
Subject: RE: [xacml] DPM TEM XACML Slide Content


We welcome input from all sources. However, it should be noted that this bullet:

 

  - 3.0 is relatively new, so there is no standard request/reply transport protocol (the SAML 2.0 profile for XACML 2.0 has not been updated for 3.0)

 

is not correct or is based on some misunderstanding.

 

The SAML Profile has been updated for 3.0 and is available here:

 

http://docs.oasis-open.org/xacml/3.0/xacml-profile-saml2.0-v2-spec-cs-01-en.pdf

 

It has been updated and is compatible with all versions including XACML 3.0. Further there has been interoperability testing (admittedly limited) of the request/response protocol (Chapter 4) at various public events.

 

It is currently at the level of Committee Specification, lacking only one more statement of use to move to a vote as an OASIS Standard. There are in fact a number of implementations available.

 

Also note that a JSON/REST combination format of the same request protocol has been implemented by a number of vendors, was publicly demonstrated at RSA earlier this year and is approaching standardization in the form of two distinct profiles.

 

Hal

 

From: Hill, Richard C [mailto:Richard.C.Hill@boeing.com]
Sent: Wednesday, September 11, 2013 1:18 PM
To: xacml@lists.oasis-open.org
Subject: [xacml] DPM TEM XACML Slide Content

 

I just got approval to post the DHS slide content presented at the NSA sponsored Digital Policy Management (DPM) Technical Exchange Meeting (TEM) last Aug 21st regarding the use & assessment of XACML (see below).

 

DHS gave an unclassified briefing to DPM TEM on NIEM Cyber Information Sharing. The briefing outlined the "Use of XACML Standard for Policies" as follows:

 

- XML Access Control Mark-Up Language (XACML) is key standard for interoperability
  - Version 3.0 expands the capabilities of XACML with new functions, new combining algorithms, and a new mechanism for user feedback (i.e., "advice")
  - 2.0 policies can be translated to 3.0 policies, but the reverse is not guaranteed (in cases where new 3.0 features are used, there is no translation)

 

- Limited Vendor Support
  - Most vendors do not natively support XACML; vendors that claim "XACML compliance" are typically able to communicate via the XACML request/reply messages
  - Not all vendors that claim "XACML compliance" are able to read/write XACML policies (which can seriously impact any centralized distribution of XACML policies)
  - 3.0 is relatively new, so there is no standard request/reply transport protocol (the SAML 2.0 profile for XACML 2.0 has not been updated for 3.0)
  - Conformance testing performed to-date has exposed significant shortfalls in support for the required features of the XACML policy language
  - While there are optional features of the XACML policy language that are extremely attractive (e.g., XPath attribute selectors are a perfect fit for tagged XML data), to-date support for these optional features has been found to be even more spotty than for the required features

 

- Richard
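The two messages above turn on two things a practitioner would want to see concretely: the XACML 3.0 request/response exchange that Hal says is carried by the SAML profile and by the JSON/REST profiles, and the 3.0 additions Richard's slides mention (new combining algorithms and "advice"). The following is an added example written for this archive page; it is not code from either author, from DHS, or from OASIS. It is a minimal in-memory policy decision point in Python that accepts a request in the JSON shape the JSON Profile of XACML 3.0 later standardized (Request with per-category Attribute arrays; Response with Decision, Status and AssociatedAdvice), and evaluates it with the 3.0 rule-combining algorithms deny-unless-permit and permit-unless-deny alongside deny-overrides. The policy is held in a simplified dictionary form rather than XACML XML, and the classification attribute id, advice ids and sample subjects are hypothetical values constructed for the example.

```python
"""Minimal XACML 3.0-style PDP over a JSON-profile request/response (added example)."""
import json

STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"

# XACML 3.0 rule-combining algorithm identifiers. deny-unless-permit and
# permit-unless-deny are 3.0 additions; deny-overrides also existed in 2.0.
DENY_UNLESS_PERMIT = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
PERMIT_UNLESS_DENY = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"

# Hypothetical attribute id used only by this example (not a standard XACML id).
CLASSIFICATION = "urn:example:resource:classification"

# Constructed policy in a simplified in-memory form (not XACML XML). A rule's Target
# maps a request category to attribute-id/value pairs that must all be present.
POLICY = {
    "PolicyId": "urn:example:policy:share-reports",
    "RuleCombiningAlgId": DENY_OVERRIDES,
    "Rule": [
        {"RuleId": "deny-secret", "Effect": "Deny",
         "Target": {"Resource": {CLASSIFICATION: "secret"}},
         "AdviceExpressions": [{"AdviceId": "urn:example:advice:contact-owner", "AppliesTo": "Deny",
                                "Text": "Resource is marked secret; request access from the owner"}]},
        {"RuleId": "analyst-read", "Effect": "Permit",
         "Target": {"AccessSubject": {ROLE: "analyst"}, "Action": {ACTION_ID: "read"}},
         "AdviceExpressions": [{"AdviceId": "urn:example:advice:audit", "AppliesTo": "Permit",
                                "Text": "Log this read for the weekly audit"}]},
    ],
}


def attribute_values(request, category, attribute_id):
    """Collect every Value for attribute_id in one named category of a JSON-profile Request.
    Named categories (AccessSubject, Resource, Action, ...) are arrays of category objects,
    each holding an Attribute array; Value may be a scalar or a list."""
    values = []
    for cat in request.get("Request", {}).get(category, []):
        for attr in cat.get("Attribute", []):
            if attr.get("AttributeId") == attribute_id:
                v = attr.get("Value")
                values.extend(v if isinstance(v, list) else [v])
    return values


def rule_applies(rule, request):
    """A rule's Target matches when every listed attribute carries the required value."""
    return all(expected in attribute_values(request, category, attr_id)
               for category, attrs in rule["Target"].items()
               for attr_id, expected in attrs.items())


def combine(alg_id, effects):
    """Combine the Effects of the applicable rules under the named combining algorithm."""
    if alg_id == DENY_UNLESS_PERMIT:          # never yields NotApplicable
        return "Permit" if "Permit" in effects else "Deny"
    if alg_id == PERMIT_UNLESS_DENY:          # never yields NotApplicable
        return "Deny" if "Deny" in effects else "Permit"
    if alg_id == DENY_OVERRIDES:
        if "Deny" in effects:
            return "Deny"
        return "Permit" if "Permit" in effects else "NotApplicable"
    raise ValueError(f"unsupported combining algorithm {alg_id}")


def evaluate(policy, request):
    """Evaluate a JSON-profile Request against the policy and build a JSON-profile Response."""
    applicable = [r for r in policy["Rule"] if rule_applies(r, request)]
    decision = combine(policy["RuleCombiningAlgId"], [r["Effect"] for r in applicable])
    # 3.0 advice is returned only from applicable rules whose Effect equals the final
    # decision and whose AppliesTo matches it; unlike obligations, a PEP may ignore it.
    advice = [
        {"Id": a["AdviceId"],
         "AttributeAssignment": [{"AttributeId": "urn:example:advice:text",
                                  "Value": a["Text"], "DataType": STRING}]}
        for r in applicable if r["Effect"] == decision
        for a in r.get("AdviceExpressions", []) if a["AppliesTo"] == decision
    ]
    result = {"Decision": decision, "Status": {"StatusCode": {"Value": STATUS_OK}}}
    if advice:
        result["AssociatedAdvice"] = advice
    return {"Response": [result]}


def make_request(subject, role, resource, classification, action):
    """Build a JSON-profile Request for one subject acting on one resource (constructed input)."""
    def cat(*pairs):
        return [{"Attribute": [{"AttributeId": i, "Value": v, "DataType": STRING} for i, v in pairs]}]
    return {"Request": {
        "AccessSubject": cat((SUBJECT_ID, subject), (ROLE, role)),
        "Resource": cat((RESOURCE_ID, resource), (CLASSIFICATION, classification)),
        "Action": cat((ACTION_ID, action)),
    }}


if __name__ == "__main__":
    for req in (make_request("alice", "analyst", "report-42", "internal", "read"),
                make_request("alice", "analyst", "report-99", "secret", "read")):
        print(json.dumps(evaluate(POLICY, req)["Response"][0], indent=2))
```

Switching the policy's RuleCombiningAlgId from deny-overrides to deny-unless-permit changes what a non-matching request produces: deny-overrides returns NotApplicable when no rule applies, which a PEP must still treat as a denial, whereas deny-unless-permit collapses that case to an explicit Deny, which is the reason the 3.0 algorithms exist. Note also that this is the decision logic only; the SAML and JSON/REST profiles discussed above define how the Request and Response objects are carried between PEP and PDP, not how they are evaluated.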


