The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Created: March 28, 2003.

XACML XML DSig Profile Supports Authentication of XACML Schema Instances.

The OASIS Extensible Access Control Markup Language (XACML) TC has published a draft XACML XML DSig Profile specifying the use of the W3C XML-Signature Syntax and Processing Standard in providing authentication and integrity protection for XACML schema instances -- policies, authorization decision requests, and authorization decision responses. The draft profile attempts to be consistent with the SAML profile wherever possible. A normative section of the draft profile specifies guidelines for the construction of XACML schema instances that are to be signed. These guidelines apply to XMLDSig digital signatures as well as to other digital signature formats. Another section describes the formats for an XMLDSig <Reference> element that references an XACML schema instance. The OASIS XACML TC has been chartered to "define a core schema and corresponding namespace for the expression of authorization policies in XML against objects that are themselves identified in XML."

Bibliographic Information

OASIS XACML XML DSig Profile. Technical Committee Working draft. Version 0.2. 14-March-2003. Produced by the OASIS Extensible Access Control Markup Language (XACML) TC. Edited by Anne Anderson (Sun Microsystems). 31 pages.

(Draft) OASIS XACML XML DSig Profile Introduction

Proper use of digital signatures can provide authentication and integrity protection for XACML schema instances. XACML [Version 1.0, Revision 1] Sections 9.2.1 Authentication and 9.2.4 Policy integrity describe requirements and considerations for such authentication and integrity protection.

This document provides a profile for use of the W3C XML-Signature Syntax and Processing Standard in protecting OASIS eXtensible Access Control Markup Language (XACML) schema instances. Section 2 of this document defines terms used in the remainder of the document. Section 3 provides background information on terms and concepts associated with digital signatures and with XMLDSig in particular. Section 4 specifies guidelines for the construction of XACML schema instances that are to be signed. The guidelines in Section 4 apply to XMLDSig digital signatures as well as to other digital signature formats. Section 5 describes the formats for an XMLDSig <Reference> element that references an XACML schema instance. Only Sections 4 and 5 are normative.

This profile assumes that the XACML schema instance being signed is embedded inside of or referenced from another data object that provides information about the signer, the validity period, and other information required to make a digital signature useful: such a data object will contain or be associated with the actual digital signature that covers the XACML schema instance. This profile does not define the format for such an enclosing or referencing data object. One appropriate format that has been defined elsewhere is a SAML Assertion.

This profile should be followed when designing or using protocols that will involve the transmission of XACML Policy, PolicySet, Request, and Response instances over insecure channels. Consistent use of this profile will increase the portability and interoperability of signed data object fragments, as well as ensuring that digital signatures are being used in a way that provides the intended levels of protection.

XACML Implementations

"Various developers have implemented XACML code; some of these implementations are publicly available for download..."



Document URI: http://xml.coverpages.org/ni2003-03-28-b.html
Robin Cover, Editor: robin@oasis-open.org