OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: XACML and WS-Policy

I'm trying to understand requirements for an integrated security policy
language for web services that includes access control (XACML?), SOAP
message security (WS-SecurityPolicy), message reliability
(WS-ReliableMessaging), etc.
XACML provides a generalized access control policy language. It is not
designed is specifically for web services, but it can be used in that
context, e.g., web service URL as a resource. 
WS-SecurityPolicy and WS-ReliableMessaging are designed specifically
for web services, being extensions of the W3C WS-Policy specification.
The WS-Policy specification includes generic framework elements and
alternative methodologies for attaching policies to web services.
Because they both extend WS-Policy, it is possible to combine elements
from WS-SecurityPolicy and WS-ReliableMessaging into a single,
integrated web service security policy.
Given that XACML does not extend WS-Policy, it does not appear possible
to embed XACML rules governing web service access control into the same
web service security policy describe above. 
Is this correct??
If so, has the XACML TC considered the potential benefits of defining a
XACML subset, based on WS-Policy, that can be used specifically to
enforce web service access??
Thanks in advance,
Jackson Wynn
Lead Infosec Engineer - G026
The MITRE Corporation
Bedford, MA 
(781) 271-3419

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]