Subject: RE: [xacml-dev] XACML and WS-Policy
XACML is designed for the traditional use of policy, i.e. to determine if something conforms to policy or not. In the case of XACML it is to determine if access should be allowed. The WS-Policy family of policies, which includes Security Policy, Reliable Messaging Policy, etc. are intended primarily for a different purpose. They allow a Service to advertise what requirements a request must meet to use the service. The intention is that a client can compare what it is willing and able to do with what the Service requires and produce messages which conform.

WS-SecurityPolicy is really not suitable as an enforceable access control policy as it stands. For example, WS-SP can tell you that a username token or X.509 token are required, but not what users with what attributes will be allowed to perform specific functions.

There is work underway in the XACML TC to allow XACML policies to be attached to WS Security Policies in order to provide finer grained information. Anne Anderson has described this in a separate message.

Hal

> -----Original Message-----
> From: Wynn, Jackson E. [mailto:jwynn@mitre.org]
> Sent: Thursday, June 14, 2007 10:07 AM
> To: xacml-dev@lists.oasis-open.org
> Cc: Wynn, Jackson E.
> Subject: [xacml-dev] XACML and WS-Policy
>
> Hello,
>
> I'm trying to understand requirements for an integrated security policy
> language for web services that includes access control (XACML?), SOAP
> message security (WS-SecurityPolicy), message reliability
> (WS-ReliableMessaging), etc.
>
> XACML provides a generalized access control policy language. It is not
> designed specifically for web services, but it can be used in that
> context, e.g., web service URL as a resource.
>
> WS-SecurityPolicy and WS-ReliableMessaging are designed specifically
> for web services, being extensions of the W3C WS-Policy specification.
> The WS-Policy specification includes generic framework elements and
> alternative methodologies for attaching policies to web services.
> Because they both extend WS-Policy, it is possible to combine elements
> from WS-SecurityPolicy and WS-ReliableMessaging into a single,
> integrated web service security policy.
>
> Given that XACML does not extend WS-Policy, it does not appear possible
> to embed XACML rules governing web service access control into the same
> web service security policy described above.
>
> Is this correct??
>
> If so, has the XACML TC considered the potential benefits of defining a
> XACML subset, based on WS-Policy, that can be used specifically to
> enforce web service access??
>
>
> Thanks in advance,
>
> Jackson Wynn
> Lead Infosec Engineer - G026
> The MITRE Corporation
> Bedford, MA
>
> (781) 271-3419
>
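The distinction drawn in the reply above, as an added example that is not part of the original thread: a conformance check against advertised token requirements next to an attribute-based access decision. This is a simplified model in Python, not WS-SecurityPolicy or XACML syntax; the rule set, resource path, roles and sample requests are all constructed for illustration.

```python
# Simplified model; every name and value below is constructed for illustration.

# What a service advertises: alternatives, each a set of token types a request
# must carry (the "ExactlyOne of All" shape of a WS-Policy expression).
ADVERTISED_ALTERNATIVES = [{"UsernameToken"}, {"X509Token"}]

# What an access control policy decides on: subject attributes, resource, action.
# Rules are evaluated in order, in the style of XACML's first-applicable algorithm.
# None in a rule field means "matches any value".
ACCESS_RULES = [
    {"effect": "Permit", "role": "manager", "resource": "/payroll", "action": "update"},
    {"effect": "Permit", "role": "clerk", "resource": "/payroll", "action": "read"},
    {"effect": "Deny", "role": None, "resource": "/payroll", "action": None},
]

def conforms(message_tokens, alternatives=ADVERTISED_ALTERNATIVES):
    """True if the message satisfies at least one advertised alternative."""
    return any(alt <= set(message_tokens) for alt in alternatives)

def decide(request, rules=ACCESS_RULES):
    """Return Permit, Deny or NotApplicable for an attribute-based request."""
    for rule in rules:
        if rule["resource"] != request["resource"]:
            continue
        if rule["role"] is not None and rule["role"] not in request["roles"]:
            continue
        if rule["action"] is not None and rule["action"] != request["action"]:
            continue
        return rule["effect"]
    return "NotApplicable"

def evaluate(message):
    """Conformance check first, then the access decision."""
    if not conforms(message["tokens"]):
        return "NonConformant"
    return decide(message)

# Constructed sample requests: same token type, different subject attributes.
ALICE = {"tokens": ["UsernameToken"], "roles": ["manager"], "resource": "/payroll", "action": "update"}
BOB = {"tokens": ["UsernameToken"], "roles": ["clerk"], "resource": "/payroll", "action": "update"}
CAROL = {"tokens": [], "roles": ["manager"], "resource": "/payroll", "action": "update"}

if __name__ == "__main__":
    for name, msg in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        print(name, conforms(msg["tokens"]), evaluate(msg))
```

Both ALICE and BOB conform to the advertised token requirement, yet only the attribute-based rules tell them apart.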