[xmlspif] Re: A XML Based Access Control Concept

  • From: "Piers Chivers" <Piers.Chivers@xxxxxxxxxxxxxxx>
  • To: <xmlspif@xxxxxxxxxxxxx>
  • Date: Mon, 25 Oct 2010 11:43:27 +0100

Hi Alan,

[Please note: all following comments are my personal view]

This email has a number of interesting suggestions.  I will cut to the
chase though.

 

As a minimum we must have an open XML definition of a security label.
As you state below, a number of initiatives have started this.  However,
organisations like NATO, quite rightly, must follow correct processes to
publish proposals and standards.  I therefore think that this community
could speed things along by publishing an initial draft. If that draft
could be "somehow" like NATO's then all the better :-).

 

So, I propose that the next major output from this forum should be an XML
security label definition that references the XML Spif of course.

 

Your other ideas below will follow from this (and should be considered
for the label definition) but we should walk before we run.

 

Thoughts?

 

Piers

PS As a start for the above:

1.      We should consider what is the point of a label?

2.      We should realise that more than just Defence orgs use labels

3.      We must not just "XMLify" the ASN.1 label definition.

4.      Textual labels are a bit of a pain.  A decent transformation
mechanism to/from text and XML versions of a label is essential.

 

From: xmlspif-bounce@xxxxxxxxxxxxx [mailto:xmlspif-bounce@xxxxxxxxxxxxx]
On Behalf Of Alan Ross (SMHS)
Sent: 22 October 2010 12:58
To: xmlspif@xxxxxxxxxxxxx
Subject: [xmlspif] A XML Based Access Control Concept

 

Now that the XML SPIF has been published and it has had a fair purchase
both within the supporting members' COTS products, and within a number of
defence, intelligence and exercise domains, I would like to gain the
list's consensus on the following.

With much the same philosophy of why move the SPIF to an Open XML
Standard, do we believe there is a requirement, an interest, to look at
the XML SPIF standardising, in XML, Access Control Information such as a
Security Label and Clearance?

Firstly, is this somewhere that the members of this list, supporters of
XML SPIF, believe it should go?

Secondly, if that answer is yes, should we consider standardising an XML
Security Label ourselves, look to adopt or something in between?

Should we consider standardising on XML authorisation privileges?

Has anyone come across requirements that would benefit from having XML
SPIF take some responsibility in supporting this?

Over the last 24 months I have deployed the XML SPIF on a number of
programmes. In order to provide the Access Control Requirements with
Clearance and Security Labels as the Access Control Information,
regardless of the service i.e. S/MIME Medium Grade Email, Web Services,
Instant Messaging and Group Chat, Document Sharing, the Security Label
Format has been compliant to RFC 2634 Enhanced Security Services for
S/MIME Security Label and the Clearance has been as defined in X.501
Clearance attribute. Now to me this has been the right way to go, as
currently they are Defined Open Standards and have support defined
within Access Control Standards.

However, a number of programmes have researched and developed XML
Security Labels each with their own merit and own specific purpose (not
for immediate discussion!). Such programmes, to name a few, being:

NATO Research Task Group on XML in Cross Domain Security Solutions where
they  have proposed an XML Confidentiality Label and Related Binding of
Metadata to Data Objects

Intelligence Community (IC) Metadata Standards for Information Assurance
has a defined schema for Information Security Marking (IC-ISM). This has
been adopted within the Cross Domain Collaborative Information
Environment (CDCIE).

Joint C3 Information Exchange Data Model

...... also, vendors, including those on the supporters of XML SPIF,
have their own XML Security Label and XML Clearance.

My personal preference is that I see benefit in XML SPIF providing an
XML based Approach for Access Control Information moving towards a fully
XML based Access Control Concept. To me this appears to be a logical
move and could potentially drive the focus of XML SPIF more to
mainstream.

Logical sense may dictate that we support/adopt specifications for
Security Labels i.e. NATO, however, we still await the released
publications (soon we believe!). Research Papers show that they have
defined / are defining:

*       XML Confidentiality Label

        *       Confidentiality Data - Classification, category, policy
information
        *       Label Lifecycle Information - Audit trail, label
ownership, timestamp

*       XML Binding Data

        *       Identification
        *       Data Container / Reference

*       Security Assertion
*       Processing Rules

Much the same as XEP-0258 accomplishes with XMPP, I like the idea of
standardising on a mechanism for carrying security labels. This allows
for more flexibility with formats already being used, such as RFC 2634
ESS Security Labels and IC-ISM.

I also think, over and above a specification for binding a Security
Label to the data, there is benefit in dynamically schema determining
where a Security Label may be located within data. A standardised
approach to this makes sense to me and we could look into defining
standard XSD Annotations appInfo to identify where to expect the
security label in the data, for example. This would be a very beneficial
feature for services, i.e. guarding functions that need to act on all
security labels within a payload to determine releasability. This would
also avoid the need for supporting yet another format such as schematron
or some other form of proprietary XSD compilation in order to meet this
requirement.

There does appear to be a gap in the definition of an XML Security
Clearance. This is something we should look at providing a
standardisation proposal for.

 

Having defined the Security Policy, Security Label and Clearance in an
XML Format, then we have a potential to exploit XML to better gain
adoption of the Access Control Concept and Label Translation. We could
exploit general purpose access control policy, for example XACML, to
represent our Access Control Concept. This has potential and is very
interesting to me. With XSLT/XPath we can use templating to support
Equivalency Mapping and Label Translation.

 

With whatever approach is deemed viable, if indeed there is a deemed
viable approach, it goes without saying ...... interoperability with XML
SPIF would have to be assured.

Finally, and not before time, this would "drive" us into having to
finally fully document the XML SPIF and application of AC with
supporting ACI :-)

I am very interested in all your comments.

Alan
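
The schema-driven label location idea discussed above, sketched as an added example (not part of either message and not from XML SPIF or any of the named programmes). The annotation namespace `urn:example:label-location`, the `securityLabel` marker, the schema, the payload and the classification ordering are all hypothetical and constructed for illustration; labels are plain strings here rather than RFC 2634 or IC-ISM structures.

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"
LL = "{urn:example:label-location}"  # hypothetical annotation namespace

# Constructed schema: an appinfo marker flags elements that carry a label.
SCHEMA = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
                       xmlns:ll="urn:example:label-location">
  <xs:element name="report"/>
  <xs:element name="section"/>
  <xs:element name="marking">
    <xs:annotation><xs:appinfo><ll:securityLabel/></xs:appinfo></xs:annotation>
  </xs:element>
</xs:schema>"""

# Constructed payload with labels at more than one depth.
PAYLOAD = """<report>
  <marking>RESTRICTED</marking>
  <section><marking>SECRET</marking><body>text</body></section>
  <section><marking>UNCLASSIFIED</marking></section>
</report>"""

# Constructed ordering, lowest to highest.
ORDER = ["UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET"]

def label_elements(xsd_text):
    """Names of elements the schema annotates as security-label carriers."""
    root = ET.fromstring(xsd_text)
    marker = f"{XS}annotation/{XS}appinfo/{LL}securityLabel"
    return {el.get("name") for el in root.iter(XS + "element")
            if el.find(marker) is not None}

def find_labels(payload_text, carriers):
    """Every label value in the payload, in document order."""
    root = ET.fromstring(payload_text)
    return [(el.text or "").strip() for el in root.iter() if el.tag in carriers]

def releasable(payload_text, xsd_text, ceiling):
    """Guard decision: every label must be known and at or below the ceiling."""
    labels = find_labels(payload_text, label_elements(xsd_text))
    if not labels:
        return False  # unlabelled payload: fail closed
    limit = ORDER.index(ceiling)
    # Unknown label values also fail closed.
    return all(l in ORDER and ORDER.index(l) <= limit for l in labels)
```

The guard never hard-codes where a label sits; it learns the carrier elements from the schema, so a single nested SECRET marking is enough to block release to a RESTRICTED domain.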
