OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-comment] 60-day Public Review for REST Profile of XACML 3.0 - Conformance issues

Hemalie Narine

On Feb 9, 2018 6:34 PM, "Em Un" <knickers4u79@gmail.com> wrote:

Hemalie Narine

On Dec 18, 2017 7:36 PM, "Steven Legg" <steven.legg@viewds.com> wrote:

Hi Cyril,

On 19/12/2017 7:15 AM, DANGERVILLE Cyril wrote:

I would like some clarification from XACML TC on 2 issues I have with conformance clause *4.2.2 (Entry Point) of REST Profile*, to check whether our implementation could be considered compliant or not.

Here is my take on the entry point functionality:

The TC has decided to go with approach 1, which basically means you can do what
you like. That is answer enough, but read on if you would like a pedantic answer
to your questions.

Let’s say we provide a multi-tenant REST API where each tenant has a specific “single entry point” for its RESTful XACML system:

For tenant X, it would be:


For tenant Y, it would be:



My *first issue* is with the assertion */urn:oasis:names:tc:xacml:3.0:profile:rest:assertion:home:documentation/* which seems to say there should be a single entry point for the XACML system across the whole web server, whereas here there is one per tenant (or domain).

Have I got that wrong? Or *is this kind of multi-tenant API still compliant somehow?*

It says "system" not "web server", without being specific, so it is entirely up to
you what constitutes a system. Just regard X and Y as separate systems.

Now regarding my next issue, when one makes a GET request on https://az.example.com/domains/X , one would get a status code 200 with the following response payload (some content omitted):

<domain xmlns:atom="http://www.w3.org/2005/Atom">

   <atom:link rel="item" href="" title="Domain properties"/>

   <atom:link rel="item" href="" title="Policy Administration Point"/>


*   rel="http://docs.oasis-open.org/ns/xacml/relation/pdp"*

*   href="" title="Policy Decision Point"/>*


My *issue* then is with the last sentence of *2.2.1 Entry Point* which says:

/The XACML entry point representation that is returned SHOULD NOT contain anything other than links to other resources specified in this profile/.

(Side note: I would be interested to know why there should not be any other resource link btw.)

I don't know a reason. It seems unnecessary. In any case it is a SHOULD NOT, and
with no obvious reason for abiding by it any sensible reason to ignore it is good


However, the assertion */urn:oasis:names:tc:xacml:3.0:profile:rest:assertion:home:pdp /*does not mention that requirement again but simply says:

/                The XACML entry point representation SHOULD contain *a link *to the PDP./


In my case I have a link to some “/pap” resource besides the link to the “/pdp” (and some other things); so all in all, *would this be considered compliant in TC’s opinion?*

Thanks for any light on this.

Kind regards,



*Cyril Dangerville*

Security Engineer, CISSP

Thales Services


*From:*Chet Ensign [mailto:chet.ensign@oasis-open.org]
*Sent:* mardi 7 novembre 2017 21:12
*To:* tc-announce@lists.oasis-open.org <mailto:tc-announce@lists.oasis-open.org>; members@lists.oasis-open.org <mailto:members@lists.oasis-open.org>; xacml@lists.oasis-open.org <mailto:xacml@lists.oasis-open.org>; xacml-comment@lists.oasis-open.org <mailto:xacml-comment@lists.oasis-open.org>; idtrust-ms@lists.oasis-open.org <mailto:idtrust-ms@lists.oasis-open.org>
*Subject:* [xacml-comment] 60-day Public Review for REST Profile of XACML 3.0 and JSON Profile of XACML 3.0 COS01 - ends January 6th

OASIS Members and other interested parties,

Members of the OASIS eXtensible Access Control Markup Language (XACML) TC [1] have recently approved Special Majority Ballots [2] to advance REST Profile of XACML 3.0 Version 1.0 and JSON Profile of XACML 3.0 Version 1.0 as Candidate OASIS Standards (COSs). These COSs now enter a 60-day public review period in preparation for the member call for consent for OASIS Standards.

The REST Profile specification defines a profile for the use of XACML in a RESTful architecture. The TC received 4 Statements of Use from Oracle, EMC, Axiomatics, and NextLabs [3].

The JSON profile proposes a standardized interface between a policy enforcement point and a policy decision point using JSON, leveraging the decision request and response structure specified in the core XACML standard. The TC received 3 Statements of Use from ViewDS Identity Solutions, Axiomatics AB, and NextLabs [4].

The Candidate OASIS Standards are available at:

- REST Profile of XACML v3.0 Version 1.0

Candidate OASIS Standard 01

12 October 2017

Editable source (Authoritative):






- JSON Profile of XACML 3.0 Version 1.0

Candidate OASIS Standard 01

12 October 2017

Editable source (Authoritative):






ZIP distribution file (complete):

For your convenience, OASIS also provides ZIP files of each of the COS. You can obtain the ZIP files at:

REST Profile of XACML 3.0:


JSON Profile of XACML 3.0:


Public Review Period:

This 60-day public review starts 08 November 2017 at 00:00 UTC and ends 06 January 2017 at 23:59 UTC.

This is an open invitation to comment. OASIS solicits feedback from potential users, developers and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.

Additional information about the specification and the XACML TC may be found at the TC's public home page:


Comments may be submitted to the TC by any person through the use of the OASIS TC Comment Facility as explained in the instructions located via the button labeled "Send A Comment" at the top of the TC public home page, or directly at:


Comments submitted by TC non-members for this work and for other work of this TC are publicly archived and can be viewed at:


All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations at least as the obligations of the TC members. In connection with these public reviews of “REST Profile of XACML 3.0 V1.0" and "JSON Profile of XACML 3.0 V1.0,” we call your attention to the OASIS IPR Policy [5] applicable especially [6] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member's patent, copyright, trademark and license rights that read on an approved OASIS specification.

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC's work.


[1] OASIS eXtensible Access Control Markup Language (XACML) TC


[2] Approval ballots:



[3] Statements of Use for REST Profile of XACML 3.0

Oracle: https://lists.oasis-open.org/archives/xacml/201304/msg00009.html

EMC Corp: https://lists.oasis-open.org/archives/xacml/201304/msg00010.html

Axiomatics: https://lists.oasis-open.org/archives/xacml/201305/msg00023.html

NextLabs: https://lists.oasis-open.org/archives/xacml/201708/msg00013.html

[4] Statements of Use for JSON Profile of XACML 3.0

ViewDS Identity Solutions: https://lists.oasis-open.org/archives/xacml/201707/msg00011.html

Axiomatics AB: https://lists.oasis-open.org/archives/xacml/201707/msg00014.html

NextLabs: https://lists.oasis-open.org/archives/xacml/201708/msg00013.html

[5] http://www.oasis-open.org/policies-guidelines/ipr

[6] http://www.oasis-open.org/committees/xacml/ipr.php


RF on Limited Terms Mode


Chet Ensign
Director of Standards Development and TC Administration
OASIS: Advancing open standards for the information society

Primary: +1 973-996-2298
Mobile: +1 201-341-1393

This publicly archived list offers a means to provide input to the
OASIS eXtensible Access Control Markup Language (XACML) TC.

In order to verify user consent to the Feedback License terms and
to minimize spam in the list archive, subscription is required
before posting.

Subscribe: xacml-comment-subscribe@lists.oasis-open.org
Unsubscribe: xacml-comment-unsubscribe@lists.oasis-open.org
List help: xacml-comment-help@lists.oasis-open.org
List archive: http://lists.oasis-open.org/archives/xacml-comment/
Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Committee: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
Join OASIS: http://www.oasis-open.org/join/

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]