Subject: DPM TEM XACML Slide Content
I just got approval to post the DHS slide content presented at the NSA sponsored Digital Policy Management (DPM) Technical Exchange Meeting (TEM) last Aug 21st regarding the use & assessment of XACML (see below).
DHS gave an unclassified briefing to DPM TEM on NIEM Cyber Information Sharing. The briefing outlined the "Use of XACML Standard for Policies" as follows:
· XML Access Control Mark-Up Language (XACML) is a key standard for interoperability
  § Version 3.0 expands the capabilities of XACML with new functions, new combining algorithms, and a new mechanism for user feedback (i.e., "advice")
  § 2.0 policies can be translated to 3.0 policies, but the reverse is not guaranteed (in cases where new 3.0 features are used, there is no translation)
· Limited Vendor Support
  § Most vendors do not natively support XACML; vendors that claim "XACML compliance" are typically able to communicate via the XACML request/reply messages
  § Not all vendors that claim "XACML compliance" are able to read/write XACML policies (which can seriously impact any centralized distribution of XACML policies)
  § 3.0 is relatively new, so there is no standard request/reply transport protocol (the SAML 2.0 profile for XACML 2.0 has not been updated for 3.0)
  § Conformance testing performed to-date has exposed significant shortfalls in support for the required features of the XACML policy language
  § While there are optional features of the XACML policy language that are extremely attractive (e.g., XPath attribute selectors are a perfect fit for tagged XML data), to-date support for these optional features has been found to be even more spotty than for the required features
- Richard
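The briefing's point that a 3.0 policy has no guaranteed 2.0 translation once 3.0-only features appear suggests a pre-distribution check. The script below is an added example, not part of the original post or of any DHS/NIEM tooling: it scans a policy for constructs that did not exist in XACML 2.0 (the AdviceExpressions element and any function or combining-algorithm identifier under the 3.0 URN prefix), so a policy author can see what blocks distribution to a PDP that only reads 2.0. The sample policy and the urn:example identifiers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XACML3_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XACML3_URN = "urn:oasis:names:tc:xacml:3.0:"
# Elements introduced in 3.0; advice is the mechanism the briefing calls out.
XACML3_ONLY_ELEMENTS = {"AdviceExpressions", "AdviceExpression"}
# Attributes carrying function / combining-algorithm identifiers. Category
# URNs are also 3.0-prefixed but map onto 2.0's subject/resource/action
# designators, so they are deliberately not flagged.
ID_ATTRS = ("FunctionId", "RuleCombiningAlgId", "PolicyCombiningAlgId")

# Constructed sample: a 3.0 combining algorithm, a 3.0-only string function
# and an advice block, alongside 1.0-era functions that translate fine.
SAMPLE_POLICY = f"""<Policy xmlns="{XACML3_NS}" PolicyId="p1" Version="1.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Target/>
  <Rule RuleId="r1" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cyber-</AttributeValue>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:example:tag" DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="true"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <AdviceExpressions>
    <AdviceExpression AdviceId="urn:example:advice:reason" AppliesTo="Permit"/>
  </AdviceExpressions>
</Policy>"""


def xacml3_only_features(policy_xml: str) -> list[str]:
    """Return findings, in document order, for constructs with no XACML 2.0
    equivalent. An empty list means these checks do not rule out a 2.0
    translation (they are necessary, not sufficient)."""
    findings = []
    for elem in ET.fromstring(policy_xml).iter():
        # ElementTree qualifies tags as "{namespace}localname".
        ns, _, local = elem.tag.rpartition("}")
        if ns == "{" + XACML3_NS and local in XACML3_ONLY_ELEMENTS:
            findings.append(f"element {local}")
        for attr in ID_ATTRS:
            value = elem.get(attr)
            if value and value.startswith(XACML3_URN):
                findings.append(f"{attr}={value}")
    return findings
```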