OASIS Mailing List Archives

 



xacml message



Subject: RE: [xacml] Draft response to NIST 800-162


These look good to me. Here are links for:

 

GeoXACML http://www.opengeospatial.org/standards/geoxacml

 

TSCP BAILS http://www.tscp.org/assets/TSCP_BAILSv1.pdf

 

Can’t we also cite TCG IF-MAP? We could reference either the new draft Profile or some document at TCG.

 

Hal

 

 

From: Tolbert, John W [mailto:john.w.tolbert@boeing.com]
Sent: Wednesday, May 29, 2013 1:43 PM
To: xacml@lists.oasis-open.org
Subject: [xacml] Draft response to NIST 800-162

 

The OASIS XACML Technical Committee suggests the following changes for the public review draft of NIST SP800-162 / ABAC:

 

Section 2 (ABAC):  “Unfortunately, without a formal definition and implementation guidance, the user and technology communities started implementing ABAC solutions and defining new versions of advanced access control models based upon the XACML model without a common understanding or definition of ABAC.”  Replace with “Many XACML conformant solutions exist today.  All share the same basic functionality, adherence to the ABAC model defined by XACML 3.0 core (http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf), and utilize the definitions contained therein.”

 

Sections 3.2.2.12 and 3.2.3.3:  Both of these sections seem to overlook the fact that industry and use-case-specific groupings of attributes are available today.  These address the implied gap in object metadata and attribute mapping standards.  We believe that the NIST SP 800-162 should acknowledge and recommend the use of domain specific attribute taxonomies, such as:

 

·        XACML EC-US (http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/cs02/xacml-3.0-ec-us-v1.0-cs02.pdf)

·        XACML IPC  (http://docs.oasis-open.org/xacml/3.0/ipc/v1.0/cs02/xacml-3.0-ipc-v1.0-cs02-en.pdf)

·        XACML XSPA  (http://docs.oasis-open.org/xacml/xspa/v1.0/xacml-xspa-1.0-os.pdf)

·        GeoXACML

·        TSCP BAILS

 

Section 3.2.1.5:  The XACML TC believes that the “Status”, associated “Status” elements, “Advice”, and associated “Advice” elements within XACML 3.0 meet the requirements and perceived gap implied in this section, Processes and Procedures for Object Access and Authorization Service Failures. For more information, see the following sections of XACML 3.0 core (http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf):

 

·        Status, section 5.54

·        Status code, section 5.55

·        Status message, section 5.56

·        Status detail, section 5.57

·        Status codes, section B.8

·        Advice, section 5.35

·        Advice expressions, section 5.38

·        Advice expression, section 5.40

·        Associated advice, section 5.33

 

Section 3.2.2.1:  Replace “Implementers of ABAC should strongly consider using a comprehensive standards-based approach that enables current day interoperability and future deployment flexibility by making use of products or capabilities that are built upon widely accepted standards and that employ commonly used interoperability enablers (such as XACML) endorsed by large enterprises” with “Implementers of ABAC should strongly consider using the XACML reference architecture and policy language, as they provide a comprehensive, standards-based approach that enables current day interoperability and future deployment flexibility, by making use of products and capabilities that are built upon the widely accepted standard and that employ commonly used interoperability enablers endorsed by large enterprises.”

 


