RSA 2014 OASIS Demo Proposal

This is in response to the OASIS call for RSA 2014 Interop commitments in which John Tolbert and I would like to propose the following:

As many of you know OASIS is working on an agreement with the Trusted Computing Group (TCG) organization’s Trusted Network Connect (TNC) to collaborate on a couple of OASIS XACML profiles for network access control. We hope to have one or both XACML profiles in working draft state this year for:

1.) Metadata Access Points (MAP), which automatically aggregates, correlates, and distributes data to and from IF-MAP enabled systems on the network regarding the state of devices and their users. The MAP Authorization profile can be used to show how XACML attributes, policies and PDPs can be used to control what operations MAP clients can execute upon the content of a MAP Server.

2.) The TNC architecture contains elements called “flow controllers”, such as firewalls. For example, if a firewall encounters an unknown IP address it could make a policy decision based on information from a MAP server pertaining to the device at that IP and the person using it. An XACML profile for flow controllers can specify how XACML attributes, policies and PDPs can be used to make these types of network flow decisions.

TNC hopes to have their MAP Content Authorization spec public soon to coincide with the XACML MAP Authorization profile and companies such as Juniper and Infobox may have network products implementing the TNC spec ready (at least for demo purposes) before the end of the year. If everything on both the TCG TNC and OASIS side’s line up, we think this would make a great RSA 2014 OASIS XACML – TNC IF-MAP interop demonstration for next year.

At this point it is still too early to make solid commitments, but I think it’s a good possibility.

- Richard Hill

xacml message