data”, and substituted Boolean data types for each of the top-level types, and string/date data types for the products of the former IP-Type x IP-Data matrix.

    2.1 Resource Attributes
        2.1.1 Copyright (Boolean)
        2.1.2 Copyright-Creator (String)
        2.1.3 Copyright-Registration (String)
        2.1.4 Patent (Boolean)
        2.1.5 Patent-Registration (String)
        2.1.6 Proprietary (Boolean)
        2.1.7 Public-Domain (Boolean)
        2.1.8 Trademark (Boolean)
        2.1.9 IP-Owner (String)
        2.1.10 IP-Designee (String)
        2.1.11 Agreement-Type (String)
        2.1.12 Agreement-Designator (String)
        2.1.13 Rights (String)
        2.1.14 Effective-Date (Date)
        2.1.15 Expiration-Date (Date)
    2.2 Subject Attributes
        2.2.1 Organizational-Affiliation (String)
        2.2.2 Affiliation-Type (String)
        2.2.3 Agreement-Designator (String)

    I am interested in additional feedback on the idea of having separate effective/expiration date attributes for copyright, patent, and trademark registrations.

    I believe these changes should aid understanding and simplify policy authoring. I also believe that, while the structure of the profile has changed in the various iterations, the core concepts expressed have remained essentially the same, and that we are reasonably close to finalizing this profile for now. I do not think we are standardizing too much. The attribute list reflects a fairly broad and not industry/country specific interpretation of how access to intellectual property resources can be governed. Not every IP authorization decision will use every attribute listed. Furthermore, I know that organizations will need to define additional attributes for their own internal purposes. This profile establishes a baseline that can promote interoperability and can be used as a framework to advance the common framework for IP authorization decisions.

    Thanks,

    John

    From: Tyson, Paul H [mailto:PTyson@bellhelicopter.textron.com]
    Sent: Thursday, November 03, 2011 8:25 AM
    To: Tolbert, John W; xacml@lists.oasis-open.org
    Subject: RE: [xacml] Groups - IPC WD-05 uploaded


  • 6.  RE: [xacml] Groups - IPC WD-05 uploaded

    Posted 11-08-2011 15:43
    OK, I can go along with this set of attributes. As we discussed at the last TC telecon, maybe use “agreement-id” instead of “agreement-designator”.

    Please make sure to specify the meaning of each attribute as precisely as possible. I tried to do this in the marked-up document I posted last week.

    As for adopting foreign vocabulary terms (e.g. Dublin core), I am leaning more against that unless the foreign term is defined in its native context to have a value range compatible with XACML datatypes. That would exclude dc:creator, which has a range of dc:Agent. On the other hand, dc:created (date of creation) is defined with a range of rdfs:Literal. Instances of xs:date or xs:dateTime are literal values, so it would be OK to define dc:created as a XACML attribute with datatype of xs:date or xs:dateTime. (See http://dublincore.org/documents/2010/10/11/dcmi-terms/)

    Regards,
    --Paul

    From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Tolbert, John W
    Sent: Thursday, November 03, 2011 11:27 AM
    To: Tyson, Paul H; xacml@lists.oasis-open.org
    Subject: RE: [xacml] Groups - IPC WD-05 uploaded