Now that the XML SPIF has been published and has had a fair purchase both within the supporting members' COTS products and within a number of defence, intelligence and exercise domains, I would like to gain the list's consensus on the following. With much the same philosophy as the move of the SPIF to an Open XML Standard, do we believe there is a requirement, an interest, in looking at the XML SPIF standardising, in XML, Access Control Information such as a Security Label and Clearance?

Firstly, is this somewhere that the members of this list, supporters of XML SPIF, believe it should go? Secondly, if that answer is yes, should we consider standardising an XML Security Label ourselves, look to adopt one, or something in between? Should we consider standardising on XML authorisation privileges? Has anyone come across requirements that would benefit from having XML SPIF take some responsibility in supporting this?

Over the last 24 months I have deployed the XML SPIF on a number of programmes. In order to provide the Access Control Requirements with Clearance and Security Labels as the Access Control Information, regardless of the service, i.e. S/MIME Medium Grade Email, Web Services, Instant Messaging and Group Chat, Document Sharing, the Security Label format has been compliant with RFC 2634 Enhanced Security Services for S/MIME Security Label and the Clearance has been as defined in the X.501 Clearance attribute. Now to me this has been the right way to go, as currently they are defined Open Standards and have support defined within Access Control Standards. However, a number of programmes have researched and developed XML Security Labels, each with their own merit and own specific purpose (not for immediate discussion!).

Such programmes, to name a few, being:
- NATO Research Task Group on XML in Cross Domain Security Solutions, where they have proposed an XML Confidentiality Label and Related Binding of Metadata to Data Objects
- Intelligence Community (IC) Metadata Standards for Information Assurance, which has a defined schema for Information Security Marking (IC-ISM). This has been adopted within the Cross Domain Collaborative Information Environment (CDCIE).
- Joint C3 Information Exchange Data Model ......
Also, vendors, including those among the supporters of XML SPIF, have their own XML Security Label and XML Clearance.

My personal preference is that I see benefit in XML SPIF providing an XML-based approach for Access Control Information, moving towards a fully XML-based Access Control Concept. To me this appears to be a logical move and could potentially drive the focus of XML SPIF more to the mainstream. Logical sense may dictate that we support/adopt specifications for Security Labels, i.e. NATO; however, we still await the released publications (soon we believe!). Research papers show that they have defined / are defining:
- XML Confidentiality Label
  - Confidentiality Data - Classification, category, policy information
  - Label Lifecycle Information - Audit trail, label ownership, timestamp
- XML Binding Data
  - Identification
  - Data Container / Reference
  - Security Assertion
  - Processing Rules

Much the same as XEP-0258 accomplishes with XMPP, I like the idea of standardising on a mechanism for carrying security labels. This allows for more flexibility with formats already being used, such as RFC 2634 ESS Security Labels and IC-ISM. I also think that, over and above a specification for binding a Security Label to the data, there is benefit in dynamically determining from the schema where a Security Label may be located within data.

A standardised approach to this makes sense to me and we could look into defining standard XSD Annotation appInfo elements to identify where to expect the security label in the data, for example. This would be a very beneficial feature for services, i.e. guarding functions that need to act on all security labels within a payload to determine releasability. This would also avoid the need for supporting yet another format such as Schematron or some other form of proprietary XSD compilation in order to meet this requirement.

There does appear to be a gap in the definition of an XML Security Clearance. This is something we should look at providing a standardisation proposal for. Having defined the Security Policy, Security Label and Clearance in an XML format, we then have the potential to exploit XML to better gain adoption of the Access Control Concept and Label Translation. We could exploit a general purpose access control policy language, for example XACML, to represent our Access Control Concept. This has potential and is very interesting to me. With XSLT/XPath we can use templating to support Equivalency Mapping and Label Translation.

With whatever approach is deemed viable, if indeed there is a deemed viable approach, it goes without saying ...... interoperability with XML SPIF would have to be assured. Finally, and not before time, this would "drive" us into having to finally fully document the XML SPIF and application of AC with supporting ACI :-)

I am very interested in all your comments.

Alan
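The guard behaviour sketched in the post (an XSD appInfo annotation declaring where security labels sit in a payload, a guard locating every label and checking each against a clearance) as an added worked example. This is illustration code, not part of the original message or of the XML SPIF specification: the element names, the namespaces, the `ann:labelLocation` annotation and the XML fragments are all constructed for the example. The access rule mirrors the RFC 2634 ESS label / X.501 clearance comparison the post describes (same policy identifier, classification in the clearance's class list, every label category held by the clearance).

```python
"""Added example (not from the original post): a toy guard that locates every
security label in an XML payload via XSD appinfo annotations and checks each one
against an X.501-style clearance.  All element names, namespaces and the
annotation vocabulary are hypothetical; the XML below is constructed input."""
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"
LBL = "urn:example:label"             # hypothetical label/clearance namespace
ANN = "urn:example:spif-annotation"   # hypothetical annotation namespace
NS = {"xs": XS, "lbl": LBL, "ann": ANN}

# Constructed XSD fragment: the appinfo says where labels live in the payload.
SCHEMA = f"""<xs:schema xmlns:xs="{XS}" xmlns:ann="{ANN}">
  <xs:element name="Message">
    <xs:annotation><xs:appinfo>
      <ann:labelLocation xpath=".//lbl:SecurityLabel"/>
    </xs:appinfo></xs:annotation>
  </xs:element>
</xs:schema>"""

# Constructed payload carrying two RFC 2634-style labels: policy id,
# integer classification and a set of security categories.
PAYLOAD = f"""<Message xmlns:lbl="{LBL}">
  <Header><lbl:SecurityLabel policy="1.2.3" classification="3">
    <lbl:Category>NATO</lbl:Category></lbl:SecurityLabel></Header>
  <Attachment><lbl:SecurityLabel policy="1.2.3" classification="4">
    <lbl:Category>NATO</lbl:Category><lbl:Category>CRYPTO</lbl:Category>
  </lbl:SecurityLabel></Attachment>
</Message>"""

# Constructed X.501-style clearance: policy id, permitted class list, categories.
CLEARANCE = f"""<lbl:Clearance xmlns:lbl="{LBL}" policy="1.2.3">
  <lbl:ClassList>0 1 2 3</lbl:ClassList>
  <lbl:Category>NATO</lbl:Category><lbl:Category>CRYPTO</lbl:Category>
</lbl:Clearance>"""


def label_xpaths(schema_xml):
    """Collect the label-location XPaths declared in xs:appinfo."""
    root = ET.fromstring(schema_xml)
    return [loc.get("xpath")
            for loc in root.iterfind(".//xs:appinfo/ann:labelLocation", NS)]


def find_labels(payload_xml, xpaths):
    """Apply each declared XPath to the payload and return the label elements."""
    root = ET.fromstring(payload_xml)
    found = []
    for xp in xpaths:
        found.extend(root.iterfind(xp, NS))  # ElementTree supports this XPath subset
    return found


def parse_label(el):
    return {"policy": el.get("policy"),
            "classification": int(el.get("classification")),
            "categories": {c.text for c in el.iterfind("lbl:Category", NS)}}


def parse_clearance(xml):
    el = ET.fromstring(xml)
    classes = el.findtext("lbl:ClassList", namespaces=NS).split()
    return {"policy": el.get("policy"),
            "classlist": {int(c) for c in classes},
            "categories": {c.text for c in el.iterfind("lbl:Category", NS)}}


def permits(clearance, label):
    """Access rule: same policy, classification in the class list, and every
    (restrictive) category on the label held by the clearance."""
    return (clearance["policy"] == label["policy"]
            and label["classification"] in clearance["classlist"]
            and label["categories"] <= clearance["categories"])


def releasable(payload_xml, schema_xml, clearance_xml):
    """Guard decision: release only if *every* label in the payload is permitted.
    Returns (decision, [(classification, permitted), ...]) for audit."""
    clr = parse_clearance(clearance_xml)
    labels = [parse_label(el)
              for el in find_labels(payload_xml, label_xpaths(schema_xml))]
    verdicts = [(lbl["classification"], permits(clr, lbl)) for lbl in labels]
    return all(ok for _, ok in verdicts), verdicts


if __name__ == "__main__":
    print(releasable(PAYLOAD, SCHEMA, CLEARANCE))
```

With the constructed input the header label (classification 3, NATO) is within the clearance but the attachment label (classification 4) is not, so the guard refuses the whole payload; a guard that only looked at the first label it found would have released it, which is why the annotation-driven search over all labels matters.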