Network Working Group                                         R. Sinnema
Internet-Draft                                                  E. Wilde
Intended status: Informational                           EMC Corporation
Expires: March 16, 2014                               September 12, 2013


     eXtensible Access Control Markup Language (XACML) XML Media Type
                    draft-sinnema-xacml-media-type-06

Abstract

   This specification registers an XML-based media type for the
   eXtensible Access Control Markup Language (XACML).

Note to Readers

   This draft should be discussed on the apps-discuss mailing list [1].
   Online access to all versions and files is available on github [2].

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 16, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  IANA Considerations
     2.1.  XACML Media Type application/xacml+xml
   3.  Security Considerations
   4.  Change Log
     4.1.  From -05 to -06
     4.2.  From -04 to -05
     4.3.  From -03 to -04
     4.4.  From -02 to -03
     4.5.  From -01 to -02
     4.6.  From -00 to -01
     4.7.  Versions prior to I-D -00
   5.  Normative References
   Appendix A.  Acknowledgements
   Authors' Addresses

1.  Introduction

   The eXtensible Access Control Markup Language (XACML) [XACML-3]
   defines an architecture and a language for access control
   (authorization).  The language consists of requests, responses, and
   policies.  A client sends a request to a server to ask whether a
   given action should be allowed.  The server evaluates the request
   against the available policies and returns a response.  The policies
   implement the organization's access control requirements.

2.  IANA Considerations

   This specification defines an XML-based media type for the
   eXtensible Access Control Markup Language (XACML) that will be
   registered with the Internet Assigned Numbers Authority (IANA)
   following the "Media Type Specifications and Registration Procedures"
   [RFC6838].  The XACML media type represents an XACML request,
   response, or policy in the XML-based format defined by the core XACML
   specification [XACML-3].

2.1.  XACML Media Type application/xacml+xml

   This specification requests the registration of an XML-based media
   type for the eXtensible Access Control Markup Language (XACML).

2.1.1.  Media Type Name

   application

2.1.2.  Subtype Name

   xacml+xml

2.1.3.  Required Parameters

   none

2.1.4.  Optional Parameters

   charset: The charset parameter is the same as the charset parameter
   of application/xml [RFC3023], including the same default (see
   Section 3.2 of [RFC3023]).

   version: The version parameter indicates the version of the XACML
   specification.  It can be used for content negotiation when dealing
   with clients and servers that support multiple XACML versions.  Its
   range is the range of published XACML versions.  As of this writing
   that is: 1.0 [XACML-1], 1.1 [XACML-1.1], 2.0 [XACML-2], and 3.0
   [XACML-3].  These and future version identifiers must follow the
   OASIS patterns for versions [OASIS-Version].  If this parameter is
   not specified by the client, the server is free to return any version
   it deems fit.  A client that cannot or does not want to deal with an
   arbitrary version should explicitly specify one.

2.1.5.  Encoding Considerations

   Same as for application/xml [RFC3023].

2.1.6.  Security Considerations

   Per their specification, application/xacml+xml typed objects do not
   contain executable content.  However, these objects are XML-based,
   and thus they have all of the general security considerations
   presented in Section 10 of RFC 3023 [RFC3023].

   XACML [XACML-3] contains information whose integrity and authenticity
   are important, for example identity provider and service provider
   public keys and endpoint addresses.  Sections "9.2.1 Authentication"
   and "9.2.4 Policy Integrity" in XACML [XACML-3] describe requirements
   and considerations for such authentication and integrity protection.

   To counter potential issues, the publisher may sign application/
   xacml+xml typed objects.  Any such signature should be verified by
   the recipient of the data, both as a valid signature and as being
   the signature of the publisher.  The XACML v3.0 XML Digital Signature
   Profile [XACML-3-DSig] describes how to use XML-based digital
   signatures with XACML.
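   The following Python program is an added example; it is not code
   from this draft or from the OASIS XACML TC.  It shows the checks a
   recipient of an application/xacml+xml object can perform from the
   information in Sections 2.1.4, 2.1.6, 2.1.7 and 2.1.9 of this
   registration: parse the Content-Type header, refuse any DOCTYPE
   (one concrete mitigation for the RFC 3023 Section 10 concerns, since
   no XACML object needs a DTD and without one there are neither
   external entities nor entity-expansion bombs), identify the document
   element and its namespace, and reject an object whose version
   parameter contradicts the document.  It also shows the server side of
   the version parameter: choosing which XACML version to return from an
   Accept header.  All function names are this example's own, the sample
   documents are constructed, the version pattern is a simplified
   stand-in for the OASIS one, and Accept q-values are ignored.
   Signature verification per [XACML-3-DSig] needs an XML Signature
   library and is not shown; the DOCTYPE check is no substitute for it.

```python
import re
import xml.etree.ElementTree as ET

# Namespace URIs as listed in sections 2.1.7 and 2.1.9 of the draft.
POLICY_NS = {
    "urn:oasis:names:tc:xacml:1.0:policy": "1.0/1.1",
    "urn:oasis:names:tc:xacml:2.0:policy": "2.0",
    "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17": "3.0",
}
CONTEXT_NS = {
    "urn:oasis:names:tc:xacml:1.0:context": "1.0/1.1",
    "urn:oasis:names:tc:xacml:2.0:context": "2.0",
    "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17": "3.0",
}
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_TYPE = "application/xacml+xml"

# Assumption: a version identifier is dotted decimals such as "3.0".
# The authoritative pattern is the one in [OASIS-Version].
VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


class XacmlMediaTypeError(ValueError):
    """The object does not match what application/xacml+xml promises."""


def parse_media_type(header):
    """Split 'type/subtype; p=v; q="w"' into ('type/subtype', {p: v}).

    Parameter names are lower-cased; values keep their case but lose
    surrounding quotes.
    """
    parts = [p.strip() for p in header.split(";")]
    params = {}
    for part in parts[1:]:
        name, _, value = part.partition("=")
        if name:
            params[name.strip().lower()] = value.strip().strip('"')
    return parts[0].lower(), params


def sniff_xacml(xml_bytes):
    """Classify an object by its document element (section 2.1.9).

    Returns (kind, version): kind is the lower-cased local name of the
    document element; version is the XACML version implied by its
    namespace ("1.0/1.1" for the shared 1.x namespaces) or None for a
    signed object wrapped in a saml:Assertion.
    """
    # No XACML object needs a DTD, so refusing every DOCTYPE keeps XXE
    # and entity-expansion payloads away from the parser altogether.
    if re.search(rb"<!DOCTYPE", xml_bytes):
        raise XacmlMediaTypeError("DOCTYPE is not allowed in XACML objects")
    root = ET.fromstring(xml_bytes)
    if not root.tag.startswith("{"):
        raise XacmlMediaTypeError("document element has no namespace")
    ns, local = root.tag[1:].split("}", 1)
    if local in ("Policy", "PolicySet") and ns in POLICY_NS:
        return local.lower(), POLICY_NS[ns]
    if local in ("Request", "Response") and ns in CONTEXT_NS:
        return local.lower(), CONTEXT_NS[ns]
    if local == "Assertion" and ns == SAML_NS:
        return "assertion", None
    raise XacmlMediaTypeError("unexpected document element {%s}%s" % (ns, local))


def version_matches(declared, actual):
    """True when the 'version' parameter agrees with the document."""
    if actual == "1.0/1.1":
        return declared in ("1.0", "1.1")
    return declared == actual


def check_received(content_type, body):
    """Receiver-side check; returns (kind, version, charset).

    charset is None when the header carried none: the XML declaration
    or BOM then decides (RFC 3023 section 3.2), which ET.fromstring
    already honours for bytes input.
    """
    mtype, params = parse_media_type(content_type)
    if mtype != XACML_TYPE:
        raise XacmlMediaTypeError("expected %s, got %s" % (XACML_TYPE, mtype))
    declared = params.get("version")
    if declared is not None and not VERSION_RE.match(declared):
        raise XacmlMediaTypeError("malformed version parameter %r" % declared)
    kind, actual = sniff_xacml(body)
    if declared is not None and actual is not None and not version_matches(declared, actual):
        raise XacmlMediaTypeError("version=%s but document is XACML %s" % (declared, actual))
    return kind, actual, params.get("charset")


def accepts(content_type, body):
    """Boolean wrapper around check_received (malformed XML counts as a reject)."""
    try:
        check_received(content_type, body)
        return True
    except (XacmlMediaTypeError, ET.ParseError):
        return False


def negotiate_version(accept, available):
    """Server side (section 2.1.4): pick the XACML version to return.

    No version named: the server is free to choose, here the newest.
    Versions named: the first one the server has, else None (HTTP 406).
    """
    wanted = [parse_media_type(e)[1].get("version")
              for e in accept.split(",") if parse_media_type(e)[0] == XACML_TYPE]
    if not wanted:
        return None
    asked = [v for v in wanted if v is not None]
    if not asked:
        return max(available, key=lambda v: tuple(int(x) for x in v.split(".")))
    return next((v for v in asked if v in available), None)


# Constructed sample objects (not taken from the draft).
POLICY_30 = (b'<?xml version="1.0" encoding="UTF-8"?>'
             b'<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"'
             b' PolicyId="urn:example:policy:1" Version="1.0"'
             b' RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">'
             b'<Target/></Policy>')
REQUEST_20 = b'<Request xmlns="urn:oasis:names:tc:xacml:2.0:context"/>'
XXE_POLICY = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE Policy [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
              b'<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">'
              b'<Description>&ext;</Description></Policy>')

if __name__ == "__main__":
    print(check_received("application/xacml+xml; version=3.0; charset=utf-8", POLICY_30))
    print(negotiate_version("application/xacml+xml; version=2.0, application/xml;q=0.5", ["3.0", "2.0"]))
    print(accepts("application/xacml+xml", XXE_POLICY))
```

   The DOCTYPE test runs on the raw bytes before parsing because the
   standard-library parser only limits, rather than forbids, entity
   expansion.  Note also that RFC 3023, which this registration relies
   on for charset and encoding rules, has since been obsoleted by RFC
   7303.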
   Additionally, several of the possible publication protocols, for
   example HTTPS, offer means for ensuring the authenticity of the
   publishing party and for protecting the policy in transit.

2.1.7.  Interoperability Considerations

   Different versions of XACML use different XML namespace URIs:

   o  1.0 & 1.1 use the urn:oasis:names:tc:xacml:1.0:policy XML
      namespace URI for policies, and the
      urn:oasis:names:tc:xacml:1.0:context XML namespace URI for
      requests and responses

   o  2.0 uses the urn:oasis:names:tc:xacml:2.0:policy XML namespace URI
      for policies, and the urn:oasis:names:tc:xacml:2.0:context XML
      namespace URI for requests and responses

   o  3.0 uses the urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 XML
      namespace URI for policies, requests, and responses

   Signed XACML has a wrapping SAML 2.0 assertion [SAML-2], which uses
   the urn:oasis:names:tc:SAML:2.0:assertion namespace URI.
   Interoperability with SAML is defined by the SAML 2.0 Profile of
   XACML [XACML-3-SAML] for all versions of XACML.

2.1.8.  Applications which use this media type

   Potentially any application implementing or using XACML, as well as
   those applications implementing or using specifications based on
   XACML.  In particular, applications using the REST Profile
   [XACML-REST] can benefit from this media type.

2.1.9.  Magic number(s)

   In general, the same as for application/xml [RFC3023].  In
   particular, the XML document element of the returned object will be
   one of xacml:Policy, xacml:PolicySet, context:Request, or
   context:Response.
   The xacml and context namespace prefixes bind to the respective
   namespace URIs for the various versions of XACML as follows:

   o  1.0 & 1.1: The xacml prefix maps to
      urn:oasis:names:tc:xacml:1.0:policy, the context prefix maps to
      urn:oasis:names:tc:xacml:1.0:context

   o  2.0: The xacml prefix maps to urn:oasis:names:tc:xacml:2.0:policy,
      the context prefix maps to urn:oasis:names:tc:xacml:2.0:context

   o  3.0: Both the xacml and context prefixes map to the namespace URI
      urn:oasis:names:tc:xacml:3.0:core:schema:wd-17

   For signed XACML [XACML-3-DSig], the XML document element is
   saml:Assertion, where the saml prefix maps to the SAML 2.0 namespace
   URI urn:oasis:names:tc:SAML:2.0:assertion [SAML-2].

2.1.10.  File extension(s)

   none

2.1.11.  Macintosh File Type Code(s)

   none

2.1.12.  Person & email address to contact for further information

   This registration is made on behalf of the OASIS eXtensible Access
   Control Markup Language Technical Committee (XACMLTC).  Please refer
   to the XACMLTC website for current information on committee
   chairperson(s) and their contact addresses:
   http://www.oasis-open.org/committees/xacml/.  Committee members
   should submit comments and potential errata to the
   xacml@lists.oasis-open.org list.  Others should submit them by
   filling out the web form located at http://www.oasis-open.org/
   committees/comments/form.php?wg_abbrev=xacml.

   Additionally, the XACML developer community email distribution list,
   xacml-dev@lists.oasis-open.org, may be employed to discuss usage of
   the application/xacml+xml MIME media type.  The xacml-dev mailing
   list is publicly archived here:
   http://www.oasis-open.org/archives/xacml-dev/.  To post to the xacml-
   dev mailing list, one must subscribe to it.  To subscribe, visit the
   OASIS mailing list page at http://www.oasis-open.org/mlmanage/.

2.1.13.  Intended Usage

   Common

2.1.14.  Author/Change Controller

   The XACML specification sets are a work product of the OASIS
   eXtensible Access Control Markup Language Technical Committee
   (XACMLTC).  OASIS and the XACMLTC have change control over the XACML
   specification sets.

3.  Security Considerations

   The security considerations for this specification are described in
   Section 2.1.6 of the media type registration.

4.  Change Log

   Note to RFC Editor: Please remove this section before publication.

4.1.  From -05 to -06

   o  Minor changes in wording.

4.2.  From -04 to -05

   o  Incorporating feedback from Oscar Koeroo (ISE review report).

4.3.  From -03 to -04

   o  Creating a proper "IANA Considerations" section.

   o  Creating a proper "Security Considerations" section.

4.4.  From -02 to -03

   o  Switched category from "std" to "info".

4.5.  From -01 to -02

   o  Added new introduction text.

   o  Improved definition of version numbers and their handling.

4.6.  From -00 to -01

   o  Added new introduction text.

   o  Changed reference from RFC 4288 to RFC 6838 (updated RFC for media
      type registrations).

4.7.  Versions prior to I-D -00

   Prior to being published as an I-D document, this document was
   published and revised as an OASIS document with the following
   versions:

   o  2012-02-29 (WD01): Initial revision with one media type.

   o  2012-04-23 (WD02): Added JSON media type.

   o  2012-04-24 (WD03): Fixed layout, typos, and references.  Better
      defined the allowable range of values for the version parameter.

5.  Normative References

   [OASIS-Version]
              Organization for the Advancement of Structured Information
              Standards, "OASIS Naming Directives 1.3", December 2012,
              <http://docs.oasis-open.org/specGuidelines/ndr/
              namingDirectives.html#Version>.

   [RFC3023]  Murata, M., St. Laurent, S., and D. Kohn, "XML Media
              Types", RFC 3023, January 2001.

   [RFC6838]  Freed, N., Klensin, J., and T. Hansen, "Media Type
              Specifications and Registration Procedures", BCP 13,
              RFC 6838, January 2013.

   [SAML-2]   Organization for the Advancement of Structured Information
              Standards, "Security Assertion Markup Language (SAML)
              Version 2.0.  OASIS Standard", March 2005.

   [XACML-1]  Organization for the Advancement of Structured Information
              Standards, "eXtensible Access Control Markup Language
              (XACML) Version 1.0.  OASIS Standard", February 2003.

   [XACML-1.1]
              Organization for the Advancement of Structured Information
              Standards, "eXtensible Access Control Markup Language
              (XACML) Version 1.1.  OASIS Committee Specification",
              August 2003.

   [XACML-2]  Organization for the Advancement of Structured Information
              Standards, "eXtensible Access Control Markup Language
              (XACML) Version 2.0.  OASIS Standard", February 2005.

   [XACML-3]  Organization for the Advancement of Structured Information
              Standards, "eXtensible Access Control Markup Language
              (XACML) Version 3.0.  OASIS Standard", January 2013.

   [XACML-3-DSig]
              Organization for the Advancement of Structured Information
              Standards, "XACML v3.0 XML Digital Signature Profile
              Version 1.0.  OASIS Committee Specification 01",
              August 2010.

   [XACML-3-SAML]
              Organization for the Advancement of Structured Information
              Standards, "SAML 2.0 Profile of XACML, Version 2.0.  OASIS
              Committee Specification 01", August 2010.

   [XACML-REST]
              Organization for the Advancement of Structured Information
              Standards, "REST Profile of XACML v3.0 Version 1.0.  OASIS
              Committee Specification Draft 01", November 2012.

   [1]

   [2]

Appendix A.  Acknowledgements

   The following individuals have participated in the creation of this
   specification and are gratefully acknowledged: Oscar Koeroo (Nikhef),
   Erik Rissanen (Axiomatics), and Jonathan Robie (EMC).

Authors' Addresses

   Remon Sinnema
   EMC Corporation

   Email: remon.sinnema@emc.com
   URI:   http://securesoftwaredev.com/


   Erik Wilde
   EMC Corporation
   6801 Koll Center Parkway
   Pleasanton, CA 94566
   U.S.A.

   Phone: +1-925-6006244
   Email: erik.wilde@emc.com
   URI:   http://dret.net/netdret/