OASIS Mailing List Archives

 



xacml message



Subject: Comments from the OASIS XACML Technical Committee on NIST SP 800-162


Vincent Hu
National Institute of Standards and Technology

Dear Sir:

The OASIS XACML Technical Committee voted to provide the following comments to NIST.

We suggest the following changes for the public review draft of NIST SP800-162 / ABAC:

Section 2 (ABAC):  "Unfortunately, without a formal definition and implementation guidance, the user and technology communities started implementing ABAC solutions and defining new versions of advanced access control models based upon the XACML model without a common understanding or definition of ABAC."  Replace with "Many XACML conformant solutions exist today.  All share the same basic functionality, adherence to the ABAC model defined by XACML 3.0 core (http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf), and utilize the definitions contained therein."

Sections 3.2.2.12 and 3.2.3.3:  Both of these sections seem to overlook the fact that industry and use-case-specific groupings of attributes are available today.  These address the implied gap in object metadata and attribute mapping standards.  We believe that the NIST SP 800-162 should acknowledge and recommend the use of domain specific attribute taxonomies, such as:

- XACML EC-US (http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/cs02/xacml-3.0-ec-us-v1.0-cs02.pdf)
- XACML IPC (http://docs.oasis-open.org/xacml/3.0/ipc/v1.0/cs02/xacml-3.0-ipc-v1.0-cs02-en.pdf)
- XACML XSPA (http://docs.oasis-open.org/xacml/xspa/v1.0/xacml-xspa-1.0-os.pdf)
- XACML/TCG MAP Authorization (https://www.oasis-open.org/apps/org/workgroup/xacml/download.php/49017/xacml-3_0-map-authz-v1_0-spec-wd-01-en.doc)
- GeoXACML (http://www.opengeospatial.org/standards/geoxacml)
- TSCP BAILS (http://www.tscp.org/assets/TSCP_BAILSv1.pdf)

Section 3.2.1.5:  The XACML TC believes that the "Status", associated "Status" elements, "Advice", and associated "Advice" elements within XACML 3.0 meet the requirements and perceived gap implied in this section, Processes and Procedures for Object Access and Authorization Service Failures.  For more information, see the following sections of XACML 3.0 core (http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf):

- Status, section 5.54
- Status code, section 5.55
- Status message, section 5.56
- Status detail, section 5.57
- Status codes, section B.8
- Advice, section 5.35
- Advice expressions, section 5.38
- Advice expression, section 5.40
- Associated advice, section 5.33

Section 3.2.2.1:  Replace "Implementers of ABAC should strongly consider using a comprehensive standards-based approach that enables current day interoperability and future deployment flexibility by making use of products or capabilities that are built upon widely accepted standards and that employ commonly used interoperability enablers (such as XACML) endorsed by large enterprises" with "Implementers of ABAC should strongly consider using the XACML reference architecture and policy language, as they provide a comprehensive, standards-based approach that enables current day interoperability and future deployment flexibility, by making use of products and capabilities that are built upon the widely accepted standard and that employ commonly used interoperability enablers endorsed by large enterprises."


Hal Lockhart
Bill Parducci
Co-chairs OASIS XACML TC
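
Editor's note (added example, not part of the TC's message to NIST and not code from any OASIS deliverable): the Section 3.2.1.5 comment above points at the Status and Advice elements of XACML 3.0 as the mechanism for reporting authorization service failures back to a PEP. The following Python shows what a deny-biased PEP does with those elements: it parses a constructed XACML 3.0 Response, walks the StatusCode chain, pulls MissingAttributeDetail out of StatusDetail, collects AssociatedAdvice, and grants access only on an explicit Permit. The namespace URI, element names and the four standard status code URNs are from the XACML 3.0 core specification; the two sample responses, the attribute id `urn:example:clearance` and the advice id `urn:example:advice:contact-admin` are constructed for the example.

```python
"""Deny-biased PEP handling of XACML 3.0 Status and Advice (added example)."""
import xml.etree.ElementTree as ET

# Namespace and element names from XACML 3.0 core; status codes from section B.8.
NS = {"xacml": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
STATUS_MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"
STATUS_SYNTAX_ERROR = "urn:oasis:names:tc:xacml:1.0:status:syntax-error"
STATUS_PROCESSING_ERROR = "urn:oasis:names:tc:xacml:1.0:status:processing-error"

SUBJECT_CATEGORY = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"

# Constructed sample: the PDP could not evaluate because a subject attribute was
# absent, and an AdviceExpression in the policy tells the PEP whom to contact.
RESPONSE_MISSING_ATTRIBUTE = """<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Indeterminate</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
      <StatusMessage>Required attribute not supplied</StatusMessage>
      <StatusDetail>
        <MissingAttributeDetail
          Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
          AttributeId="urn:example:clearance"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </StatusDetail>
    </Status>
    <AssociatedAdvice>
      <Advice AdviceId="urn:example:advice:contact-admin">
        <AttributeAssignment AttributeId="urn:example:advice:contact"
          DataType="http://www.w3.org/2001/XMLSchema#string">helpdesk@example.org</AttributeAssignment>
      </Advice>
    </AssociatedAdvice>
  </Result>
</Response>"""

# Constructed sample: a normal Permit with status ok.
RESPONSE_PERMIT = """<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
  </Result>
</Response>"""


def parse_result(xml_text):
    """Extract decision, status codes, missing attributes and advice from a Response."""
    root = ET.fromstring(xml_text)
    result = root.find("xacml:Result", NS)
    if result is None:
        raise ValueError("Response carries no Result element")
    decision = result.findtext("xacml:Decision", default="Indeterminate", namespaces=NS)

    codes, missing, message = [], [], None
    status = result.find("xacml:Status", NS)
    if status is not None:
        # StatusCode may nest further StatusCode children (major code, then minor codes).
        code = status.find("xacml:StatusCode", NS)
        while code is not None:
            codes.append(code.get("Value"))
            code = code.find("xacml:StatusCode", NS)
        message = status.findtext("xacml:StatusMessage", namespaces=NS)
        for detail in status.iterfind("xacml:StatusDetail/xacml:MissingAttributeDetail", NS):
            missing.append((detail.get("Category"), detail.get("AttributeId")))

    advice = []
    for adv in result.iterfind("xacml:AssociatedAdvice/xacml:Advice", NS):
        assignments = {a.get("AttributeId"): a.text
                       for a in adv.iterfind("xacml:AttributeAssignment", NS)}
        advice.append((adv.get("AdviceId"), assignments))

    return {"decision": decision, "status_codes": codes, "status_message": message,
            "missing_attributes": missing, "advice": advice}


def enforce(xml_text):
    """Fail closed: only Permit with an ok (or absent) status grants access.

    Returns (granted, parsed_result); the caller logs the status codes and
    surfaces the advice, e.g. to tell the user which attribute must be supplied.
    """
    parsed = parse_result(xml_text)
    ok_status = not parsed["status_codes"] or parsed["status_codes"][0] == STATUS_OK
    granted = parsed["decision"] == "Permit" and ok_status
    return granted, parsed


if __name__ == "__main__":
    for sample in (RESPONSE_MISSING_ATTRIBUTE, RESPONSE_PERMIT):
        granted, parsed = enforce(sample)
        print("granted" if granted else "refused", parsed["status_codes"], parsed["advice"])
```

The point of the deny-biased check is that an Indeterminate or NotApplicable result, or a Permit carrying a non-ok status, is treated as a refusal; the status code chain and the advice are what the operator procedures in Section 3.2.1.5 would consume to diagnose the failure.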

