Subject: Revised new XACML TC charter draft
Attached is a revised draft of the post-2.0-clarified XACML TC
charter. Changes include:
- inclusion of the original Statement of Purpose; after
examining it, I decided none of it needed to be deleted.
- slight rewording of Scope Item 2, last bullet: "Use of XACML
authorization policies with web service policies". This item
is intended to cover how XACML authorization policies will be
used in/with whatever the web services policy standard turns
out to be.
- updating the Deliverables and Completion Dates to include all
our completed deliverables and our proposed future ones.
Comments welcome.
Anne
--
Anne H. Anderson  Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311  Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
Proposed post-2.0 XACML TC Charter
Version: 1.6
Updated: 04/09/30 (yy/mm/dd)
Editor: Anne Anderson
The charter for this TC is as follows.
Name
eXtensible Access Control Markup Language - XACML
Statement of Purpose
The XACML Technical Committee will define a core XML schema
for representing authorization and entitlement policies, also
called XACML.
Policy Target
The target of a policy (hereafter referred to as "target") can
be any object that can be referenced using XML.
Protocols and Bindings
The XACML Technical Committee will identify bindings to
existing protocols (e.g., XPath, LDAP), and define new
protocols, if necessary, as means of accessing and
communicating the policies.
Scope
XACML is expected to address fine-grained control of
authorized activities, the effect of characteristics of the
access requestor, the protocol over which the request is
made, authorization based on classes of activities, and
content introspection (i.e., authorization based on both the
requestor and potentially attribute values within the
target, where the values of the attributes may not be known
to the policy writer). XACML is also expected to suggest a
policy authorization model to guide implementers of the
authorization mechanism.
Extensibility
The XACML core schema is extensible to accommodate features that are as yet unknown.
Interoperability
The XACML Technical Committee will define interoperability of
XACML core schema with other standards. To ensure work is
not duplicated and standards adoption is as simple as
possible, XACML shall adopt as baseline documents the work
products of the Security Services Technical Committee
including but not limited to a Domain Model and
Glossary. Furthermore, Use Cases and Requirements documents
will share content that is common through normative
references. The XACML TC shall keep its work consistent
with the work of the Security Services TC by requesting
enhancements to, modifications of, and cross-references
from Security Services TC documents through a formal
liaison with the Security Services TC. This liaison will
include the regular sharing of deliverables and status
reports during teleconferences or at face-to-face
meetings.
Successfully Using the XACML Specification
XACML is an XML schema for representing authorization and
entitlement policies. However, it is important to note that
a compliant Policy Decision Point (PDP) may choose an
entirely different representation for its internal
evaluation and decision-making processes. That is, it is
entirely permissible for XACML to be regarded simply as a
policy interchange format, with any given implementation
translating the XACML policy to its own
local/native/proprietary/alternate policy language sometime
prior to evaluation.
A set of test cases (each test case consisting of a specific
XACML policy instance, along with all relevant inputs to
the policy decision and the corresponding PDP output
decision) will be devised and included on the XACML Web
site. These test cases are provided to assist implementers
in creating implementations that are conformant with the
XACML specification.
The XACML TC adopts the OASIS definition of "successfully
using" as described in its TC Process and IPR Policy
documents.
The XACML specification must make it possible for an XACML PDP
to be capable of accepting SAML conformant inputs and producing
SAML conformant outputs.
Scope
The XACML Technical Committee (TC) will define a core XML
schema for specifying access control policies, and schemas for
specifying authorization decision requests and responses. The
core specification will describe the semantics associated with
evaluation of these schemas. The initial schemas and semantics
specified in XACML Versions 1.0 and 1.1 will be updated based on
new experience and requirements in XACML Version 2.0.
The TC will specify extension schemas or profiles,
semantics, and usage models for the use of XACML in the following
domains or with the following standards:
- Security Assertion Markup Language (SAML)
- XML Digital Signature
- Use of XACML in expressing access controls related to privacy
- Delegation of access control rights
- Delegation of authorization to manage XACML policies
- Role based access control for separation of duty and
dynamic role assignment
- Bindings to LDAP and SQL as means of accessing and
communicating policy and attribute information
- Use of XACML authorization policies with web service policies
The TC MAY issue new versions of the core XACML
specifications if necessary to support the above profiles and
extensions, or to correct serious errors found in current
versions.
The TC MAY issue non-normative conformance tests to aid
developers and users of its specifications.
The TC MAY publish non-normative XACML implementer guides
and XACML tutorials related to deliverables of the TC.
Deliverables and Completion Dates
XACML 2.0 specification set:
- XACML 1.0 - OASIS Standard; February 2003 (completed)
- XACML 1.1 - Committee Draft; July 2003 (completed)
- RBAC profile 1.0 - Committee Draft; February 2004 (completed)
- XACML 2.0 - Committee Draft; September 2004 (completed)
- SAML 2.0 profile - Committee Draft; September 2004 (completed)
- XML Digital Signature profile - Committee Draft; September 2004 (completed)
- Privacy policy profile - Committee Draft; September 2004 (completed)
- Hierarchical Resource profile - Committee Draft; September 2004 (completed)
- Multiple Resource profile - Committee Draft; September 2004 (completed)
- Core and Hierarchical RBAC profile 1.1 - Committee Draft; September 2004 (completed)
- XACML 2.0 - OASIS Standard; January 2005
- SAML 2.0 profile - OASIS Standard; January 2005
- XML Digital Signature profile - OASIS Standard; January 2005
- Privacy policy profile - OASIS Standard; January 2005
- Hierarchical Resource profile - OASIS Standard; January 2005
- Multiple Resource profile - OASIS Standard; January 2005
- Core and Hierarchical RBAC profile 1.1 - OASIS Standard; January 2005
Additional specifications and schemas:
- Delegation and Policy Management profile - OASIS Standard; December 2005
- Separation of Duty and Dynamic Role Assignment RBAC profile - OASIS Standard; December 2005
- LDAP profile - OASIS Standard; December 2005
- SQL profile - OASIS Standard; December 2005
- Web services profile - OASIS Standard; December 2005
Anticipated Audience or Users
The audience is anyone needing an XML representation of
authorization decision requests, responses, or policies, and
anyone needing to use, evaluate, or manage such policies.
Language for Conducting Business
The TC will conduct its business in English.