[xmlspif] A XML Based Access Control Concept

  • From: "Alan Ross (SMHS)" <alan.ross@xxxxxxxxxx>
  • To: xmlspif@xxxxxxxxxxxxx
  • Date: Fri, 22 Oct 2010 12:58:17 +0100

Now that the XML SPIF has been published and it has had a fair purchase both
within the supporting members' COTS products, and within a number of defence,
intelligence and exercise domains, I would like to gain the list's consensus
on the following.

With much the same philosophy of why move the SPIF to an Open XML Standard,
do we believe there is a requirement, an interest, to look at the XML SPIF
standardising, in XML, Access Control Information such as a Security Label
and Clearance?

Firstly, is this somewhere that the members of this list, supporters of XML
SPIF, believe it should go?

Secondly, if that answer is yes, should we consider standardising an XML
Security Label ourselves, look to adopt or something in between?

Should we consider standardising on XML authorisation privileges?

Has anyone come across requirements that would benefit from having XML SPIF
take some responsibility in supporting this?

Over the last 24 months I have deployed the XML SPIF on a number of
programmes. In order to provide the Access Control Requirements with
Clearance and Security Labels as the Access Control Information, regardless
of the service, i.e. S/MIME Medium Grade Email, Web Services, Instant
Messaging and Group Chat, Document Sharing, the Security Label Format has
been compliant to RFC 2634 Enhanced Security Services for S/MIME Security
Label and the Clearance has been as defined in X.501 Clearance attribute.
Now to me this has been the right way to go, as currently they are Defined
Open Standards and have support defined within Access Control Standards.

However, a number of programmes have researched and developed XML Security
Labels each with their own merit and own specific purpose (not for immediate
discussion!). Such programmes, to name a few, being:

NATO Research Task Group on XML in Cross Domain Security Solutions where
they have proposed an XML Confidentiality Label and Related Binding of
Metadata to Data Objects

Intelligence Community (IC) Metadata Standards for Information Assurance has
a defined schema for Information Security Marking (IC-ISM). This has been
adopted within the Cross Domain Collaborative Information Environment
(CDCIE).

Joint C3 Information Exchange Data Model

...... also, vendors, including those on the supporters of XML SPIF, have
their own XML Security Label and XML Clearance.

My personal preference is that I see benefit in XML SPIF providing an XML
based Approach for Access Control Information moving towards a fully XML
based Access Control Concept. To me this appears to be a logical move and
could potentially drive the focus of XML SPIF more to mainstream.

Logical sense may dictate that we support/adopt specifications for Security
Labels, i.e. NATO, however, we still await the released publications (soon we
believe!). Research Papers show that they have defined / are defining:

   - XML Confidentiality Label
      - Confidentiality Data - Classification, category, policy information
      - Label Lifecycle Information - Audit trail, label ownership,
      timestamp
   - XML Binding Data
      - Identification
      - Data Container / Reference
   - Security Assertion
   - Processing Rules

Much the same as XEP-0258 accomplishes with XMPP, I like the idea of
standardising on a mechanism for carrying security labels. This allows for
more flexibility with formats already being used, such as RFC 2634 ESS
Security Labels and IC-ISM.

I also think, over and above a specification for binding a Security Label to
the data, there is benefit in dynamically schema determining where a
Security Label may be located within data. A standardised approach to this
makes sense to me and we could look into defining standard XSD Annotations
appInfo to identify where to expect the security label in the data, for
example. This would be a very beneficial feature for services, i.e. guarding
functions that need to act on all security labels within a payload to
determine releasability. This would also avoid the need for supporting yet
another format such as schematron or some other form of proprietary XSD
compilation in order to meet this requirement.

There does appear to be a gap in the definition of an XML Security
Clearance. This is something we should look at providing a standardisation
proposal for.

Having defined the Security Policy, Security Label and Clearance in an XML
Format, then we have a potential to exploit XML to better gain adoption of
the Access Control Concept and Label Translation. We could exploit general
purpose access control policy, for example XACML, to represent our Access
Control Concept. This has potential and is very interesting to me. With
XSLT/XPath we can use templating to support Equivalency Mapping and Label
Translation.

With whatever approach is deemed viable, if indeed there is a deemed viable
approach, it goes without saying ...... interoperability with XML SPIF would
have to be assured.

Finally, and not before time, this would "drive" us into having to finally
fully document the XML SPIF and application of AC with supporting ACI :-)

I am very interested in all your comments.

Alan
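
The schema-driven label discovery suggested in the message above, sketched as an added example that is not part of the original post or of XML SPIF: a guard reads XSD `appinfo` annotations to learn which elements carry a security label, then checks every label in a payload against a clearance. The `urn:example:label-location` namespace, the `securityLabel` marker, the schema, the payload and the classification ordering are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"
LOC = "{urn:example:label-location}securityLabel"  # hypothetical appinfo marker

# Constructed schema: appinfo flags which elements carry a security label.
SCHEMA = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:ll="urn:example:label-location" targetNamespace="urn:example:msg">
  <xs:element name="Marking" type="xs:string">
    <xs:annotation><xs:appinfo><ll:securityLabel/></xs:appinfo></xs:annotation>
  </xs:element>
  <xs:element name="Body" type="xs:string"/>
</xs:schema>"""

# Constructed payload with two labelled parts.
PAYLOAD = """<m:Message xmlns:m="urn:example:msg">
  <m:Part><m:Marking>RESTRICTED</m:Marking><m:Body>a</m:Body></m:Part>
  <m:Part><m:Marking>SECRET</m:Marking><m:Body>b</m:Body></m:Part>
</m:Message>"""

# Constructed ordering standing in for the classifications a SPIF would define.
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}

def label_elements(schema_xml):
    """Return qualified names of elements the schema annotates as label carriers."""
    root = ET.fromstring(schema_xml)
    tns = root.get("targetNamespace", "")
    names = set()
    for el in root.iter(XS + "element"):
        if el.find(f"{XS}annotation/{XS}appinfo/{LOC}") is not None:
            names.add(f"{{{tns}}}{el.get('name')}")
    return names

def find_labels(payload_xml, carriers):
    """Collect the text of every annotated label element in the payload."""
    return [el.text.strip() for el in ET.fromstring(payload_xml).iter()
            if el.tag in carriers and el.text]

def releasable(payload_xml, schema_xml, clearance):
    """Guard decision: release only if every label is known and dominated."""
    labels = find_labels(payload_xml, label_elements(schema_xml))
    if not labels:  # fail closed: unlabelled payloads are not released
        return False
    return all(l in LEVELS and LEVELS[l] <= LEVELS[clearance] for l in labels)
```

A guard handling untrusted payloads would use a hardened XML parser (for example defusedxml) in place of the standard-library one used here.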
