Extensible Access Control Markup Language (XACML) Becomes an OASIS Open Standard
XACML Access Control Markup Language Ratified as OASIS Open Standard
Universal Language for Authorization Policy Enables Secure Web Services
Boston, MA, USA. February 18, 2003.
The OASIS interoperability consortium today announced that its members have approved the Extensible Access Control Markup Language (XACML) as an OASIS Open Standard, a status that signifies the highest level of ratification. XACML allows developers to express and enforce policies for information access over the Internet.
"XACML is designed to enable the interoperability of a broad range of administration and authorization products by providing a universal language for authorization policy. Its flexibility and features for supporting large scale, federated environments will literally set the standard for the next generation of authorization products," explained Hal Lockhart of BEA Systems, co-chair of the OASIS XACML Technical Committee.
"Policies applied consistently across environments and across vendor products is the cornerstone of good security," added Carlisle Adams of Entrust, co-chair of the OASIS XACML Technical Committee. "Coupled with secure mechanisms for carrying requester attributes -- such as SAML assertions, Java permissions, or WS-Security tokens -- XACML is a key component in an authorization infrastructure that can span Web services, J2SE, and other e-business environments."
The OASIS XACML specification was developed by Entrust, IBM, OpenNetwork, Quadrasis, Sterling Commerce, Sun Microsystems, and other members of the OASIS Extensible Access Control Markup Language Technical Committee.
Before becoming an OASIS Open Standard, XACML first completed an extensive public review and was approved by the OASIS XACML Technical Committee. Then, the specification demonstrated its readiness through multiple implementations, after which XACML was reviewed and approved by the OASIS membership as a whole.
"Ratification as an OASIS Open Standard means that developers can deploy XACML with confidence," said Karl Best, vice president of OASIS. "We congratulate and thank the members of the OASIS XACML Technical Committee for all their outstanding efforts in advancing XACML as the newest OASIS Open Standard."
XACML is the latest addition to the growing OASIS portfolio of security standards. It joins another recently approved OASIS Open Standard, the Security Assertion Markup Language (SAML), as well as emerging specifications advanced within OASIS such as WS-Security, Service Provisioning Markup Language (SPML), Digital Signature Services (DSS), and Public Key Infrastructure (PKI).
Industry Support for XACML
"The ratification of XACML as an OASIS Open Standard reaffirms OASIS' leadership in interoperable security standards for XML," said Edward Cobb, VP of Architecture and Standards, BEA Systems. "XACML and SAML as completed standards, and in-process work such as WS-Security, are the foundation for securing eBusiness interactions. We congratulate the OASIS XACML Technical Committee on reaching this important milestone."
"DataPower applauds the OASIS XACML Technical Committee on their efforts to address a key part of the security area for distributed systems. Their common framework should greatly help accelerate the move away from proprietary systems and towards open networks. DataPower looks forward to supporting rich access control as defined by XACML in our XML-aware network devices," said Rich Salz, chief security architect at DataPower Technology Inc.
"As a leader in delivering enhanced Internet security solutions, Entrust is very proud to have played a role in the development of the XACML 1.0 specification, and we are pleased to see the overwhelming support it has received," said Brian O'Higgins, chief technology officer at Entrust, Inc. "XACML 1.0, in conjunction with the recently approved SAML standard, will provide critical functionality for a comprehensive authorization architecture. OASIS has taken yet another significant step forward in solving the Internet security puzzle."
"Sun believes that flexible and interoperable access control standards are critical for the future of network computing and for the development of secure Web services," said Mark Bauhaus, vice president of Java Web services at Sun. "That's why we have supported and continue to support the XACML standard. Sun announced today that we are releasing our XACML implementation under an Open Source license. This will help developers build secure Web services and enterprise applications, delivering cost savings and simplification to our customers."
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, global consortium that drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. OASIS produces worldwide standards for security, Web services, XML conformance, business transactions, electronic publishing, topic maps and interoperability within and between marketplaces. Founded in 1993, OASIS has more than 2,000 participants representing over 600 organizations and individual members in 100 countries.
For more information:
Prepared by Robin Cover for The XML Cover Pages archive. See: (1) the complete news story "XACML 1.0 Specification Set Approved as an OASIS Standard"; (2) general references in "Extensible Access Control Markup Language (XACML)."