Network Working Group                                         R. Sinnema
Internet-Draft                                                  E. Wilde
Intended status: Standards Track                         EMC Corporation
Expires: September 27, 2013                               March 26, 2013

       eXtensible Access Control Markup Language (XACML) Media Type
                   draft-sinnema-xacml-media-type-02

Abstract

   This specification registers an XML-based media type for the
   eXtensible Access Control Markup Language (XACML).

Note to Readers

   This draft should be discussed on the apps-discuss mailing list [1].

   Online access to all versions and files is available on github [2].

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 27, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  XACML Media Type
   3.  XACML Media Type application/xacml+xml
     3.1.   Media Type Name
     3.2.   Subtype Name
     3.3.   Required Parameters
     3.4.   Optional Parameters
     3.5.   Encoding Considerations
     3.6.   Security Considerations
     3.7.   Interoperability Considerations
     3.8.   Applications which use this media type
     3.9.   Magic number(s)
     3.10.  File extension(s)
     3.11.  Macintosh File Type Code(s)
     3.12.  Person & email address to contact for further information
     3.13.  Intended Usage
     3.14.  Author/Change Controller
   4.  Change Log
     4.1.  From -01 to -02
     4.2.  From -00 to -01
     4.3.  Versions prior to I-D -00
   5.  Normative References
   Appendix A.  Acknowledgements
   Authors' Addresses

1.  Introduction

   The eXtensible Access Control Markup Language (XACML) [XACML-3]
   defines an architecture and a language for access control
   (authorization).  The language consists of requests, responses, and
   policies.  Clients send a request to a server to query whether a
   given action should be allowed.  The server evaluates the request
   against the available policies and returns a response.  The policies
   implement the organization's access control requirements.

2.  XACML Media Type

   This specification registers an XML-based media type for the
   eXtensible Access Control Markup Language (XACML) that will be
   registered with the Internet Assigned Numbers Authority (IANA)
   following the "Media Type Specifications and Registration Procedures"
   [RFC6838].  The XACML media type represents an XACML request,
   response, or policy in the XML-based format defined by the core XACML
   specification [XACML-3].

3.  XACML Media Type application/xacml+xml

   This specification requests the registration of an XML-based media
   type for the eXtensible Access Control Markup Language (XACML).

3.1.  Media Type Name

   application

3.2.  Subtype Name

   xacml+xml

3.3.  Required Parameters

   none

3.4.  Optional Parameters

   charset:  The charset parameter is the same as the charset parameter
      of application/xml [RFC3023].

   version:  The version parameter indicates the version of the XACML
      specification.  It can be used for content negotiation when
      dealing with clients and servers that support multiple XACML
      versions.  Its range is the range of published XACML versions.
      As of this writing that is: 1.0 [XACML-1], 1.1 [XACML-1.1], 2.0
      [XACML-2], and 3.0 [XACML-3].  These and future version
      identifiers consist of a series of non-negative decimal numbers
      with no leading zeros separated by dots, where the first decimal
      must be positive.  If this parameter is not specified by the
      client, the server is free to return any version it deems fit.
      If a client cannot or does not want to deal with that, it should
      explicitly specify a version.

3.5.  Encoding Considerations

   Same as for application/xml [RFC3023].

3.6.  Security Considerations

   Per their specification, application/xacml+xml typed objects do not
   contain executable content.  However, these objects are XML-based,
   and thus they have all of the general security considerations
   presented in section 10 of RFC 3023 [RFC3023].

   XACML [XACML-3] contains information whose integrity and authenticity
   are important - identity provider and service provider public keys
   and endpoint addresses, for example.  Sections 9.2.1 Authentication
   and 9.2.4 Policy integrity in XACML [XACML-3] describe requirements
   and considerations for such authentication and integrity protection.

   To counter potential issues, the publisher may sign application/
   xacml+xml typed objects.  Any such signature should be verified by
   the recipient of the data - both as a valid signature, and as being
   the signature of the publisher.  The XACML v3.0 XML Digital Signature
   Profile [XACML-3-DSig] describes how to use XML-based digital
   signatures with XACML.

   Additionally, various possible publication protocols, for example
   HTTPS, offer means for ensuring the authenticity of the publishing
   party and for protecting the policy in transit.

   For a more detailed discussion of XACML policy and its security
   considerations, please see XACML 3.0 [XACML-3] and the associated XML
   Digital Signature Profile [XACML-3-DSig].
3.7.  Interoperability Considerations

   Different versions of XACML use different XML namespace URIs:

   o  1.0 & 1.1 use the urn:oasis:names:tc:xacml:1.0:policy XML
      namespace URI for policies, and the
      urn:oasis:names:tc:xacml:1.0:context XML namespace URI for
      requests and responses

   o  2.0 uses the urn:oasis:names:tc:xacml:2.0:policy XML namespace URI
      for policies, and the urn:oasis:names:tc:xacml:2.0:context XML
      namespace URI for requests and responses

   o  3.0 uses the urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 XML
      namespace URI for policies, requests, and responses

   Signed XACML has a wrapping SAML 2.0 assertion [SAML-2], which uses
   the urn:oasis:names:tc:SAML:2.0:assertion namespace URI.
   Interoperability with SAML is defined by the SAML 2.0 Profile of
   XACML [XACML-3-SAML] for all versions of XACML.

3.8.  Applications which use this media type

   Potentially any application implementing or using XACML, as well as
   those applications implementing or using specifications based on
   XACML.

3.9.  Magic number(s)

   In general, the same as for application/xml [RFC3023].  In
   particular, the XML document element of the returned object will be
   one of xacml:Policy, xacml:PolicySet, context:Request, or
   context:Response.  The xacml and context prefixes differ for the
   various versions of XACML as follows:

   o  1.0 & 1.1: The xacml prefix maps to
      urn:oasis:names:tc:xacml:1.0:policy, the context prefix maps to
      urn:oasis:names:tc:xacml:1.0:context

   o  2.0: The xacml prefix maps to urn:oasis:names:tc:xacml:2.0:policy,
      the context prefix maps to urn:oasis:names:tc:xacml:2.0:context

   o  3.0: Both the xacml and context prefixes map to the namespace URI
      urn:oasis:names:tc:xacml:3.0:core:schema:wd-17

   For signed XACML [XACML-3-DSig], the XML document element is
   saml:Assertion, where the saml prefix maps to the SAML 2.0 namespace
   URI urn:oasis:names:tc:SAML:2.0:assertion [SAML-2].

3.10.  File extension(s)

   none

3.11.  Macintosh File Type Code(s)

   none

3.12.  Person & email address to contact for further information

   This registration is made on behalf of the OASIS eXtensible Access
   Control Markup Language Technical Committee (XACMLTC).  Please refer
   to the XACMLTC website for current information on committee
   chairperson(s) and their contact addresses:
   http://www.oasis-open.org/committees/xacml/.  Committee members
   should submit comments and potential errata to the
   xacml@lists.oasis-open.org list.  Others should submit them by
   filling out the web form located at http://www.oasis-open.org/
   committees/comments/form.php?wg_abbrev=xacml.

   Additionally, the XACML developer community email distribution list,
   xacml-dev@lists.oasis-open.org, may be employed to discuss usage of
   the application/xacml+xml MIME media type.  The xacml-dev mailing
   list is publicly archived here:
   http://www.oasis-open.org/archives/xacml-dev/.  To post to the xacml-
   dev mailing list, one must subscribe to it.  To subscribe, visit the
   OASIS mailing list page at http://www.oasis-open.org/mlmanage/.

3.13.  Intended Usage

   Common
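   The following Python is an added example, not part of this draft or
   of any OASIS deliverable.  It shows how a recipient of an
   application/xacml+xml object can enforce the version grammar of
   Section 3.4, recover the XACML version from the document element's
   namespace as tabulated in Sections 3.7 and 3.9 (including the
   saml:Assertion wrapper of signed XACML), and reject an object whose
   version parameter disagrees with its body.  The XML fragments used in
   the tests are constructed; xml.etree is used for brevity where the
   RFC 3023 considerations cited in Section 3.6 call for a hardened
   parser.

```python
import re
import xml.etree.ElementTree as ET  # production code: use a hardened parser (e.g. defusedxml)

# Section 3.4 grammar: dot-separated non-negative decimals, no leading zeros, first positive.
VERSION_RE = re.compile(r"^[1-9][0-9]*(\.(0|[1-9][0-9]*))*$")

# Namespace URIs from sections 3.7 and 3.9, mapped to the versions that use them.
NAMESPACE_VERSIONS = {
    "urn:oasis:names:tc:xacml:1.0:policy": ("1.0", "1.1"),
    "urn:oasis:names:tc:xacml:1.0:context": ("1.0", "1.1"),
    "urn:oasis:names:tc:xacml:2.0:policy": ("2.0",),
    "urn:oasis:names:tc:xacml:2.0:context": ("2.0",),
    "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17": ("3.0",),
}
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROOT_ELEMENTS = {"Policy", "PolicySet", "Request", "Response"}

def parse_content_type(header):
    # 'application/xacml+xml; version=3.0; charset=utf-8' -> (type, {param: value})
    media_type, *params = [p.strip() for p in header.split(";")]
    parsed = {}
    for p in params:
        name, _, value = p.partition("=")
        parsed[name.strip().lower()] = value.strip().strip('"')
    if "version" in parsed and not VERSION_RE.match(parsed["version"]):
        raise ValueError("malformed version parameter: %r" % parsed["version"])
    return media_type.lower(), parsed

def split_tag(tag):
    # ElementTree spells a namespaced element name as '{ns}local'
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def sniff_versions(xml_bytes):
    # Versions consistent with the document element (the section 3.9 "magic
    # number"); for signed XACML, look inside the wrapping saml:Assertion.
    root = ET.fromstring(xml_bytes)
    elements = root.iter() if split_tag(root.tag) == (SAML_NS, "Assertion") else [root]
    for el in elements:
        ns, local = split_tag(el.tag)
        if ns in NAMESPACE_VERSIONS and local in ROOT_ELEMENTS:
            return NAMESPACE_VERSIONS[ns]
    raise ValueError("no XACML document element found")

def check_consistency(header, xml_bytes):
    # True when the type is application/xacml+xml and any version parameter
    # agrees with the body's namespace, so a mislabelled object is rejected.
    media_type, params = parse_content_type(header)
    if media_type != "application/xacml+xml":
        return False
    return params.get("version") in (None,) + sniff_versions(xml_bytes)
```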
3.14.  Author/Change Controller

   The XACML specification sets are a work product of the OASIS
   eXtensible Access Control Markup Language Technical Committee
   (XACMLTC).  OASIS and the XACMLTC have change control over the XACML
   specification sets.

4.  Change Log

   Note to RFC Editor: Please remove this section before publication.

4.1.  From -01 to -02

   o  Added new introduction text.

   o  Improved definition of version numbers and their handling.

4.2.  From -00 to -01

   o  Added new introduction text.

   o  Changed reference from RFC 4288 to RFC 6838 (updated RFC for media
      type registrations).

4.3.  Versions prior to I-D -00

   Prior to being published as an I-D document, this document was
   published and revised as an OASIS document with the following
   versions:

   o  2012-02-29 (WD01): Initial revision with one media type.

   o  2012-04-23 (WD02): Added JSON media type.

   o  2012-04-24 (WD03): Fixed layout, typos, and references.  Better
      defined the allowable range of values for the version parameter.

5.  Normative References

   [RFC3023]  Murata, M., St. Laurent, S., and D. Kohn, "XML Media
              Types", RFC 3023, January 2001.

   [RFC6838]  Freed, N., Klensin, J., and T. Hansen, "Media Type
              Specifications and Registration Procedures", BCP 13,
              RFC 6838, January 2013.

   [SAML-2]   Organization for the Advancement of Structured Information
              Standards, "Security Assertion Markup Language (SAML)
              Version 2.0. OASIS Standard", March 2005.

   [XACML-1]  Organization for the Advancement of Structured Information
              Standards, "eXtensible Access Control Markup Language
              (XACML) Version 1.0. OASIS Standard", February 2003.

   [XACML-1.1]
              Organization for the Advancement of Structured Information
              Standards, "eXtensible Access Control Markup Language
              (XACML) Version 1.1. OASIS Committee Specification",
              August 2003.

   [XACML-2]  Organization for the Advancement of Structured Information
              Standards, "eXtensible Access Control Markup Language
              (XACML) Version 2.0. OASIS Standard", February 2005.

   [XACML-3]  Organization for the Advancement of Structured Information
              Standards, "eXtensible Access Control Markup Language
              (XACML) Version 3.0. OASIS Committee Specification 01",
              August 2010.

   [XACML-3-DSig]
              Organization for the Advancement of Structured Information
              Standards, "XACML v3.0 XML Digital Signature Profile
              Version 1.0. OASIS Committee Specification 01",
              August 2010.

   [XACML-3-SAML]
              Organization for the Advancement of Structured Information
              Standards, "SAML 2.0 Profile of XACML, Version 2.0. OASIS
              Committee Specification 01", August 2010.

   [1]

   [2]

Appendix A.  Acknowledgements

   The following individuals have participated in the creation of this
   specification and are gratefully acknowledged: Erik Rissanen
   (Axiomatics) and Jonathan Robie (EMC).

Authors' Addresses

   Remon Sinnema
   EMC Corporation

   Email: remon.sinnema@emc.com
   URI:   http://securesoftwaredev.com/

   Erik Wilde
   EMC Corporation
   6801 Koll Center Parkway
   Pleasanton, CA 94566
   U.S.A.

   Phone: +1-925-6006244
   Email: erik.wilde@emc.com
   URI:   http://dret.net/netdret/