Subject: Re: [xacml] Groups - Changes Since XACML 1.0(xacml_1.x_2.0_diffs_draft.doc) uploaded


More comments.  This is what Bill gets for following our advice and
creating an early draft of the changes at our insistence "because it is
relatively stable now" :-)  Hah, hah.  He should know better by now.

But thanks anyway, Bill.  This is a good starting point.

1. Digital Signature: since this was written, we pretty much stripped
the DSig Profile down to be a pointer to SAML's use of DSig, although we
did include some specific information about making XACML document
instances canonical enough for signing.  So I recommend rewording as
follows:

This Profile describes the use of the W3C XML-Signature Syntax and
Processing Standard to provide authentication and integrity protection
for XACML schema instances. Rather than introduce new elements or
features to XACML, this Profile recommends use of the OASIS Security
Assertion Markup Language and its use of XML Digital Signatures.  In
addition, this profile provides guidance on the canonicalization of
XACML schema instances.

2. As mentioned before, remove the LDAP profile section, as there is no
standard LDAP profile.

3. Privacy and RBAC: in both of these, XACML does not exactly
"introduce" the various new terms, since those are picked up from other
standards or regulations.  Perhaps: describes the use of XACML in the
context of the "custodian" and "owner" concepts (for privacy), and
...describes the use of XACML with the concepts of junior role,
multi-role permissions, RBAC, role, and senior role (for RBAC).

4. SAML Integration: "XACMLAuthorizationDecisionQuery" and
"XACMLAuthorizationDecisionStatement" were changed to
"XACMLAuthzDecisionQuery" and "XACMLAuthzDecisionStatement" to fit SAML
conventions.

5. I would include <VariableDefinition> along with <VariableReference>,
since they go together.

6. Functions: there is no "url-subtree-match" function.

7. Datatypes: there is no "xpath-expression" datatype.

Anne

bill@parducci.net wrote:
> This document slipped through the cracks when we were wrapping up XACML
> 2.0.  Bill sent me a copy, which I have entered into the repository.  I
> will post a link to it on our TC web page.  I hope we can all review it and
> have a vote on it at an upcoming TC meeting.
> 
>  -- Mr. Bill Parducci*
> 
> The document named Changes Since XACML 1.0 (xacml_1.x_2.0_diffs_draft.doc)
> has been submitted by Mr. Bill Parducci* to the OASIS eXtensible Access
> Control Markup Language (XACML) TC document repository.
> 
> Document Description:
> This document summarizes the changes made in XACML since XACML 1.0 that
> appear in the XACML 2.0 specification.
> 
> View Document Details:
> http://www.oasis-open.org/apps/org/workgroup/xacml/document.php?document_id=12821
> 
> Download Document:  
> http://www.oasis-open.org/apps/org/workgroup/xacml/download.php/12821/xacml_1.x_2.0_diffs_draft.doc
> 
> 
> PLEASE NOTE:  If the above links do not work for you, your email application
> may be breaking the link into two pieces.  You may be able to copy and paste
> the entire link address into the address field of your web browser.
> 
> -OASIS Open Administration

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
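Item 5 above says `<VariableDefinition>` and `<VariableReference>` belong together. As an added illustration (not from this message or from the TC's draft document), this XACML 2.0 policy defines one boolean variable and reuses it from two Rules; the PolicyId and the role attribute id are assumed for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the TC draft: one VariableDefinition is shared
     by two Rules via VariableReference, so the test is written once. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:policy:variable-demo"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>

  <!-- Defined once: true when the subject's role bag contains "employee".
       The role AttributeId is assumed for this example. -->
  <VariableDefinition VariableId="subject-is-employee">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">employee</AttributeValue>
      <SubjectAttributeDesignator
          AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </Apply>
  </VariableDefinition>

  <!-- Rule 1: employees may "read". The Condition is only a reference to the variable. -->
  <Rule RuleId="permit-employee-read" Effect="Permit">
    <Target>
      <Actions><Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action></Actions>
    </Target>
    <Condition>
      <VariableReference VariableId="subject-is-employee"/>
    </Condition>
  </Rule>

  <!-- Rule 2: non-employees are denied, reusing the same variable under not(). -->
  <Rule RuleId="deny-non-employee" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
        <VariableReference VariableId="subject-is-employee"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

A VariableReference without a matching VariableDefinition in the same Policy is invalid, which is why listing one element without the other in the changes document would be misleading.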
