Subject: [xacml] Crypto-security policy in XACML
Colleagues - Just by way of illustration, here is one way of expressing a cryptographic security policy in XACML.
It says ... you must use either 1024-bit RSA with SHA-1 or 2048-bit Diffie-Hellman and either Triple-DES or 128-bit AES and you must encrypt the contents of the patientName, patientContact and parentGuardian elements and you must not encrypt the contents of the patient-number element.
I expect you can imagine how signature requirements could be expressed.
This policy would be used by the end-point to which it applies in order to decide whether it should accept an incoming message and by the user of the end-point to help it form a message that would be acceptable to the end-point.
End-points that have a service description could associate this policy with the appropriate "wsdl:operation" element in the service description. End-points that do not have a service description could transfer the policy in a SOAP "wsse:security" header.
All the best. Tim.
<?xml version="1.0" encoding="UTF-8"?>
<Condition xmlns="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy D:\MYDATA~1\Standards\xacml\OS\cs-xacml-schema-policy-01.xsd" FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<ResourceAttributeDesignator AttributeId="wssqop:key-management-algorithm" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">
Ds#rsa-sha1
</AttributeValue>
</Apply>
<!-- greater-than-or-equal, so that the 1024-bit RSA keys the text describes are admitted -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
<ResourceAttributeDesignator AttributeId="wssqop:minimum-key-size" DataType="http://www.w3.org/2001/XMLSchema#integer"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">
1024
</AttributeValue>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<ResourceAttributeDesignator AttributeId="wssqop:key-management-algorithm" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">
xenc#dh
</AttributeValue>
</Apply>
<!-- greater-than-or-equal, so that the 2048-bit Diffie-Hellman keys the text describes are admitted -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
<ResourceAttributeDesignator AttributeId="wssqop:minimum-key-size" DataType="http://www.w3.org/2001/XMLSchema#integer"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">
2048
</AttributeValue>
</Apply>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-subset">
<ResourceAttributeDesignator AttributeId="wssqop:data-encryption-algorithm" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">
xenc#tripledes-cbc
wssqop:aes128-cbc
</AttributeValue>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-superset">
<ResourceAttributeDesignator AttributeId="wssqop:encryption-scope" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">
//record/patient/patientName/
//record/patient/patientContact/
//record/parentGuardian/
</AttributeValue>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-superset">
<ResourceAttributeDesignator AttributeId="wssqop:encryption-scope" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">
//record/patient/patient-number
</AttributeValue>
</Apply>
</Apply>
</Condition>
-----------------------------------------------------------------
Tim Moses
613.270.3183
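As an added example (not code from the post or from any XACML engine), here is a small Python evaluator that applies the Condition above to the attributes of an incoming message, the check the receiving end-point would make before accepting it. It embeds the key-management and patient-number clauses of the posted policy, spelled with XACML 1.0's "not" and "integer-greater-than-or-equal" so that exactly 1024-bit RSA and 2048-bit DH qualify as the text says; bags are plain lists, the wssqop: attribute ids and anyURI-superset follow the post's usage, and the sample message is constructed.

```python
# Added example (not the post's or any XACML engine's code): runs the Condition as the end-point would.
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:1.0:policy}"
FN = "urn:oasis:names:tc:xacml:1.0:function:"

# Constructed: the key-management and patient-number clauses of the posted Condition, with
# XACML 1.0's "not" and ">=" so that 1024-bit RSA and 2048-bit DH are actually admitted.
POLICY = ET.fromstring(f"""<Condition xmlns="urn:oasis:names:tc:xacml:1.0:policy" FunctionId="{FN}and">
 <Apply FunctionId="{FN}or">
  <Apply FunctionId="{FN}and">
   <Apply FunctionId="{FN}anyURI-equal"><ResourceAttributeDesignator AttributeId="wssqop:key-management-algorithm"/>
    <AttributeValue>Ds#rsa-sha1</AttributeValue></Apply>
   <Apply FunctionId="{FN}integer-greater-than-or-equal"><ResourceAttributeDesignator AttributeId="wssqop:minimum-key-size"/>
    <AttributeValue>1024</AttributeValue></Apply></Apply>
  <Apply FunctionId="{FN}and">
   <Apply FunctionId="{FN}anyURI-equal"><ResourceAttributeDesignator AttributeId="wssqop:key-management-algorithm"/>
    <AttributeValue>xenc#dh</AttributeValue></Apply>
   <Apply FunctionId="{FN}integer-greater-than-or-equal"><ResourceAttributeDesignator AttributeId="wssqop:minimum-key-size"/>
    <AttributeValue>2048</AttributeValue></Apply></Apply></Apply>
 <Apply FunctionId="{FN}not"><Apply FunctionId="{FN}anyURI-superset">
   <ResourceAttributeDesignator AttributeId="wssqop:encryption-scope"/>
   <AttributeValue>//record/patient/patient-number</AttributeValue></Apply></Apply>
</Condition>""")

def _bag(node, attrs):
    """Values an Apply argument contributes: attribute bag, literal list or nested result."""
    tag = node.tag.replace(NS, "")
    if tag == "ResourceAttributeDesignator":
        return attrs.get(node.get("AttributeId"), [])  # absent attribute -> empty bag
    if tag == "AttributeValue":
        return node.text.split()  # whitespace-separated values, as the post writes bags
    return [evaluate(node, attrs)]

def evaluate(apply, attrs):
    fn = apply.get("FunctionId").replace(FN, "")
    args = [_bag(c, attrs) for c in apply]
    if fn == "and": return all(a[0] for a in args)
    if fn == "or": return any(a[0] for a in args)
    if fn == "not": return not args[0][0]
    a, b = args
    if fn == "anyURI-equal": return a == b  # the message's single value must match
    if fn == "integer-greater-than-or-equal": return bool(a) and int(a[0]) >= int(b[0])
    if fn == "anyURI-subset": return set(a) <= set(b)  # only listed ciphers may be used
    if fn == "anyURI-superset": return set(a) >= set(b)  # every listed element is encrypted
    raise ValueError("unsupported function " + fn)

# Constructed sample message: 2048-bit RSA-SHA1 key transport, patient-number left in clear.
SAMPLE = {"wssqop:key-management-algorithm": ["Ds#rsa-sha1"], "wssqop:minimum-key-size": ["2048"],
          "wssqop:encryption-scope": ["//record/patient/patientName/", "//record/patient/patientContact/"]}
```

evaluate(POLICY, SAMPLE) returns True; the same message with a 512-bit key, or with //record/patient/patient-number added to its encryption scope, is rejected.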