Subject: [xacml] Crypto-security policy in XACML



Colleagues - Just by way of illustration, here is one way of expressing a cryptographic security policy in XACML.

It says ... you must use either 1024-bit RSA with SHA-1 or 2048-bit Diffie-Hellman and either Triple-DES or 128-bit AES and you must encrypt the contents of the patientName, patientContact and parentGuardian elements and you must not encrypt the contents of the patient-number element.

I expect you can imagine how signature requirements could be expressed.

This policy would be used by the end-point to which it applies in order to decide whether it should accept an incoming message and by the user of the end-point to help it form a message that would be acceptable to the end-point.

End-points that have a service description could associate this policy with the appropriate "wsdl:operation" element in the service description.  End-points that do not have a service description could transfer the policy in a SOAP "wsse:security" header.

All the best.  Tim.


<?xml version="1.0" encoding="UTF-8"?>
<!-- Top level: every clause (key management, data encryption, encryption scope) must hold. -->
<Condition xmlns="urn:oasis:names:tc:xacml:1.0:policy"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy D:\MYDATA~1\Standards\xacml\OS\cs-xacml-schema-policy-01.xsd"
           FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <!-- Key management: either 1024-bit RSA with SHA-1 or 2048-bit Diffie-Hellman, an "or" of two "and" branches. -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                                <!-- designators return bags; one-and-only yields the single value for the comparison -->
                                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
                                        <ResourceAttributeDesignator AttributeId="wssqop:key-management-algorithm" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                                </Apply>
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Ds#rsa-sha1</AttributeValue>
                        </Apply>
                        <!-- greater-than-or-equal, so a key of exactly 1024 bits is accepted -->
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
                                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                                        <ResourceAttributeDesignator AttributeId="wssqop:minimum-key-size" DataType="http://www.w3.org/2001/XMLSchema#integer"/>
                                </Apply>
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1024</AttributeValue>
                        </Apply>
                </Apply>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
                                        <ResourceAttributeDesignator AttributeId="wssqop:key-management-algorithm" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                                </Apply>
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">xenc#dh</AttributeValue>
                        </Apply>
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
                                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                                        <ResourceAttributeDesignator AttributeId="wssqop:minimum-key-size" DataType="http://www.w3.org/2001/XMLSchema#integer"/>
                                </Apply>
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2048</AttributeValue>
                        </Apply>
                </Apply>
        </Apply>
        <!-- Data encryption: every algorithm used must be Triple-DES or 128-bit AES (used set is a subset of the allowed bag). -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-subset">
                <ResourceAttributeDesignator AttributeId="wssqop:data-encryption-algorithm" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-bag">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">xenc#tripledes-cbc</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">wssqop:aes128-cbc</AttributeValue>
                </Apply>
        </Apply>
        <!-- Encryption scope must cover these three elements: the required bag is a subset of the scope. -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-subset">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-bag">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">//record/patient/patientName/</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">//record/patient/patientContact/</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">//record/parentGuardian/</AttributeValue>
                </Apply>
                <ResourceAttributeDesignator AttributeId="wssqop:encryption-scope" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
        </Apply>
        <!-- Encryption scope must not cover the patient-number element. -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-subset">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-bag">
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">//record/patient/patient-number</AttributeValue>
                        </Apply>
                        <ResourceAttributeDesignator AttributeId="wssqop:encryption-scope" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                </Apply>
        </Apply>
</Condition>
-----------------------------------------------------------------
Tim Moses
613.270.3183
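Added example, not Tim's code and not anything from the XACML TC: a small Python evaluator for the XACML 1.0 functions this kind of Condition needs, with assumed helper constructors (apply, designator, value, one, bag) that build the same policy as an element tree so an end-point can check a message's security attributes against it. The wssqop: attribute ids and the Ds#/xenc# algorithm shorthand come from the post; the {attribute-id: [values]} bag format, the one-and-only wrapping, and the Permit/Deny/Indeterminate mapping are assumptions.

```python
import xml.etree.ElementTree as ET
NS = "urn:oasis:names:tc:xacml:1.0:policy"
F = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"

def apply(fn, *kids):  # assumed helper: an <Apply FunctionId=...> element with child elements
    e = ET.Element(f"{{{NS}}}Apply", FunctionId=F + fn); e.extend(kids); return e
def designator(aid, dt):
    return ET.Element(f"{{{NS}}}ResourceAttributeDesignator", AttributeId=aid, DataType=XS + dt)
def value(dt, text):
    e = ET.Element(f"{{{NS}}}AttributeValue", DataType=XS + dt); e.text = text; return e
def one(aid, dt):  # designators yield bags; *-one-and-only unwraps the single value
    return apply(dt + "-one-and-only", designator(aid, dt))
def bag(*uris):
    return apply("anyURI-bag", *(value("anyURI", u) for u in uris))

def crypto_policy():
    """The post's Condition: RSA-SHA1/1024 or DH/2048, 3DES or AES-128 only, plus the scope rules."""
    km, ks, scope = "wssqop:key-management-algorithm", "wssqop:minimum-key-size", "wssqop:encryption-scope"
    suite = lambda alg, bits: apply("and",
        apply("anyURI-equal", one(km, "anyURI"), value("anyURI", alg)),
        apply("integer-greater-than-or-equal", one(ks, "integer"), value("integer", bits)))
    return apply("and",
        apply("or", suite("Ds#rsa-sha1", "1024"), suite("xenc#dh", "2048")),
        apply("anyURI-subset", designator("wssqop:data-encryption-algorithm", "anyURI"),
              bag("xenc#tripledes-cbc", "wssqop:aes128-cbc")),  # every algorithm used is an allowed one
        apply("anyURI-subset", bag("//record/patient/patientName/", "//record/patient/patientContact/",
                                   "//record/parentGuardian/"), designator(scope, "anyURI")),  # all required
        apply("not", apply("anyURI-subset", bag("//record/patient/patient-number"), designator(scope, "anyURI"))))

def evaluate(node, attrs):
    """Evaluate an Apply/Condition tree against {attribute-id: [values]}, the resource's attribute bags."""
    tag = node.tag.rsplit("}", 1)[-1]
    if tag == "AttributeValue":
        return int(node.text) if node.get("DataType") == XS + "integer" else node.text.strip()
    if tag == "ResourceAttributeDesignator":
        return frozenset(attrs.get(node.get("AttributeId"), ()))  # missing attribute -> empty bag
    fn, args = node.get("FunctionId")[len(F):], [evaluate(k, attrs) for k in node]
    if fn.endswith("-one-and-only"):  # bag must hold exactly one value, otherwise Indeterminate
        if len(args[0]) != 1: raise ValueError(f"{fn}: bag holds {len(args[0])} values")
        return next(iter(args[0]))
    ops = {"and": all, "or": any, "not": lambda a: not a[0], "anyURI-bag": frozenset,
           "anyURI-equal": lambda a: a[0] == a[1], "anyURI-subset": lambda a: a[0] <= a[1],
           "integer-greater-than-or-equal": lambda a: a[0] >= a[1]}
    if fn not in ops: raise ValueError("unsupported XACML function: " + fn)
    return ops[fn](args)

def decide(attrs):  # Permit / Deny / Indeterminate for one message's security attributes
    try: return "Permit" if evaluate(crypto_policy(), attrs) else "Deny"
    except ValueError: return "Indeterminate"
```

Because evaluate walks ordinary Apply / ResourceAttributeDesignator / AttributeValue elements, a Condition parsed with ET.fromstring is evaluated the same way as long as it uses only these functions.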


