" rel="home"><?php print " id="logo-image" />
" rel="home">

" rel="home">

'main-menu', 'class' => 'links clearfix')); ?>

 
Updated 24 May 2002 
OASIS eXtensible Access Control Markup Language TC
Defining XACML, an XML specification for expressing policies for information access over the Internet

Documents and Links

Position Papers | Auxiliary Resources | Patent | Procedure

Please send page corrections here.


Submissions and Position Papers

Slides

  • F2F#4
    • XML resource protection use case(pdf,word), by Michiharu Kudo
  • F2F#3
    • J2SE use case(.pdf), by Sekhar Vajjhala
    • Boolean Policy Resolution(text), by Ann Anderson
    • Thoughts on Proposal 0.8 (.ppt), by Hal Lockhart
    • Triple-based policy schema proposal, by Simon Godik
  • F2F#2
    • What needs to be specified by the XACML model?(.pdf), by Pierangela Samarati
    • Use Case and Requirement(.ppt),(.pdf), by Michiharu Kudo
  • F2F#1
    • Slides for F2F#1, Medical Use Case(.ppt), by Fred Moses
    • Slides for F2F#1, Overview of XACL(.zip), by Michiharu Kudo
    • Slides for F2F#1, Preliminary Proposal(.ppt), by Tim Moses

Domain Model

  • XACML Domain Model ver.3(.doc), by Gilbert Pilz

Policy Model

  • What needs to be specified by the XACML policy model?(.doc)(.htm), by Ernesto Damiani and Pierangela Samarati

Language Proposal

  • XACML Policy Proposal (.doc), by Carlisle Adams

Use Cases

  • OASIS ebXML Registry-Access Control Related Use Cases(.doc), by Suresh Damodaran
  • ebXML Registry Access Control Use Case: Issues(.doc), by Suresh Damodaran
  • Medical Use Cases(.doc), by Meg Kistin Anzalone and Fred Moses
  • Use Cases for Access control on XML Resources(.doc), by Michiharu Kudo
  • XACML DRM Use Case Proposal(.pdf), by Thomas Hardjono
  • Online Server Usecases(.doc), by Hal Lockhart
  • Financial Regulatory Usecases(.doc), by Simon Blackwell

Others

  • Requirements for a Rights Data Dictionary and Rights Expression Language(.doc), by David Parrott
  • Report on Reuters Response to MPEG-21 CfR(.ppt), by David Parrott
    Powerpoint slides presented by Dr David Parrott (Reuters) to the XACML Committee on 18 July 2001.

Patents

The following U.S. Patents may be relevant to XACML work:

  • 5,715,403 System for controlling the distribution and use of digital works having attached usage rights where the usage rights are defined by a usage rights grammar
  • 5,629,980 System for controlling the distribution and use of digital works
  • 5,638,443 System for Controlling the Distribution and Use of Composite Digital Works


Auxiliary Resources

The following works have substantial overlap with XACML:

  • XACL: http://www.trl.ibm.com/projects/xml/xacl/index.htm - contributing to XACML
  • XACL: http://alphaworks.ibm.com/tech/xmlsecuritysuite - contributing to XACML
  • XrML: http://www.xrml.org/
  • DPRL: http://www.oasis-open.org/cover/DPRLmanual-XML2.html (a precursor to XrML)
  • ODRL: http://www.odrl.net/

The following external resources have been identified as useful for the TC's work:

  • RFC 3060: Policy Core Information Model, Internet Society, Network Working Group
    Brief summary by Bill Parducci:
    RFC 3060 presents the object-oriented information model for representing policy information developed jointly in the IETF Policy Framework WG and as extensions to the DMTF CIM. This model defines two hierarchies of object classes: structural classes representing policy information and control of policies, and association classes that indicate how instances of the structural classes are related to each other. Two fundamental design parameters are: (1) the primary use of the declarative (vs. procedural) policy model; (2) self-imposed limitations in richness of expression for ease of implementation and use.
    • Policy Core Information Model -- Version 1 Specification
    • Policy Core LDAP Schema
      It defines a concrete LDAP-schema-based representation of the RFC 3060 policy model.
    • Strassner-PCIM-3060-DirectoryMapping.ppt
      It describes the details of the mapping from RFC 3060 into the LDAP-schema-based representation described in draft-ietf-policy-core-schema-11.txt.
  • RDF: A lightweight ontology system to support knowledge exchange on the Web
  • IRTF AAA Architecture group RFCs:
    • RFC 2903: Generic AAA Architecture
    • RFC 2904: AAA Authorization Framework
    • RFC 2905: AAA Authorization Application Examples
    • RFC 2906: AAA Authorization Requirements
    • A grammar for Policies in a Generic AAA Environment
      In this document a formal model of a language to describe policies is presented in the context of a generic AAA environment. The document introduces the concept of a Driving Policy. A Driving Policy specifies the behavior of an 'AAA' server (composed of a Rule Based Engine, Policy Repository and Application Specific Module). A key aspect of a Driving Policy is that it is dynamic in nature, as even minor changes in the Policy Repository or Application Specific Module may significantly affect the behavior of the server. Identified but not resolved are the complexities that arise from external policies (e.g. being pushed from the user in a request). Syntactic ambiguities resulting from policy nesting are noted, with possible solutions said to be forthcoming.
  • CORBA Security Specification
    • ftp://ftp.omg.org/pub/docs/formal/98-12-17.pdf
    • ftp://ftp.omg.org/pub/docs/formal/98-12-17.ps
    • FAQ
  • MPEG4 & MPEG21 Requirements docs
    • http://www.cselt.it/mpeg/working_documents.htm
  • Access Control Models
    • Security Model

Academic papers related to the TC's work:

  • "Securing XML Documents": E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, P. Samarati, Proc. of the 2000 International Conference on Extending Database Technology (EDBT2000), Konstanz, Germany, March 27-31, 2000.
  • "Design and Implementation of an Access Control Processor for XML Documents": E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, P. Samarati, Computer Networks, vol. 33, no. 1-6, 2000, pp. 59-75; and Proc. of the Ninth International World Wide Web Conference (WWW9), Amsterdam, May 15-19, 2000.
    These are the papers that present our fine-grained access control for XML documents.
  • "Fine-Grained Access Control for SOAP E-Services": E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, P. Samarati, Proc. of the Tenth International World Wide Web Conference (WWW10), Hong Kong, May 1-5, 2001.
    This paper presents an extension to our access control system for regulating access to SOAP e-services. The approach is based on intercepting and filtering requests.
  • "Flexible Support for Multiple Access Control Policies": S. Jajodia, P. Samarati, M.L. Sapino, and V.S. Subrahmanian, ACM Transactions on Database Systems, to appear.
    It presents a logic-based language for expressing security policies.
  • "An Algebra for Composing Access Control Policies": P. Bonatti, S. De Capitani di Vimercati, and P. Samarati, ACM Transactions on Information and System Security, to appear.
    It presents an algebra for expressing complex policies characterized by merging different components that need to be maintained independently.
  • "Regulating Service Access and Information Release on the Web": P. Bonatti, P. Samarati, Proc. 7th ACM Conference on Computer and Communications Security, Athens, Greece, November 1-4, 2000.
    It presents a security model for regulating access in an open distributed environment where clients may not be known a priori to servers. It supports certificate-based authorizations. It also addresses the problem of security policy communication between server and client (as the server needs to tell the clients which certificates may be necessary for an access).
  • "An Access Control Model for Data Archives": P. Bonatti, E. Damiani, S. De Capitani di Vimercati, P. Samarati, IFIP-TC11 International Conference on Information Security, Paris, France, June 11-14, 2001.
    It presents an access control model for regulating access to data archives. The goal there was to present a solution that was expressive enough to cover the requirements gathered by the partners but at the same time simple. Particular attention was devoted to the language for specifying authorizations. You can see this as an input for use cases (as the solution was based on protection requirements collected from users).
  • "Access Control: Policies, Models, and Mechanisms": P. Samarati and S. De Capitani di Vimercati, Foundations of Security Analysis and Design, R. Focardi and R. Gorrieri (eds), LNCS 2172, Springer-Verlag.
    Survey chapter on security policies and models.
  • "XML Document Security Based on Provisional Authorization": M. Kudo and S. Hada, Proc. 7th ACM Conference on Computer and Communications Security, Athens, Greece, November 1-4, 2000.
    It presents an overview of the XACL language and a proposed notion of provisional authorization.
  • "Provisional Authorization": S. Jajodia, M. Kudo, and V. S. Subrahmanian, E-Commerce Security and Privacy, Anup Ghosh (ed.), Kluwer Academic Publishers, Boston, 2001, pp. 133-159.
    It presents a formal model for provisional authorization based on logic programming.
  • Policies for Network and Distributed Systems Management
  • The Policy Framework (brief intro; worth reading)
  • Ponder: A Policy Language for Distributed Systems Management
  • "The Ponder Specification Language": N. Damianou, N. Dulay, E. Lupu, M. Sloman, Workshop on Policies for Distributed Systems and Networks (Policy2001), HP Labs Bristol, 29-31 Jan 2001.
    Ponder Summary Paper
  • "A Policy Deployment Model for the Ponder Language": N. Dulay, E. Lupu, M. Sloman, N. Damianou, an extended version of the paper in Proc. IEEE/IFIP International Symposium on Integrated Network Management (IM 2001), Seattle, May 2001, IEEE Press.
    Ponder Deployment Paper
  • Ponder Language Specification
  • Ponder SableCC grammar
  • Ponder Software Main Page
  • "Securing XML Documents with Author-X": E. Bertino, S. Castano, E. Ferrari, IEEE Internet Computing, May/June 2001.
  • "On Specifying Security Policies for Web Documents with an XML-based Language": E. Bertino, S. Castano, E. Ferrari, Proc. of SACMAT'2001, ACM Symposium on Access Control Models and Technologies, Fairfax, VA, May 2001.
  • "Securing XML Documents: the Author-X Project Demonstration": E. Bertino, S. Castano, E. Ferrari, Proc. of ACM SIGMOD 2001 Conference, Santa Barbara, CA, USA, May 2001.
  • "Specifying and Enforcing Access Control Policies for XML Document Sources": E. Bertino, S. Castano, E. Ferrari, M. Mesiti, World Wide Web Journal, Baltzer Science Publishers, Vol. 3, No. 3, 2000.
  • "Author-X: a Java-Based System for XML Data Protection": E. Bertino, S. Castano, E. Ferrari, M. Mesiti, Proc. of the 14th Annual IFIP WG 11.3 Working Conference on Database Security, Schoorl (near Amsterdam), The Netherlands, August 2000.
  • "Controlled Access and Dissemination of XML Documents": E. Bertino, S. Castano, E. Ferrari, M. Mesiti, Proc. of ACM CIKM'99 2nd Workshop on Web Information and Data Management (WIDM'99), Kansas City, Missouri, USA, November 1999.
  • "Regulating Access to XML Documents": A. Gabillon, E. Bruno, Fifteenth Annual IFIP WG 11.3 Working Conference on Database Security, Niagara on the Lake, Ontario, Canada, July 15-18, 2001.

Procedure

TC members should note the following procedure for publishing documents to the repository:

1. If your submission is covered by the document guidelines, try to ensure that it follows the guidelines (especially regarding file format and file name).

2. Send mail to the xacml-editors list, attaching the submission and indicating the list(s) to which the eventual URL(s) should be published.

   1. If the submission needs further work with respect to the guidelines, and the folks on the xacml-editors list can't perform this work themselves, they'll return it to you with their requests.

   2. If the submission is (or can be made) ready to go, the editors will put it in the repository and publish the URL.
