Internet DRAFT - draft-sinnema-xacml-media-type
draft-sinnema-xacml-media-type
Network Working Group R. Sinnema
Internet-Draft E. Wilde
Intended status: Informational EMC Corporation
Expires: March 16, 2014 September 12, 2013
eXtensible Access Control Markup Language (XACML) XML Media Type
draft-sinnema-xacml-media-type-06
Abstract
This specification registers an XML-based media type for the
eXtensible Access Control Markup Language (XACML).
Note to Readers
This draft should be discussed on the apps-discuss mailing list [1].
Online access to all versions and files is available on github [2].
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 16, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Sinnema & Wilde Expires March 16, 2014 [Page 1]
�
Internet-Draft XACML XML Media Type September 2013
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 3
2.1. XACML Media Type application/xacml+xml . . . . . . . . . . 3
3. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
4. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. From -05 to -06 . . . . . . . . . . . . . . . . . . . . . . 6
4.2. From -04 to -05 . . . . . . . . . . . . . . . . . . . . . . 7
4.3. From -03 to -04 . . . . . . . . . . . . . . . . . . . . . . 7
4.4. From -02 to -03 . . . . . . . . . . . . . . . . . . . . . . 7
4.5. From -01 to -02 . . . . . . . . . . . . . . . . . . . . . . 7
4.6. From -00 to -01 . . . . . . . . . . . . . . . . . . . . . . 7
4.7. Versions prior to I-D -00 . . . . . . . . . . . . . . . . . 7
5. Normative References . . . . . . . . . . . . . . . . . . . . . 7
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9
Sinnema & Wilde Expires March 16, 2014 [Page 2]
�
Internet-Draft XACML XML Media Type September 2013
1. Introduction
The eXtensible Access Control Markup Language (XACML) [XACML-3]
defines an architecture and a language for access control
(authorization). The language consists of requests, responses, and
policies. Clients sends a request to a server to query whether a
given action should be allowed. The server evaluates the request
against the available policies and returns a reponse. The policies
implement the organization's access control requirements.
2. IANA Considerations
This specification registers an XML-based media type for the
eXtensible Access Control Markup Language (XACML) that will be
registered with the Internet Assigned Numbers Authority (IANA)
following the "Media Type Specifications and Registration Procedures"
[RFC6838]. The XACML media type represents an XACML request,
response, or policy in the XML-based format defined by the core XACML
specification [XACML-3].
2.1. XACML Media Type application/xacml+xml
This specification requests the registration of an XML-based media
type for the eXtensible Access Control Markup Language (XACML).
2.1.1. Media Type Name
application
2.1.2. Subtype Name
xacml+xml
2.1.3. Required Parameters
none
2.1.4. Optional Parameters
charset: The charset parameter is the same as the charset parameter
of application/xml [RFC3023], including the same default (see section
3.2).
version: The version parameter indicates the version of the XACML
specification. It can be used for content negotiation when dealing
with clients and servers that support multiple XACML versions. Its
range is the range of published XACML versions. As of this writing
Sinnema & Wilde Expires March 16, 2014 [Page 3]
�
Internet-Draft XACML XML Media Type September 2013
that is: 1.0 [XACML-1], 1.1 [XACML-1.1], 2.0 [XACML-2], and 3.0
[XACML-3]. These and future version identifiers must follow the
OASIS patterns for versions [OASIS-Version]. If this parameter is
not specified by the client, the server is free to return any version
it deems fit. If a client cannot or does not want to deal with that,
it should explicitly specify a version.
2.1.5. Encoding Considerations
Same as for application/xml [RFC3023].
2.1.6. Security Considerations
Per their specification, application/xacml+xml typed objects do not
contain executable content. However, these objects are XML-based,
and thus they have all of the general security considerations
presented in section 10 of RFC 3023 [RFC3023].
XACML [XACML-3] contains information whose integrity and authenticity
is important - identity provider and service provider public keys and
endpoint addresses, for example. Sections "9.2.1 Authentication" and
"9.2.4 Policy Integrity" in XACML [XACML-3] describe requirements and
considerations for such authentication and integrity protection.
To counter potential issues, the publisher may sign application/
xacml+xml typed objects. Any such signature should be verified by
the recipient of the data - both as a valid signature, and as being
the signature of the publisher. The XACML v3.0 XML Digital Signature
Profile [XACML-3-DSig] describes how to use XML-based digital
signatures with XACML.
Additionally, various of the possible publication protocols, for
example HTTPS, offer means for ensuring the authenticity of the
publishing party and for protecting the policy in transit.
2.1.7. Interoperability Considerations
Different versions of XACML use different XML namespace URIS:
o 1.0 & 1.1 use the urn:oasis:names:tc:xacml:1.0:policy XML
namespace URI for policies, and the
urn:oasis:names:tc:xacml:1.0:context XML namespace URI for
requests and responses
o 2.0 uses the urn:oasis:names:tc:xacml:2.0:policy XML namespace URI
for policies, and the urn:oasis:names:tc:xacml:2.0:context XML
namespace URI for requests and responses
Sinnema & Wilde Expires March 16, 2014 [Page 4]
�
Internet-Draft XACML XML Media Type September 2013
o 3.0 uses the urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 XML
namespace URI for policies, requests, and responses
Signed XACML has a wrapping SAML 2.0 assertion [SAML-2], which uses
the urn:oasis:names:tc:SAML:2.0:assertion namespace URI.
Interoperability with SAML is defined by the SAML 2.0 Profile of
XACML [XACML-3-SAML] for all versions of XACML.
2.1.8. Applications which use this media type
Potentially any application implementing or using XACML, as well as
those applications implementing or using specifications based on
XACML. In particular, applications using the REST Profile
[XACML-REST] can benefit from this media type.
2.1.9. Magic number(s)
In general, the same as for application/xml [RFC3023]. In
particular, the XML document element of the returned object will be
one of xacml:Policy, xacml:PolicySet, context:Request, or context:
Response. The xacml and context namespace prefixes bind to the
respective namespaces URIs for the various versions of XACML as
follows:
o 1.0 & 1.1: The xacml prefix maps to
urn:oasis:names:tc:xacml:1.0:policy, the context prefix maps to
urn:oasis:names:tc:xacml:1.0:context
o 2.0: The xacml prefix maps to urn:oasis:names:tc:xacml:2.0:policy,
the context prefix maps to urn:oasis:names:tc:xacml:2.0:context
o 3.0: Both the xacml and context prefixes map to the namespace URI
urn:oasis:names:tc:xacml:3.0:core:schema:wd-17
For signed XACML [XACML-3-DSig], the XML document element is saml:
Assertion, where the saml prefix maps to the SAML 2.0 namespace URI
urn:oasis:names:tc:SAML:2.0:assertion [SAML-2]
2.1.10. File extension(s)
none
2.1.11. Macintosh File Type Code(s)
none
Sinnema & Wilde Expires March 16, 2014 [Page 5]
�
Internet-Draft XACML XML Media Type September 2013
2.1.12. Person & email address to contact for further information
This registration is made on behalf of the OASIS eXtensible Access
Control Markup Language Technical Committee (XACMLTC). Please refer
to the XACMLTC website for current information on committee
chairperson(s) and their contact addresses:
http://www.oasis-open.org/committees/xacml/. Committee members
should submit comments and potential errata to the
xacml@lists.oasis-open.org list. Others should submit them by
filling out the web form located at http://www.oasis-open.org/
committees/comments/form.php?wg_abbrev=xacml.
Additionally, the XACML developer community email distribution list,
xacml-dev@lists.oasis-open.org, may be employed to discuss usage of
the application/xacml+xml MIME media type. The xacml-dev mailing
list is publicly archived here:
http://www.oasis-open.org/archives/xacml-dev/. To post to the xacml-
dev mailing list, one must subscribe to it. To subscribe, visit the
OASIS mailing list page at http://www.oasis-open.org/mlmanage/.
2.1.13. Intended Usage
Common
2.1.14. Author/Change Controller
The XACML specification sets are a work product of the OASIS
eXtensible Access Control Markup Language Technical Committee
(XACMLTC). OASIS and the XACMLTC have change control over the XACML
specification sets.
3. Security Considerations
The security considerations for this specifications are described in
Section 2.1.6 of the media type registration.
4. Change Log
Note to RFC Editor: Please remove this section before publication.
4.1. From -05 to -06
o Minor changes in wording.
Sinnema & Wilde Expires March 16, 2014 [Page 6]
�
Internet-Draft XACML XML Media Type September 2013
4.2. From -04 to -05
o Incorporating feedback from Oscar Koeroo (ISE review report).
4.3. From -03 to -04
o Creating a proper "IANA Considerations" section.
o Creating a proper "Security Considerations" section.
4.4. From -02 to -03
o Switched category from "std" to "info".
4.5. From -01 to -02
o Added new introduction text.
o Improved definition of version numbers and their handling.
4.6. From -00 to -01
o Added new introduction text.
o Changed reference from RFC 4288 to RFC 6838 (updated RFC for media
type registrations).
4.7. Versions prior to I-D -00
Prior to being published as a I-D document, this document was
published and revised as an OASIS document with the following
versions:
o 2012-02-29 (WD01): Initial revision with one media type.
o 2012-04-23 (WD02): Added JSON media type.
o 2012-04-24 (WD03): Fixed layout, typos, and references. Better
defined the allowable range of values for the version parameter.
5. Normative References
[OASIS-Version]
Organization for the Advancement of Structured Information
Standards, "OASIS Naming Directives 1.3", December 2012, <
http://docs.oasis-open.org/specGuidelines/ndr/
namingDirectives.html#Version>.
Sinnema & Wilde Expires March 16, 2014 [Page 7]
�
Internet-Draft XACML XML Media Type September 2013
[RFC3023] Murata, M., St. Laurent, S., and D. Kohn, "XML Media
Types", RFC 3023, January 2001.
[RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type
Specifications and Registration Procedures", BCP 13,
RFC 6838, January 2013.
[SAML-2] Organization for the Advancement of Structured Information
Standards, "Security Assertion Markup Language (SAML)
Version 2.0. OASIS Standard", March 2005, <http://
docs.oasis-open.org/security/saml/v2.0/
saml-core-2.0-os.pdf>.
[XACML-1] Organization for the Advancement of Structured Information
Standards, "eXtensible Access Control Markup Language
(XACML) Version 1.0. OASIS Standard", February 2003, <http
://www.oasis-open.org/committees/download.php/2406/
oasis-xacml-1.0.pdf>.
[XACML-1.1]
Organization for the Advancement of Structured Information
Standards, "eXtensible Access Control Markup Language
(XACML) Version 1.1. OASIS Committee Specification",
August 2003, <http://www.oasis-open.org/committees/xacml/
repository/cs-xacml-specification-1.1.pdf>.
[XACML-2] Organization for the Advancement of Structured Information
Standards, "eXtensible Access Control Markup Language
(XACML) Version 2.0. OASIS Standard", February 2005, <http
://docs.oasis-open.org/xacml/2.0/
access_control-xacml-2.0-core-spec-os.pdf>.
[XACML-3] Organization for the Advancement of Structured Information
Standards, "eXtensible Access Control Markup Language
(XACML) Version 3.0. OASIS Standard", January 2013, <http:
//docs.oasis-open.org/xacml/3.0/
xacml-3.0-core-spec-os-en.pdf>.
[XACML-3-DSig]
Organization for the Advancement of Structured Information
Standards, "XACML v3.0 XML Digital Signature Profile
Version 1.0. OASIS Committee Specification 01",
August 2010, <http://docs.oasis-open.org/xacml/3.0/
xacml-3.0-dsig-v1-spec-cs-01-en.pdf>.
[XACML-3-SAML]
Organization for the Advancement of Structured Information
Standards, "SAML 2.0 Profile of XACML, Version 2.0. OASIS
Sinnema & Wilde Expires March 16, 2014 [Page 8]
�
Internet-Draft XACML XML Media Type September 2013
Committee Specification 01", August 2010, <http://
docs.oasis-open.org/xacml/3.0/
xacml-profile-saml2.0-v2-spec-cs-01-en.pdf>.
[XACML-REST]
Organization for the Advancement of Structured Information
Standards, "REST Profile of XACML v3.0 Version 1.0. OASIS
Committee Specification Draft 01", November 2012, <http://
docs.oasis-open.org/xacml/xacml-rest/v1.0/
xacml-rest-v1.0.pdf>.
[1] <https://www.ietf.org/mailman/listinfo/apps-discuss>
[2] <https://github.com/dret/I-D/tree/master/xacml-media-type>
Appendix A. Acknowledgements
The following individuals have participated in the creation of this
specification and are gratefully acknowledged: Oscar Koeroo (Nikhef),
Erik Rissanen (Axiomatics), and Jonathan Robie (EMC).
Authors' Addresses
Remon Sinnema
EMC Corporation
Email: remon.sinnema@emc.com
URI: http://securesoftwaredev.com/
Erik Wilde
EMC Corporation
6801 Koll Center Parkway
Pleasanton, CA 94566
U.S.A.
Phone: +1-925-6006244
Email: erik.wilde@emc.com
URI: http://dret.net/netdret/
Sinnema & Wilde Expires March 16, 2014 [Page 9]
�
