Independent Submission
Request for Comments: 7061
Category: Informational
ISSN: 2070-1721
R. Sinnema
E. Wilde
EMC Corporation
November 2013
eXtensible Access Control Markup Language (XACML) XML Media Type
Abstract
This specification registers an XML-based media type for the
eXtensible Access Control Markup Language (XACML).
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7061.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Sinnema & Wilde Informational [Page 1]
RFC 7061 XACML XML Media Type November 2013
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 2
2.1. XACML Media Type application/xacml+xml . . . . . . . . . . 2
3. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
4. Normative References . . . . . . . . . . . . . . . . . . . . . 5
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . . 6
1. Introduction
The eXtensible Access Control Markup Language (XACML) [XACML-3]
defines an architecture and a language for access control
(authorization). The language consists of requests, responses, and
policies. Clients send a request to a server to query whether a
given action should be allowed. The server evaluates the request
against the available policies and returns a response. The policies
implement the organization's access control requirements.
2. IANA Considerations
This specification details the registry of an XML-based media type
for the eXtensible Access Control Markup Language (XACML) that has
been registered with the Internet Assigned Numbers Authority (IANA)
following the "Media Type Specifications and Registration Procedures"
[RFC6838]. The XACML media type represents an XACML request,
response, or policy in the XML-based format defined by the core XACML
specification [XACML-3].
2.1. XACML Media Type application/xacml+xml
This specification details the registration of an XML-based media
type for the eXtensible Access Control Markup Language (XACML).
Media Type Name: application
Subtype Name: xacml+xml
Required Parameters: none
Optional Parameters:
charset: The charset parameter is the same as the charset
parameter of application/xml [RFC3023], including the same default
(see Section 3.2 of RFC 3023).
version: The version parameter indicates the version of the XACML
specification. It can be used for content negotiation when
dealing with clients and servers that support multiple XACML
versions. Its range is the range of published XACML versions. As
of this writing, that is 1.0 [XACML-1], 1.1 [XACML-1.1], 2.0
[XACML-2], and 3.0 [XACML-3]. These and future version
identifiers must follow the Organization for the Advancement of
Structured Information Standards (OASIS) patterns for versions
[OASIS-Version]. If this parameter is not specified by the
client, the server is free to return any version it deems fit. If
a client cannot or does not want to deal with that, it should
explicitly specify a version.
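An added example (not from this document or from any XACML implementation) of the server-side negotiation the version parameter enables: given the request's Accept header and the set of XACML versions the server can produce, pick the version to return, or report that none of the requested versions is available. The supported-version set and the default of "3.0" are assumptions.

```python
def parse_accept(accept_header):
    """Yield (media_type, params) for each media range in an Accept header.
    Parameter names are lower-cased; simple quoted values are unquoted."""
    for item in accept_header.split(","):
        parts = [p.strip() for p in item.split(";")]
        if not parts[0]:
            continue
        params = {}
        for p in parts[1:]:
            name, _, value = p.partition("=")
            params[name.strip().lower()] = value.strip().strip('"')
        yield parts[0].lower(), params


def choose_xacml_version(accept_header, supported, default="3.0"):
    """Pick the XACML version a server should emit for this request.

    If no application/xacml+xml range carries a version parameter, the
    server is free to choose, so `default` is returned. Otherwise the
    requested version with the highest q that the server supports is
    returned, or None (the caller should answer 406 Not Acceptable) when
    none of the requested versions is supported."""
    candidates = []
    for media_type, params in parse_accept(accept_header):
        if media_type != "application/xacml+xml" or "version" not in params:
            continue
        try:
            q = float(params.get("q", "1"))
        except ValueError:
            q = 0.0
        if q > 0:
            candidates.append((q, params["version"]))
    if not candidates:
        return default
    # Stable sort keeps the client's listed order among equal q values.
    for _, version in sorted(candidates, key=lambda c: -c[0]):
        if version in supported:
            return version
    return None
```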
Encoding Considerations: Same as for application/xml [RFC3023].
Security Considerations:
Per their specification, objects of type application/xacml+xml do
not contain executable content. However, these objects are XML-
based, and thus they have all of the general security
considerations presented in Section 10 of RFC 3023 [RFC3023].
XACML [XACML-3] contains information whose integrity and
authenticity are important -- identity provider and service
provider public keys and endpoint addresses, for example.
Sections 9.2.1 "Authentication" and 9.2.4 "Policy Integrity" in
XACML [XACML-3] describe requirements and considerations for such
authentication and integrity protection.
To counter potential issues, the publisher may sign objects of
type application/xacml+xml. Any such signature should be verified
-- both as a valid signature and as being the signature of the
publisher -- by the recipient of the data. The XACML v3.0 XML
Digital Signature Profile [XACML-3-DSig] describes how to use XML-
based digital signatures with XACML.
Additionally, various possible publication protocols, for example,
HTTPS, offer means for ensuring the authenticity of the publishing
party and for protecting the policy in transit.
Interoperability Considerations: Different versions of XACML use
different XML namespace URIs:
* 1.0 and 1.1 use the urn:oasis:names:tc:xacml:1.0:policy XML
namespace URI for policies and the
urn:oasis:names:tc:xacml:1.0:context XML namespace URI for
requests and responses
* 2.0 uses the urn:oasis:names:tc:xacml:2.0:policy XML namespace
URI for policies and the urn:oasis:names:tc:xacml:2.0:context
XML namespace URI for requests and responses
* 3.0 uses the urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 XML
namespace URI for policies, requests, and responses
Signed XACML has a wrapping Security Assertion Markup Language
(SAML) 2.0 assertion [SAML-2], which uses the
urn:oasis:names:tc:SAML:2.0:assertion namespace URI.
Interoperability with SAML is defined by the SAML 2.0 Profile of
XACML [XACML-3-SAML] for all versions of XACML.
Applications That Use This Media Type:
Potentially, any application implementing or using XACML, as well
as those applications implementing or using specifications based
on XACML. In particular, applications using the Representational
State Transfer (REST) Profile [XACML-REST] can benefit from this
media type.
Magic Number(s):
In general, this is the same as for application/xml [RFC3023]. In
particular, the XML document element of the returned object will
be one of xacml:Policy, xacml:PolicySet, context:Request, or
context:Response. The xacml and context namespace prefixes bind
to the respective namespace URIs for the various versions of XACML
as follows:
* 1.0 and 1.1: The xacml prefix maps to
urn:oasis:names:tc:xacml:1.0:policy; the context prefix maps to
urn:oasis:names:tc:xacml:1.0:context
* 2.0: The xacml prefix maps to
urn:oasis:names:tc:xacml:2.0:policy; the context prefix maps to
urn:oasis:names:tc:xacml:2.0:context
* 3.0: Both the xacml and context prefixes map to the namespace
URI urn:oasis:names:tc:xacml:3.0:core:schema:wd-17
For signed XACML [XACML-3-DSig], the XML document element is
saml:Assertion, where the saml prefix maps to the SAML 2.0 namespace
URI urn:oasis:names:tc:SAML:2.0:assertion [SAML-2].
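The following Python code is an added example, not part of this registration or of any XACML implementation. It applies the Magic Number(s) entry above: it reads the document element and its namespace URI, maps the pair to a document kind and XACML version, descends through the saml:Assertion wrapper of signed XACML, and derives the Content-Type value with the version parameter. The sample documents are constructed and minimal.

```python
import xml.etree.ElementTree as ET

# Namespace URIs and permitted document elements, per the registration.
# XACML 1.1 shares the 1.0 namespaces, so it is reported as "1.0" here.
NAMESPACES = {
    "urn:oasis:names:tc:xacml:1.0:policy": ("1.0", ("Policy", "PolicySet")),
    "urn:oasis:names:tc:xacml:1.0:context": ("1.0", ("Request", "Response")),
    "urn:oasis:names:tc:xacml:2.0:policy": ("2.0", ("Policy", "PolicySet")),
    "urn:oasis:names:tc:xacml:2.0:context": ("2.0", ("Request", "Response")),
    "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":
        ("3.0", ("Policy", "PolicySet", "Request", "Response")),
}
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def classify(tag):
    """Map an ElementTree tag '{ns}local' to (kind, version), or None."""
    if not tag.startswith("{"):
        return None  # unqualified element: not XACML
    ns, local = tag[1:].split("}", 1)
    entry = NAMESPACES.get(ns)
    if entry and local in entry[1]:
        return (local, entry[0])
    return None  # unknown namespace, or element not allowed in it

def sniff_xacml(data):
    """Identify an XACML document by its document element. Signed XACML
    has a saml:Assertion root, so descend to the wrapped XACML element."""
    # Production code should parse with entity-expansion limits and no
    # external entity resolution (the RFC 3023 section 10 concerns apply).
    root = ET.fromstring(data)
    if root.tag == "{%s}Assertion" % SAML_NS:
        for elem in root.iter():
            found = classify(elem.tag)
            if found:
                return ("Signed" + found[0], found[1])
        return None
    return classify(root.tag)

def media_type_for(data):
    """Content-Type value carrying the version parameter, or None."""
    found = sniff_xacml(data)
    return None if found is None else "application/xacml+xml; version=" + found[1]

# Constructed, minimal samples (not real policies or requests).
POLICY_30 = b'<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"/>'
REQUEST_20 = b'<Request xmlns="urn:oasis:names:tc:xacml:2.0:context"/>'
SIGNED = (b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
          b'<saml:Statement><Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"/>'
          b'</saml:Statement></saml:Assertion>')
```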
File Extension(s): none
Macintosh File Type Code(s): none
Person & Email Address to Contact for Further Information:
This registration is made on behalf of the OASIS eXtensible Access
Control Markup Language Technical Committee (XACMLTC). Please
refer to the XACMLTC website for current information on committee
chairperson(s) and their contact addresses:
http://www.oasis-open.org/committees/xacml/. Committee members
should submit comments and potential errors to the
xacml@lists.oasis-open.org list. Others should submit them by
filling out the web form located at http://www.oasis-open.org/
committees/comments/form.php?wg_abbrev=xacml.
Additionally, the XACML developer community email distribution
list, xacml-dev@lists.oasis-open.org, may be employed to discuss
usage of the application/xacml+xml MIME media type. The xacml-dev
mailing list is publicly archived here:
http://www.oasis-open.org/archives/xacml-dev/. To post to the
xacml-dev mailing list, one must subscribe to it. To subscribe,
visit the OASIS mailing list page at
http://www.oasis-open.org/mlmanage/.
Intended Usage: common
Author/Change Controller:
The XACML specification sets are a work product of the OASIS
eXtensible Access Control Markup Language Technical Committee
(XACMLTC). OASIS and the XACMLTC have change control over the
XACML specification sets.
3. Security Considerations
The security considerations for this specification are described in
Section 2.1 of the media type registration.
4. Normative References
[OASIS-Version]
Organization for the Advancement of Structured Information
Standards, "OASIS Naming Directives Version 1.3",
December 2012, <http://docs.oasis-open.org/specGuidelines/
ndr/namingDirectives.html#Version>.
[RFC3023] Murata, M., St. Laurent, S., and D. Kohn, "XML Media
Types", RFC 3023, January 2001.
[RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type
Specifications and Registration Procedures", BCP 13,
RFC 6838, January 2013.
[SAML-2] Organization for the Advancement of Structured Information
Standards, "Assertions and Protocols for the OASIS
Security Assertion Markup Language (SAML) V2.0",
OASIS Standard, March 2005, <http://docs.oasis-open.org/
security/saml/v2.0/saml-core-2.0-os.pdf>.
[XACML-1] Organization for the Advancement of Structured Information
Standards, "eXtensible Access Control Markup Language
(XACML) Version 1.0", OASIS Standard, February 2003,
<http://www.oasis-open.org/committees/download.php/2406/
oasis-xacml-1.0.pdf>.
[XACML-1.1]
Organization for the Advancement of Structured Information
Standards, "eXtensible Access Control Markup Language
(XACML) Version 1.1", OASIS Committee Specification,
August 2003, <http://www.oasis-open.org/committees/xacml/
repository/cs-xacml-specification-1.1.pdf>.
[XACML-2] Organization for the Advancement of Structured Information
Standards, "eXtensible Access Control Markup Language
(XACML) Version 2.0", OASIS Standard, February 2005,
<http://docs.oasis-open.org/xacml/2.0/
access_control-xacml-2.0-core-spec-os.pdf>.
[XACML-3] Organization for the Advancement of Structured Information
Standards, "eXtensible Access Control Markup Language
(XACML) Version 3.0", OASIS Standard, January 2013,
<http://docs.oasis-open.org/xacml/3.0/
xacml-3.0-core-spec-os-en.pdf>.
[XACML-3-DSig]
Organization for the Advancement of Structured Information
Standards, "XACML v3.0 XML Digital Signature Profile
Version 1.0", OASIS Committee Specification 01,
August 2010, <http://docs.oasis-open.org/xacml/3.0/
xacml-3.0-dsig-v1-spec-cs-01-en.pdf>.
[XACML-3-SAML]
Organization for the Advancement of Structured Information
Standards, "SAML 2.0 Profile of XACML, Version 2.0", OASIS
Committee Specification 01, August 2010,
<http://docs.oasis-open.org/xacml/3.0/
xacml-profile-saml2.0-v2-spec-cs-01-en.pdf>.
[XACML-REST]
Organization for the Advancement of Structured Information
Standards, "REST Profile of XACML v3.0 Version 1.0", OASIS
Committee Specification 01, April 2013,
<http://docs.oasis-open.org/xacml/xacml-rest/v1.0/
xacml-rest-v1.0.pdf>.
Appendix A. Acknowledgements
The following individuals have participated in the creation of this
specification and are gratefully acknowledged: Oscar Koeroo (Nikhef),
Erik Rissanen (Axiomatics), and Jonathan Robie (EMC).
Authors' Addresses
Remon Sinnema
EMC Corporation
EMail: remon.sinnema@emc.com
URI: http://securesoftwaredev.com/
Erik Wilde
EMC Corporation
6801 Koll Center Parkway
Pleasanton, CA 94566
USA
Phone: +1-925-600-6244
EMail: erik.wilde@emc.com
URI: http://dret.net/netdret/