The OASIS Extensible Access Control Markup Language (XACML) TC has published a draft XACML XML DSig Profile specifying the use of the W3C XML-Signature Syntax and Processing Standard in providing authentication and integrity protection for XACML schema instances -- policies, authorization decision requests, and authorization decision responses. The draft profile attempts to be consistent with the SAML profile wherever possible. A normative section of the draft profile specifies guidelines for the construction of XACML schema instances that are to be signed. These guidelines apply to XMLDSig digital signatures as well as to other digital signature formats. Another section describes the formats for an XMLDSig <Reference> element that references an XACML schema instance. The OASIS XACML TC has been chartered to "define a core schema and corresponding namespace for the expression of authorization policies in XML against objects that are themselves identified in XML."
Bibliographic Information
OASIS XACML XML DSig Profile. Technical Committee Working draft. Version 0.2. 14-March-2003. Produced by the OASIS Extensible Access Control Markup Language (XACML) TC. Edited by Anne Anderson (Sun Microsystems). 31 pages.
(Draft) OASIS XACML XML DSig Profile Introduction
Proper use of digital signatures can provide authentication and integrity protection for XACML schema instances. XACML [Version 1.0, Revision 1] Sections 9.2.1 Authentication and 9.2.4 Policy integrity describe requirements and considerations for such authentication and integrity protection.
This document provides a profile for use of the W3C XML-Signature Syntax and Processing Standard in protecting OASIS eXtensible Access Control Markup Language (XACML) schema instances. Section 2 of this document defines terms used in the remainder of the document. Section 3 provides background information on terms and concepts associated with digital signatures and with XMLDSig in particular. Section 4 specifies guidelines for the construction of XACML schema instances that are to be signed. The guidelines in Section 4 apply to XMLDSig digital signatures as well as to other digital signature formats. Section 5 describes the formats for an XMLDSig <Reference> element that references an XACML schema instance. Only Sections 4 and 5 are normative.
This profile assumes that the XACML schema instance being signed is embedded inside of or referenced from another data object that provides information about the signer, the validity period, and other information required to make a digital signature useful: such a data object will contain or be associated with the actual digital signature that covers the XACML schema instance. This profile does not define the format for such an enclosing or referencing data object. One appropriate format that has been defined elsewhere is a SAML Assertion.
This profile should be followed when designing or using protocols that will involve the transmission of XACML Policy, PolicySet, Request, and Response instances over insecure channels. Consistent use of this profile will increase the portability and interoperability of signed data object fragments, as well as ensuring that digital signatures are being used in a way that provides the intended levels of protection.
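As an added illustration of the mechanics the profile builds on (example code written for this page, not the draft's normative <Reference> format and not code from OASIS or any XACML implementation): an enveloping XMLDSig-style signature in which an XACML Policy instance is carried inside a ds:Object, a ds:Reference digests it, and verification recomputes that digest so any change to the policy after signing is detected. Assumptions: the Python standard library's Canonical XML 2.0 stands in for the canonicalization an XMLDSig 1.0 implementation would apply, HMAC-SHA256 stands in for a public-key SignatureMethod, and the sample policy, key and identifiers are constructed.

```python
# Added example: stdlib Canonical XML 2.0 and HMAC-SHA256 are stand-ins (assumptions), see lead-in.
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
DS = "http://www.w3.org/2000/09/xmldsig#"
XACML = "urn:oasis:names:tc:xacml:1.0:policy"
C14N2 = "http://www.w3.org/2010/xml-c14n2"                      # Canonical XML 2.0 identifier
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
HMAC256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"  # RFC 6931 identifier
ET.register_namespace("ds", DS)        # keep prefixes stable when a subtree is re-serialized
ET.register_namespace("xacml", XACML)  # (C14N 2.0 without prefix rewriting preserves prefixes)

# Constructed sample: a minimal XACML 1.0 Policy with a single Permit rule.
POLICY = (f'<xacml:Policy xmlns:xacml="{XACML}" PolicyId="urn:example:policy:1" '
          'RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">'
          '<xacml:Target><xacml:Subjects><xacml:AnySubject/></xacml:Subjects><xacml:Resources>'
          '<xacml:AnyResource/></xacml:Resources><xacml:Actions><xacml:AnyAction/></xacml:Actions>'
          '</xacml:Target><xacml:Rule RuleId="urn:example:rule:1" Effect="Permit"/></xacml:Policy>')

def canon(xml_text):
    """Canonical octets; whitespace-only text is dropped so pretty-printing cannot break digests."""
    return ET.canonicalize(xml_text, strip_text=True).encode()

def b64_digest(xml_text):
    return base64.b64encode(hashlib.sha256(canon(xml_text)).digest()).decode()
def sign_policy(policy_xml, key, obj_id="xacml-policy"):
    """Enveloping signature: the policy sits in ds:Object and a ds:Reference points at it."""
    obj = f'<ds:Object xmlns:ds="{DS}" Id="{obj_id}">{policy_xml}</ds:Object>'
    signed_info = (f'<ds:SignedInfo xmlns:ds="{DS}"><ds:CanonicalizationMethod Algorithm="{C14N2}"/>'
                   f'<ds:SignatureMethod Algorithm="{HMAC256}"/><ds:Reference URI="#{obj_id}">'
                   f'<ds:DigestMethod Algorithm="{SHA256}"/><ds:DigestValue>{b64_digest(obj)}'
                   '</ds:DigestValue></ds:Reference></ds:SignedInfo>')
    mac = base64.b64encode(hmac.new(key, canon(signed_info), "sha256").digest()).decode()
    return (f'<ds:Signature xmlns:ds="{DS}">{signed_info}<ds:SignatureValue>{mac}'
            f'</ds:SignatureValue>{obj}</ds:Signature>')

def verify_signature(signature_xml, key):
    """Core validation: every Reference digest must match, then the MAC over SignedInfo must match."""
    root = ET.fromstring(signature_xml)
    signed_info = root.find(f"{{{DS}}}SignedInfo")
    for ref in signed_info.iter(f"{{{DS}}}Reference"):
        target = ref.get("URI", "")[1:]  # only same-document fragment references are handled here
        obj = next((o for o in root.iter(f"{{{DS}}}Object") if o.get("Id") == target), None)
        expected = ref.findtext(f"{{{DS}}}DigestValue")
        if obj is None or b64_digest(ET.tostring(obj, encoding="unicode")) != expected:
            return False  # the referenced XACML instance was altered after signing
    mac = hmac.new(key, canon(ET.tostring(signed_info, encoding="unicode")), "sha256").digest()
    return hmac.compare_digest(base64.b64decode(root.findtext(f"{{{DS}}}SignatureValue")), mac)
KEY = b"constructed-demo-key"
SIGNED = sign_policy(POLICY, KEY)
TAMPERED = SIGNED.replace('Effect="Permit"', 'Effect="Deny"')  # rule changed after signing
```

The algorithm identifiers are recorded in SignedInfo as a real signature would, but this demo applies the fixed stand-ins above rather than dispatching on them.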
XACML Implementations
"Various developers have implemented XACML code; some of these implementations are publicly available for download..."
- Jiffy Software. jiffyXACML: An access control engine designed to support the OASIS XACML standard
- Sun's XACML Implementation. See "Sun Microsystems Releases Open Source XACML Implementation for Access Control and Security."
- Working Draft of Implementor's Guide
Principal references:
- OASIS XACML XML DSig Profile. Version 0.2. 14-March-2003. [source .doc]
- OASIS eXtensible Access Control Markup Language (XACML)
- Comments: "XACML Committee members should send comments on this specification to the xacml@lists.oasis-open.org list. Others should subscribe to and send comments to the xacml-comment@lists.oasis-open.org list. To subscribe, send an email message to xacml-comment-request@lists.oasis-open.org with the word "subscribe" as the body of the message."
- Other recent news:
- OASIS Extensible Access Control Markup Language (XACML) TC website
- XACML TC mailing list archive
- W3C XML Signature Working Group
- "Security Assertion Markup Language (SAML)" - Main reference page.
- "Extensible Access Control Markup Language (XACML)" - Main reference page.
- "XML Digital Signature (Signed XML - IETF/W3C)" - Main reference page.