eXtensible Access Control Markup Language (XACML) XML Media Type
EMC Corporation
remon.sinnema@emc.com
http://securesoftwaredev.com/
EMC Corporation
6801 Koll Center Parkway
Pleasanton, CA 94566
U.S.A.
+1-925-6006244
erik.wilde@emc.com
http://dret.net/netdret/
This specification registers an XML-based media type for the eXtensible Access Control Markup Language (XACML).
This draft should be discussed on the apps-discuss mailing list.
Online access to all versions and files is available on github.
The eXtensible Access Control Markup Language (XACML) defines an architecture and a language for access control (authorization). The language consists of requests, responses, and policies. Clients send a request to a server to ask whether a given action should be allowed. The server evaluates the request against the available policies and returns a response. The policies implement the organization's access control requirements.
This specification registers an XML-based media type for the eXtensible Access Control Markup Language (XACML) that will be registered with the Internet Assigned Numbers Authority (IANA) following the "Media Type Specifications and Registration Procedures". The XACML media type represents an XACML request, response, or policy in the XML-based format defined by the core XACML specification.
This specification requests the registration of an XML-based media type for the eXtensible Access Control Markup Language (XACML).
charset: The charset parameter is the same as the charset parameter of application/xml, including the same default (see section 3.2).
version: The version parameter indicates the version of the XACML specification. It can be used for content negotiation when dealing with clients and servers that support multiple XACML versions. Its range is the range of published XACML versions. As of this writing that is: 1.0, 1.1, 2.0, and 3.0. These and future version identifiers must follow the OASIS patterns for versions. If this parameter is not specified by the client, the server is free to return any version it deems fit. If a client cannot or does not want to deal with that, it should explicitly specify a version.
Same as for application/xml.
Per their specification, application/xacml+xml typed objects do not contain executable content. However, these objects are XML-based, and thus they have all of the general security considerations presented in section 10 of RFC 3023.
XACML contains information whose integrity and authenticity are important - identity provider and service provider public keys and endpoint addresses, for example. Sections "9.2.1 Authentication" and "9.2.4 Policy Integrity" in XACML describe requirements and considerations for such authentication and integrity protection.
To counter potential issues, the publisher may sign application/xacml+xml typed objects. Any such signature should be verified by the recipient of the data - both as a valid signature, and as being the signature of the publisher. The XACML v3.0 XML Digital Signature Profile describes how to use XML-based digital signatures with XACML.
Additionally, various of the possible publication protocols, for example HTTPS, offer means for ensuring the authenticity of the publishing party and for protecting the policy in transit.
Different versions of XACML use different XML namespace URIs:
1.0 & 1.1 use the urn:oasis:names:tc:xacml:1.0:policy XML namespace URI for policies, and the urn:oasis:names:tc:xacml:1.0:context XML namespace URI for requests and responses
2.0 uses the urn:oasis:names:tc:xacml:2.0:policy XML namespace URI for policies, and the urn:oasis:names:tc:xacml:2.0:context XML namespace URI for requests and responses
3.0 uses the urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 XML namespace URI for policies, requests, and responses
Signed XACML has a wrapping SAML 2.0 assertion, which uses the urn:oasis:names:tc:SAML:2.0:assertion namespace URI. Interoperability with SAML is defined by the SAML 2.0 Profile of XACML for all versions of XACML.
Potentially any application implementing or using XACML, as well as those applications implementing or using specifications based on XACML. In particular, applications using the REST Profile can benefit from this media type.
In general, the same as for application/xml. In particular, the XML document element of the returned object will be one of xacml:Policy, xacml:PolicySet, context:Request, or context:Response. The xacml and context namespace prefixes bind to the respective namespace URIs for the various versions of XACML as follows:
1.0 & 1.1: The xacml prefix maps to urn:oasis:names:tc:xacml:1.0:policy, the context prefix maps to urn:oasis:names:tc:xacml:1.0:context
2.0: The xacml prefix maps to urn:oasis:names:tc:xacml:2.0:policy, the context prefix maps to urn:oasis:names:tc:xacml:2.0:context
3.0: Both the xacml and context prefixes map to the namespace URI urn:oasis:names:tc:xacml:3.0:core:schema:wd-17
For signed XACML, the XML document element is saml:Assertion, where the saml prefix maps to the SAML 2.0 namespace URI urn:oasis:names:tc:SAML:2.0:assertion
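The version parameter described under "Optional parameters" and the namespace table just above together let a receiver check that a message is what its Content-Type header claims it is. The following Python is an added example written for this page, not code from the draft or from the XACML Technical Committee. It parses the Content-Type header, applies the server-side rule for an absent or unsupported version parameter, identifies the document element and its namespace, and rejects a body whose namespace contradicts the declared version. The sample bodies are constructed minimal document elements (not schema-valid XACML), and the "major.minor" version regex is an assumption standing in for the OASIS Naming Directives pattern. Because 1.0 and 1.1 share namespaces, classification returns a set of candidate versions rather than a single one.

```python
import re
import xml.etree.ElementTree as ET

MEDIA_TYPE = "application/xacml+xml"
PUBLISHED_VERSIONS = ("1.0", "1.1", "2.0", "3.0")

# Namespace URIs per XACML version, as listed in the registration.
# 1.0 and 1.1 share namespaces, so a body alone cannot tell them apart.
POLICY_NS = {
    "1.0": "urn:oasis:names:tc:xacml:1.0:policy",
    "1.1": "urn:oasis:names:tc:xacml:1.0:policy",
    "2.0": "urn:oasis:names:tc:xacml:2.0:policy",
    "3.0": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17",
}
CONTEXT_NS = {
    "1.0": "urn:oasis:names:tc:xacml:1.0:context",
    "1.1": "urn:oasis:names:tc:xacml:1.0:context",
    "2.0": "urn:oasis:names:tc:xacml:2.0:context",
    "3.0": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17",
}
SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumption: a version identifier is taken to be "major.minor" digits here;
# the OASIS Naming Directives are authoritative for the real pattern.
VERSION_RE = re.compile(r"^[0-9]+\.[0-9]+$")


def is_oasis_version(value):
    """True when value is shaped like an OASIS version identifier (assumed pattern)."""
    return bool(VERSION_RE.match(value))


def parse_content_type(header):
    """Split 'type/subtype; p=v; q="v"' into (media type, {param: value})."""
    parts = [p.strip() for p in header.split(";")]
    media = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" not in part:
            raise ValueError("malformed parameter: %r" % part)
        name, value = part.split("=", 1)
        params[name.strip().lower()] = value.strip().strip('"')
    return media, params


def negotiate_version(requested, supported=PUBLISHED_VERSIONS):
    """Server side: pick the XACML version to return.

    No parameter -> the server is free to choose; this example picks the newest it supports.
    Malformed    -> ValueError (the client sent something that is not a version).
    Unsupported  -> None, so the caller can answer 406 Not Acceptable.
    """
    if requested is None:
        return max(supported, key=lambda v: tuple(int(x) for x in v.split(".")))
    if not is_oasis_version(requested):
        raise ValueError("version parameter %r is not an OASIS version" % requested)
    return requested if requested in supported else None


def classify_document(xml_bytes):
    """Return (document element local name, candidate XACML versions) for a body."""
    # RFC 3023 section 10 applies to any XML body. This example refuses any body
    # carrying a DTD outright; a production parser must also be configured never
    # to resolve external entities.
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DTD in XACML body rejected")
    root = ET.fromstring(xml_bytes)
    ns, local = root.tag[1:].split("}", 1) if root.tag.startswith("{") else ("", root.tag)
    if ns == SAML_ASSERTION_NS and local == "Assertion":
        # Signed XACML: the wrapper does not reveal the inner XACML version.
        return local, frozenset(PUBLISHED_VERSIONS)
    if local in ("Policy", "PolicySet"):
        table = POLICY_NS
    elif local in ("Request", "Response"):
        table = CONTEXT_NS
    else:
        raise ValueError("unexpected document element %r" % local)
    versions = frozenset(v for v, uri in table.items() if uri == ns)
    if not versions:
        raise ValueError("namespace %r is not a known XACML namespace" % ns)
    return local, versions


def check_message(content_type, body):
    """Verify that a received body matches its Content-Type; return the possible versions."""
    media, params = parse_content_type(content_type)
    if media != MEDIA_TYPE:
        raise ValueError("expected %s, got %s" % (MEDIA_TYPE, media))
    local, versions = classify_document(body)
    declared = params.get("version")
    if declared is None:
        return versions
    if not is_oasis_version(declared):
        raise ValueError("bad version parameter %r" % declared)
    if declared not in versions:
        raise ValueError("header says version %s but body is XACML %s %s"
                         % (declared, "/".join(sorted(versions)), local))
    return frozenset([declared])


def message_is_consistent(content_type, body):
    """Boolean convenience wrapper around check_message."""
    try:
        check_message(content_type, body)
        return True
    except ValueError:
        return False


# Constructed sample bodies (not from the specification; minimal, not schema-valid).
REQUEST_30 = b'<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"/>'
POLICY_10 = b'<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="constructed-example"/>'

if __name__ == "__main__":
    print(sorted(check_message("application/xacml+xml; version=3.0; charset=utf-8", REQUEST_30)))
    print(sorted(check_message("application/xacml+xml", POLICY_10)))
```

A client that cannot handle an arbitrary version should send the version parameter explicitly, as the registration says; on the server, `negotiate_version` shows the matching decision, and `check_message` is the receiver-side check that the namespace of the document element agrees with whatever version was declared.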
This registration is made on behalf of the OASIS eXtensible Access Control Markup Language Technical Committee (XACMLTC). Please refer to the XACMLTC website for current information on committee chairperson(s) and their contact addresses: http://www.oasis-open.org/committees/xacml/. Committee members should submit comments and potential errata to the xacml@lists.oasis-open.org list. Others should submit them by filling out the web form located at http://www.oasis-open.org/committees/comments/form.php?wg_abbrev=xacml.
Additionally, the XACML developer community email distribution list, xacml-dev@lists.oasis-open.org, may be employed to discuss usage of the application/xacml+xml MIME media type. The xacml-dev mailing list is publicly archived here: http://www.oasis-open.org/archives/xacml-dev/. To post to the xacml-dev mailing list, one must subscribe to it. To subscribe, visit the OASIS mailing list page at http://www.oasis-open.org/mlmanage/.
The XACML specification sets are a work product of the OASIS eXtensible Access Control Markup Language Technical Committee (XACMLTC). OASIS and the XACMLTC have change control over the XACML specification sets.
The security considerations for this specification are described in the security considerations of the media type registration.
Note to RFC Editor: Please remove this section before publication.
Minor changes in wording.
Incorporating feedback from Oscar Koeroo (ISE review report).
Creating a proper "IANA Considerations" section.
Creating a proper "Security Considerations" section.
Switched category from "std" to "info".
Added new introduction text.
Improved definition of version numbers and their handling.
Added new introduction text.
Changed reference from RFC 4288 to RFC 6838 (updated RFC for media type registrations).
Prior to being published as an I-D, this document was published and revised as an OASIS document with the following versions:
2012-02-29 (WD01): Initial revision with one media type.
2012-04-23 (WD02): Added JSON media type.
2012-04-24 (WD03): Fixed layout, typos, and references. Better defined the allowable range of values for the version parameter.
Security Assertion Markup Language (SAML) Version 2.0. OASIS Standard, Organization for the Advancement of Structured Information Standards.
XML Media Types. RFC 3023 (Standards Track).
Media Type Specifications and Registration Procedures. RFC 6838 (Best Current Practice).
eXtensible Access Control Markup Language (XACML) Version 1.0. OASIS Standard, Organization for the Advancement of Structured Information Standards.
eXtensible Access Control Markup Language (XACML) Version 1.1. OASIS Committee Specification, Organization for the Advancement of Structured Information Standards.
eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS Standard, Organization for the Advancement of Structured Information Standards.
eXtensible Access Control Markup Language (XACML) Version 3.0. OASIS Standard, Organization for the Advancement of Structured Information Standards.
SAML 2.0 Profile of XACML, Version 2.0. OASIS Committee Specification 01, Organization for the Advancement of Structured Information Standards.
XACML v3.0 XML Digital Signature Profile Version 1.0. OASIS Committee Specification 01, Organization for the Advancement of Structured Information Standards.
REST Profile of XACML v3.0 Version 1.0. OASIS Committee Specification Draft 01, Organization for the Advancement of Structured Information Standards.
OASIS Naming Directives 1.3. Organization for the Advancement of Structured Information Standards.
The following individuals have participated in the creation of this specification and are gratefully acknowledged: Oscar Koeroo (Nikhef), Erik Rissanen (Axiomatics), and Jonathan Robie (EMC).