Subject: RE: XACML TC FAQ. Forwarded message from Carol Geyer.


Carol Geyer at OASIS has proposed some edits to our draft FAQ.
Does anyone object to these changes?

The only one I am a bit unsure about is that the information
about joining as an "observer" versus as a "prospective member"
has been deleted (replaced with a pointer to the OASIS rules).
We always seem to have 4 or 5 "prospective members" on the roster
who never actually attend meetings.  I included the "observer"
versus "prospective member" information in an attempt to make it
more clear - perhaps the OASIS rules on membership are not clear
enough, or are too hard to find and read through, particularly
for someone who just wants to join the mailing list.

Anyway, I will go with Carol's edits unless TC members object.

Anne

------- start of forwarded message -------
From: "Carol Geyer" <carol.geyer@oasis-open.org>
To: <Anne.Anderson@sun.com>
Subject: RE: XACML TC FAQ
Date: Fri, 22 Aug 2003 17:10:17 -0400

Anne,
Thanks for preparing this. You've done a great job. I've made a few
edits--mainly just to apply some consistency in naming and voice. I did
cut out a few questions on the details of TC participation, since
they're posted elsewhere on the OASIS site. These are just suggestions,
so please feel free to let me know if I've changed anything you feel
strongly about. Otherwise, Sharon will create the FAQ page as soon as
she gets back from vacation on 2 Sept.

Have a great weekend,
Carol

OASIS XACML TC FAQ
1. What does the OASIS XACML Technical Committee do?
The OASIS XACML TC focuses on the development of a standard access
control policy language. "XACML" stands for "eXtensible Access Control
Markup Language". The full charter is at
http://www.oasis-open.org/committees/xacml/charter.php.

2. What is the need for such a standard?
Currently, there are many proprietary or application-specific access
control policy languages. This means policies cannot be shared across
different applications, and provides little incentive to develop good
policy composition tools. Many of the existing languages do not support
distributed policies, are not extensible, or are not expressive enough
to meet new requirements. XACML enables the use of arbitrary attributes
in policies, role-based access control, security labels, time/date-based
policies, indexable policies, "deny" policies, and dynamic policies--all
without requiring changes to the applications that use XACML. Adoption
of XACML across vendor and product platforms should provide the
opportunity for organizations to perform access and access policy audits
directly across such systems.

3. Who will benefit from XACML and how?
Every developer, user, or maintainer of applications that require secure
authorization will benefit.

4. What has the OASIS XACML TC produced to date?
In February of 2003, OASIS approved XACML Version 1.0 as an OASIS
Standard. In August of 2003, the OASIS XACML TC approved XACML Version
1.1 as an OASIS Committee Specification. The TC has not yet determined
whether this should advance to OASIS Standard (not because it is not
good enough, but because it contains only clarifications and minor
changes, and does not change the Version 1.0 schemas). Links to these
documents are available at
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.

5. How does this work compare with related efforts at other standards
organizations?
No other standard access control language written in XML currently
exists. The OASIS XACML TC is aware of several related efforts:
- The OASIS Security Services Technical Committee
<http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security>
has defined the Security Assertion Markup Language (SAML). XACML is an
outgrowth of work to support SAML's AuthorizationDecisionQuery protocol,
although XACML is not intended to be limited to use with that protocol.
There is currently a mismatch between the SAML 1.0 syntax and the XACML
1.0 Request syntax, although it is possible to reconcile them with an
XSLT. There are plans to resolve this in SAML 2.0.
- ISO 10181-3 defines an architecture for access control, but not
a language. In ISO 10181-3 terms, XACML 1.0 specifies an "Access Control
Decision Function" (ADF), and defines its interactions with an "Access
Control Enforcement Point" (AEF).
- The IETF and Distributed Management Task Force (DMTF) have
specified a framework for policies, but not a language. In IETF/DMTF
terms, XACML 1.0 defines a "Policy Decision Point" (PDP), and defines
its interactions with a "Policy Enforcement Point" (PEP).
- The Open Group has defined an Authorization (AZN) API, but not a
language for authorization policies themselves. The OASIS XACML TC does
not define an API, but is designed to work well with SAML
AuthorizationDecisionQuery and its related protocols.
- ANSI is currently in the process of standardizing a framework
and API for Role Based Access Control. The OASIS XACML TC is developing
an XACML Profile for Role Based Access Control that satisfies the
requirements of the proposed ANSI framework, although XACML does not map
easily onto the proposed API.
- The OASIS Rights Language TC
<http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=rights> is
currently discussing use cases and requirements that overlap with both
XACML and SAML.

6. What are the current activities of the OASIS XACML TC?
Pointers to current working drafts including XACML profiles for Web
services policy, XML Digital Signature, and Role Based Access Control
are posted at
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml. In
addition, the TC is working on major extensions that would go into XACML
2.0. Periodically, a list of the current work items under consideration
is posted to the OASIS XACML TC mailing list. There is not yet a
schedule for completion of these activities, but all are being actively
developed.

7. Where are the archives for the OASIS XACML TC mailing lists?
Publicly viewable archives are located at
http://lists.oasis-open.org/archives/xacml/. There is also a mailing
list of comments received, primarily during the public review period
leading up to the 1.1 standard, archived at
http://lists.oasis-open.org/archives/xacml-comment/.

8. Who should be involved in the OASIS XACML TC?
Anyone with an interest in access control, authorization, entitlement
and related policy issues, either willing to propose requirements or
contribute technically, should get involved. Existing OASIS members may
join the TC by following instructions posted at
http://www.oasis-open.org/committees/join.php. Non-members can find
information on joining the Consortium at
http://www.oasis-open.org/join/.

9. When does the OASIS XACML TC meet?
General body meetings are held by teleconference every other week.
Usually there is an informal Focus Group meeting on alternate weeks at
the same time, to delve into details on particular topics. The schedule
for meetings is located at
http://www.oasis-open.org/committees/calendar.php?wg_abbrev=xacml.

 -----Original Message-----
From: Anne Anderson [mailto:Anne.Anderson@Sun.com]
Sent: Thursday, August 21, 2003 3:26 PM
To: support@oasis-open.org
Cc: Anne.Anderson@Sun.com; Carol Geyer; XACML TC
Subject: XACML TC FAQ


OASIS XACML TC FAQ
currently under review by the XACML TC as of 21 August 2003
What is the XACML TC?
It is a Technical Committee of the OASIS standards organization focused
on development of a standard access control policy language. "XACML"
stands for "eXtensible Access Control Markup Language". The full charter
is at http://www.oasis-open.org/committees/xacml/charter.php.
What is the need for such a standard?
Currently, there are many proprietary or application-specific access
control policy languages. This means policies cannot be shared across
different applications, and provides little incentive to develop good
policy composition tools. Many of the existing languages do not support
distributed policies, are not extensible, or are not expressive enough
to meet new requirements. XACML enables use of arbitrary attributes in
policies, role based access control, security labels, time/date-based
policies, indexable policies, "deny" policies, and dynamic policies, all
without requiring changes to the applications that use XACML. Adoption
of XACML across vendor and product platforms should provide the
opportunity for organizations to perform access and access policy audits
directly across such systems.
Who will benefit from this work and how?
Every developer, user, or maintainer of applications that require secure
authorization will benefit.
What has the XACML TC produced to date?
In February of 2003, OASIS approved XACML Version 1.0 as an OASIS
Standard. In August of 2003, the XACML TC approved XACML Version 1.1 as
an OASIS Committee Specification. The TC has not yet determined whether
this should advance to OASIS Standard (not because it is not good enough
:-), but because it contains only clarifications and minor changes, and
does not change the Version 1.0 schemas).
Links to these documents are available on the XACML TC public home page
at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
How does this work compare with related efforts at other standards
organizations?
No other standard access control language written in XML currently
exists. Related efforts include:
The OASIS Security Services Technical Committee has defined the Security
Assertion Markup Language (SAML). XACML is an outgrowth of work to
support SAML's AuthorizationDecisionQuery protocol, although it is not
intended to be limited to use with that protocol. There is currently a
mismatch between the SAML 1.0 syntax and the XACML 1.0 Request syntax,
although it is possible to reconcile them with an XSLT. There are plans
to resolve this mismatch in SAML 2.0.
ISO 10181-3 defines an architecture for access control, but not a
language. In ISO 10181-3 terms, XACML 1.0 specifies an "Access Control
Decision Function" (ADF), and defines its interactions with an "Access
Control Enforcement Point" (AEF).
The IETF and Distributed Management Task Force (DMTF) have specified a
framework for policies, but not a language. In IETF/DMTF terms, XACML
1.0 defines a "Policy Decision Point" (PDP), and defines its
interactions with a "Policy Enforcement Point" (PEP).
The Open Group has defined an Authorization (AZN) API, but not a
language for authorization policies themselves. The XACML TC does not
define an API, but is designed to work well with SAML
AuthorizationDecisionQuery and its related protocols.
ANSI is currently in the process of standardizing a framework and API
for Role Based Access Control. The XACML TC is developing an XACML
Profile for Role Based Access Control that satisfies the requirements of
the proposed ANSI framework, although XACML does not map easily onto the
proposed API.
The OASIS Rights Language TC is currently discussing use cases and
requirements that overlap with both XACML and SAML. That group is
attempting to standardize ContentGuard's XrML language.
What are the current activities of the XACML TC?
There are pointers to our current working drafts on the XACML TC public
home page at
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml. These
include XACML profiles for web services policy, XML Digital Signature,
and Role Based Access Control.
In addition, the TC is working on major extensions to XACML that would
go into XACML 2.0. Periodically, a list of the current work items under
consideration is posted to the XACML TC mailing list.
There is not yet a schedule for completion of these activities, but all
are being actively developed.
Where are the archives for the XACML TC mailing lists?
The archives are located at http://lists.oasis-open.org/archives/xacml/.
These are publicly viewable.
There is also a mailing list of comments received, primarily during the
public review period leading up to the 1.1 standard. This mailing list
is archived at http://lists.oasis-open.org/archives/xacml-comment/.
Who should be involved in the XACML TC?
Anyone with an interest in access control, authorization, entitlement
and related policy issues, either willing to propose requirements or
contribute technically, should get involved.
Who can join the XACML TC?
Anyone who is an individual member of OASIS or is from a company that is
an OASIS organization member may join.
What types of XACML TC membership exist?
We have "Prospective Members", "Voting Members", and "Observer" members.
Voting members start out as "Prospective Members". See for details.
Voting members must attend 2 out of every 3 bi-weekly meetings in order
to retain their voting status. Observers can participate fully in the
XACML mailing list discussions, but cannot vote.
How do I join the XACML TC?
Send e-mail to one or both of the XACML TC Co-Chairs, requesting to
become either a "Prospective Member" or an "Observer". Please request
"Prospective Member" status only if you intend to attend bi-weekly XACML
TC meetings regularly, since non-participating members make it hard for
us to reach quorum at our meetings.
The co-chairs and their e-mail addresses are listed on the XACML TC
public home page at
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
When are the XACML TC meetings?
General Body meetings are held every other week. Usually there is an
informal Focus Group meeting on alternate weeks at the same time, used
to delve into particular topics in detail. The schedule for meetings is
located at
http://www.oasis-open.org/committees/calendar.php?wg_abbrev=xacml.
What if I want to participate in XACML e-mail discussions, but can't
attend bi-weekly meetings?
Individuals eligible to join the XACML TC may join the TC as
"observers". See "How do I join the XACML TC?".
Anyone may submit e-mail to the XACML comments mailing list at
xacml-comment@lists.oasis-open.org.

------- end of forwarded message -------

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
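The PDP/PEP split that question 5 of the FAQ describes (and the "deny" policies and arbitrary-attribute matching question 2 mentions), as an added example that is not part of this message or of the TC's work: a toy Policy Decision Point in Python that evaluates a constructed policy with the XACML 1.0 deny-overrides rule-combining algorithm, and a Policy Enforcement Point that builds the request and fails closed. The XML is a simplified, non-conformant subset of XACML 1.0 syntax (no namespaces; each <Match> is flattened to an AttributeId/Value pair with string-equal semantics); the policy, the subjects, and the attribute ids under urn:example: are hypothetical.

```python
# Added example, not from the XACML TC or this FAQ: a toy Policy Decision Point
# (PDP) and Policy Enforcement Point (PEP) in the style of XACML 1.0. The XML is a
# constructed, simplified subset of XACML 1.0 syntax (no namespaces; <Match> is
# flattened to AttributeId/Value with string-equal semantics), not conformant
# XACML, and the attribute ids under "urn:example:" are hypothetical.
import xml.etree.ElementTree as ET

DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:example:subject:role"                   # hypothetical attribute id
EMPLOYMENT = "urn:example:subject:employment-type"  # hypothetical attribute id

# Constructed policy: contractors are always denied (a "deny" rule) and doctors
# may read patient records; deny-overrides lets the first rule win.
POLICY_XML = f"""\
<Policy PolicyId="urn:example:patient-records" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Rule RuleId="deny-contractors" Effect="Deny">
    <Match AttributeId="{EMPLOYMENT}" Value="contractor"/>
  </Rule>
  <Rule RuleId="doctors-read-records" Effect="Permit">
    <Match AttributeId="{ROLE}" Value="doctor"/>
    <Match AttributeId="{RESOURCE_ID}" Value="patient-record"/>
    <Match AttributeId="{ACTION_ID}" Value="read"/>
  </Rule>
</Policy>
"""

def build_request(subject, resource_id, action_id):
    """PEP side: wrap the attributes it collected into a request document.
    `subject` maps subject attribute ids to string values."""
    req = ET.Element("Request")
    subj = ET.SubElement(req, "Subject")
    for attr_id, value in subject.items():
        ET.SubElement(subj, "Attribute", AttributeId=attr_id).text = value
    ET.SubElement(ET.SubElement(req, "Resource"), "Attribute", AttributeId=RESOURCE_ID).text = resource_id
    ET.SubElement(ET.SubElement(req, "Action"), "Attribute", AttributeId=ACTION_ID).text = action_id
    return ET.tostring(req, encoding="unicode")

def request_attributes(request_xml):
    """PDP side: flatten the request into {attribute id: set of values}."""
    attrs = {}
    for a in ET.fromstring(request_xml).iter("Attribute"):
        attrs.setdefault(a.get("AttributeId"), set()).add((a.text or "").strip())
    return attrs

def evaluate_rule(rule, attrs):
    """Return the rule's Effect if every <Match> holds, "NotApplicable" if one
    fails, or "Indeterminate" if the request lacks an attribute the rule needs."""
    for m in rule.findall("Match"):
        values = attrs.get(m.get("AttributeId"))
        if values is None:
            return "Indeterminate"
        if m.get("Value") not in values:
            return "NotApplicable"
    return rule.get("Effect")

def deny_overrides(rule_results):
    """XACML 1.0 deny-overrides rule combining: any Deny wins; an Indeterminate
    rule whose Effect is Deny makes the whole result Indeterminate (it might
    have denied); otherwise any Permit, then Indeterminate, else NotApplicable."""
    potential_deny = any_error = any_permit = False
    for effect, result in rule_results:
        if result == "Deny":
            return "Deny"
        if result == "Permit":
            any_permit = True
        elif result == "Indeterminate":
            any_error = True
            potential_deny = potential_deny or effect == "Deny"
    if potential_deny:
        return "Indeterminate"
    if any_permit:
        return "Permit"
    return "Indeterminate" if any_error else "NotApplicable"

def pdp_decide(policy_xml, request_xml):
    """The PDP: evaluate every rule against the request and combine the results."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise ValueError("this example implements only deny-overrides")
    attrs = request_attributes(request_xml)
    results = [(r.get("Effect"), evaluate_rule(r, attrs)) for r in policy.findall("Rule")]
    return deny_overrides(results)

def pep_allow(subject, resource_id, action_id):
    """The PEP: ask the PDP and fail closed, granting access only on an explicit
    Permit; NotApplicable and Indeterminate are both refused."""
    decision = pdp_decide(POLICY_XML, build_request(subject, resource_id, action_id))
    return decision == "Permit", decision

if __name__ == "__main__":
    for subject in ({SUBJECT_ID: "alice", ROLE: "doctor", EMPLOYMENT: "staff"},
                    {SUBJECT_ID: "bob", ROLE: "doctor", EMPLOYMENT: "contractor"},
                    {SUBJECT_ID: "carol", ROLE: "nurse", EMPLOYMENT: "staff"},
                    {SUBJECT_ID: "dave", ROLE: "doctor"}):  # employment-type missing
        print(subject[SUBJECT_ID], pep_allow(subject, "patient-record", "read"))
```

The point a practitioner should take from the last two cases is that a PDP returns four outcomes, not two: a request that matches no rule is NotApplicable, and a request missing an attribute the deny rule needs is Indeterminate. The PEP, not the PDP, decides what those mean, and the safe choice is to treat anything other than an explicit Permit as a refusal.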