
xacml-dev message


Subject: RE: [xacml-dev] XACML and WS-Policy

XACML is designed for the traditional use of policy, i.e. to determine
if something conforms to policy or not. In the case of XACML it is to
determine if access should be allowed.

The WS-Policy family of policies, which includes Security Policy,
Reliable Messaging Policy, etc., is intended primarily for a different
purpose. They allow a Service to advertise what requirements a request
must meet to use the service. The intention is that a client can compare
what it is willing and able to do with what the Service requires and
produce messages which conform.

WS-SecurityPolicy is really not suitable as an enforceable access
control policy as it stands. For example, WS-SP can tell you that a
username token or X.509 token is required, but not what users with what
attributes will be allowed to perform specific functions.

There is work underway in the XACML TC to allow XACML policies to be
attached to WS Security Policies in order to provide finer grained
information. Anne Anderson has described this in a separate message.


> -----Original Message-----
> From: Wynn, Jackson E. [mailto:jwynn@mitre.org]
> Sent: Thursday, June 14, 2007 10:07 AM
> To: xacml-dev@lists.oasis-open.org
> Cc: Wynn, Jackson E.
> Subject: [xacml-dev] XACML and WS-Policy
> Hello,
> I'm trying to understand requirements for an integrated security
> language for web services that includes access control (XACML?), SOAP
> message security (WS-SecurityPolicy), message reliability
> (WS-ReliableMessaging), etc.
> XACML provides a generalized access control policy language. It is not
> designed specifically for web services, but it can be used in that
> context, e.g., web service URL as a resource.
> WS-SecurityPolicy and WS-ReliableMessaging are designed specifically
> for web services, being extensions of the W3C WS-Policy specification.
> The WS-Policy specification includes generic framework elements and
> alternative methodologies for attaching policies to web services.
> Because they both extend WS-Policy, it is possible to combine elements
> from WS-SecurityPolicy and WS-ReliableMessaging into a single,
> integrated web service security policy.
> Given that XACML does not extend WS-Policy, it does not appear
> to embed XACML rules governing web service access control into the
> web service security policy described above.
> Is this correct??
> If so, has the XACML TC considered the potential benefits of defining
> an XACML subset, based on WS-Policy, that can be used specifically to
> enforce web service access??
> Thanks in advance,
> Jackson Wynn
> Lead Infosec Engineer - G026
> The MITRE Corporation
> Bedford, MA
> (781) 271-3419
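The distinction drawn in the reply above (WS-SecurityPolicy can state which token a message must carry; XACML states which subjects, by attribute, may perform which action on which resource) as an added, runnable example. This is not code from the thread, the XACML TC or either specification; it assumes a cut-down XACML 2.0-style policy using only the string-equal/anyURI-equal match functions and the first-applicable rule-combining algorithm, a request context simplified to single-valued attributes, and constructed names (the role attribute id `urn:example:attr:role`, the service URL `https://svc.example/claims`, the operation `approveClaim`). The WS-SecurityPolicy fragment is likewise constructed.

```python
"""Toy contrast of XACML and WS-SecurityPolicy (constructed example, not from
the thread or either spec): a cut-down XACML 2.0-style Policy decides whether a
subject may invoke an operation on a service URL; a WS-SecurityPolicy fragment
can only say which token kind the message must carry."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
XS = "http://www.w3.org/2001/XMLSchema#"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
SUPPORTED_MATCH = {"urn:oasis:names:tc:xacml:1.0:function:string-equal",
                   "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"}

# Constructed policy: role "claims-adjuster" (attribute id is assumed) may call
# approveClaim on the claims service URL; a final target-less rule denies the rest.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="urn:example:claims-policy"
    RuleCombiningAlgId="{FIRST_APPLICABLE}">
  <Target/>
  <Rule RuleId="permit-adjusters" Effect="Permit"><Target>
    <Subjects><Subject>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="{XS}string">claims-adjuster</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:example:attr:role" DataType="{XS}string"/>
      </SubjectMatch>
    </Subject></Subjects>
    <Resources><Resource>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
        <AttributeValue DataType="{XS}anyURI">https://svc.example/claims</AttributeValue>
        <ResourceAttributeDesignator DataType="{XS}anyURI"
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
      </ResourceMatch>
    </Resource></Resources>
    <Actions><Action>
      <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="{XS}string">approveClaim</AttributeValue>
        <ActionAttributeDesignator DataType="{XS}string"
            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
      </ActionMatch>
    </Action></Actions>
  </Target></Rule>
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>"""

# Constructed WS-SecurityPolicy fragment: requires an X.509 token on the message,
# but has no vocabulary for "which users may call approveClaim".
WSSP_XML = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:InitiatorToken>
  </wsp:Policy></sp:AsymmetricBinding>
</wsp:Policy>"""


def _q(local):
    return f"{{{XACML}}}{local}"


def _match_ok(match, attrs):
    """One <...Match>: compare the literal AttributeValue with the request attribute
    named by the designator. Both supported MatchIds are plain string equality;
    a request attribute that is absent is simply a non-match in this toy."""
    match_id = match.get("MatchId")
    if match_id not in SUPPORTED_MATCH:
        raise ValueError(f"MatchId not implemented in this toy: {match_id}")
    wanted = match.find(_q("AttributeValue")).text
    designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
    return attrs.get(designator.get("AttributeId")) == wanted


def _target_matches(target, request):
    """XACML 2.0 Target semantics: the Subjects, Resources and Actions groups are
    AND-ed; alternatives inside a group are OR-ed; matches inside one alternative
    are AND-ed. A missing or empty Target matches every request."""
    if target is None:
        return True
    for cat in ("Subject", "Resource", "Action"):
        group = target.find(_q(cat + "s"))
        if group is None:
            continue
        attrs = request.get(cat.lower(), {})
        if not any(all(_match_ok(m, attrs) for m in alt.findall(_q(cat + "Match")))
                   for alt in group.findall(_q(cat))):
            return False
    return True


def evaluate(policy_xml, request):
    """Return Permit, Deny or NotApplicable. The request context is simplified to
    {"subject": {...}, "resource": {...}, "action": {...}} with single-valued
    attributes keyed by AttributeId (real XACML attributes are bags)."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != FIRST_APPLICABLE:
        raise ValueError("only first-applicable is implemented in this toy")
    if not _target_matches(policy.find(_q("Target")), request):
        return "NotApplicable"
    for rule in policy.findall(_q("Rule")):
        if _target_matches(rule.find(_q("Target")), request):
            return rule.get("Effect")
    return "NotApplicable"


def request(role, service_url, operation):
    """Build the simplified request context evaluate() expects (web service URL as
    the resource, operation name as the action)."""
    return {"subject": {"urn:example:attr:role": role},
            "resource": {"urn:oasis:names:tc:xacml:1.0:resource:resource-id": service_url},
            "action": {"urn:oasis:names:tc:xacml:1.0:action:action-id": operation}}


def required_tokens(wssp_xml):
    """Leaf sp:*Token assertions: the whole of what WS-SecurityPolicy can tell a
    client about credentials is which token kinds the message must carry."""
    root = ET.fromstring(wssp_xml)
    return sorted({el.tag.split("}")[1] for el in root.iter()
                   if el.tag.startswith("{" + SP + "}")
                   and el.tag.endswith("Token") and len(el) == 0})


if __name__ == "__main__":
    print(evaluate(POLICY_XML, request("claims-adjuster", "https://svc.example/claims", "approveClaim")))
    print(evaluate(POLICY_XML, request("clerk", "https://svc.example/claims", "approveClaim")))
    print(required_tokens(WSSP_XML))
```

Running the script prints `Permit`, `Deny` and `['X509Token']`: the XACML side answers "may this subject do this to this resource", while the WS-SecurityPolicy side only lists the token a conforming message must carry, which is why the reply above calls WS-SP unsuitable on its own as an enforceable access control policy.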
