ITU-T X 1142-2006 eXtensible Access Control Markup Language (XACML 2 0) (Study Group 17)《可扩展访问控制标记语言 研究组17》.pdf

1、 International Telecommunication Union ITU-T X.1142TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (06/2006) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Telecommunication security eXtensible Access Control Markup Language (XACML 2.0) ITU-T Recommendation X.1142 ITU-T X-SERIES RE

2、COMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS Services and facilities X.1X.19 Interfaces X.20X.49 Transmission, signalling and switching X.50X.89 Network aspects X.90X.149 Maintenance X.150X.179 Administrative arrangements X.180X.199 OPEN SYSTEMS INTERCONN

3、ECTION Model and notation X.200X.209 Service definitions X.210X.219 Connection-mode protocol specifications X.220X.229 Connectionless-mode protocol specifications X.230X.239 PICS proformas X.240X.259 Protocol Identification X.260X.269 Security Protocols X.270X.279 Layer Managed Objects X.280X.289 Co

4、nformance testing X.290X.299 INTERWORKING BETWEEN NETWORKS General X.300X.349 Satellite data transmission systems X.350X.369 IP-based networks X.370X.379 MESSAGE HANDLING SYSTEMS X.400X.499DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS Networking X.600X.629 Efficiency X.630X.639 Quality of s

5、ervice X.640X.649 Naming, Addressing and Registration X.650X.679 Abstract Syntax Notation One (ASN.1) X.680X.699 OSI MANAGEMENT Systems Management framework and architecture X.700X.709 Management Communication Service and Protocol X.710X.719 Structure of Management Information X.720X.729 Management

6、functions and ODMA functions X.730X.799 SECURITY X.800X.849 OSI APPLICATIONS Commitment, Concurrency and Recovery X.850X.859 Transaction processing X.860X.879 Remote operations X.880X.889 Generic applications of ASN.1 X.890X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 TELECOMMUNICATION SECURITY X.100

7、0 For further details, please refer to the list of ITU-T Recommendations. ITU-T Rec. X.1142 (06/2006) i ITU-T Recommendation X.1142 eXtensible Access Control Markup Language (XACML 2.0) Summary XACML is an XML vocabulary for expressing access control policies. Access control consists of deciding if

8、a requested resource access should be allowed and enforcing that decision. This Recommendation defines core XACML including syntax of the language, models, context with policy language model, syntax and processing rules. This Recommendation specifies XACML core and hierarchical role based access con

9、trol profile. A multiple resource profile of XACML and a SAML 2.0 profile of XACML are specified. To improve on the security of exchanging XACML based policies, this Recommendation also specifies an XACML XML digital signature profile for securing data. A privacy profile is specified in order to pro

10、vide guidelines for implementers. This Recommendation is technically equivalent and compatible with the OASIS XACML 2.0 standard. Source ITU-T Recommendation X.1142 was approved on 13 June 2006 by ITU-T Study Group 17 (2005-2008) under the ITU-T Recommendation A.8 procedure. ii ITU-T Rec. X.1142 (06

11、/2006) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questio

12、ns and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations o

13、n these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the

14、 expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g. interoperability or appli

15、cability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with t

16、he Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicab

17、ility of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implemen

18、t this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2007 All rights reserved. No part of this publication may be reproduced, by any means

19、 whatsoever, without the prior written permission of ITU. ITU-T Rec. X.1142 (06/2006) iii CONTENTS Page 1 Scope . 1 2 References 1 3 Definitions 2 3.1 Imported definitions 2 3.2 Additional definitions 3 4 Abbreviations 5 5 Conventions 5 6 Overview 6 7 XACML core. 6 7.1 Background . 6 7.2 XACML model

20、s . 10 7.3 XACML context . 11 7.4 Policy syntax 14 7.5 Context syntax 34 7.6 XACML functional requirements . 41 7.7 XACML extensibility points . 49 7.8 Conformance 50 8 Core and hierarchical role based access control (RBAC) profile. 57 8.1 RBAC background 57 8.2 RBAC example. 59 8.3 Assigning and en

21、abling role attributes. 63 8.4 Implementing the RBAC model . 65 8.5 Profile. 67 8.6 Identifiers 67 9 Multiple resource profile of XACML . 68 9.1 Requests for multiple resources 69 9.2 Requests for an entire hierarchy . 71 9.3 New attribute identifiers . 72 9.4 New profile identifiers . 73 10 SAML 2.

22、0 profile of XACML. 73 10.1 Mapping SAML and XACML attributes 75 10.2 Authorization decisions 76 10.3 Policies . 77 10.4 Element 79 10.5 Element 80 10.6 Element 80 11 XML digital signature profile 81 11.1 Use of SAML. 81 11.2 Canonicalization . 81 11.3 Signing schemas . 82 12 Hierarchical resource p

23、rofile of XACML 82 12.1 Representing the identity of a node. 83 12.2 Requesting access to a node 84 12.3 Stating policies that apply to nodes. 87 12.4 New DataType: xpath-expression. 87 12.5 New attribute identifiers . 88 12.6 New profile identifiers . 88 13 Privacy policy profile 89 13.1 Standard a

24、ttributes. 89 13.2 Standard rules: Matching purpose. 89 iv ITU-T Rec. X.1142 (06/2006) Page Annex A Data-types and functions 90 A.1 Introduction . 90 A.2 Data-types . 90 A.3 Functions. 92 Annex B XACML identifiers. 104 B.1 XACML namespaces. 104 B.2 Access subject categories 104 B.3 Data-types . 104

25、B.4 Subject attributes 105 B.5 Resource attributes 106 B.6 Action attributes . 106 B.7 Environment attributes . 106 B.8 Status codes . 107 B.9 Combining algorithms 107 Annex C Combining algorithms . 108 C.1 Deny-overrides. 108 C.2 Ordered-deny-overrides 109 C.3 Permit-overrides . 109 C.4 Ordered-per

26、mit-overrides . 111 C.5 First-applicable. 111 C.6 Only-one-applicable 113 Annex D XACML schema 114 D.1 XACML context schema 114 D.2 Policy schema 116 D.3 XACML SAML protocol schema. 122 D.4 XACML SAML assertion schema 123 Appendix I Security considerations. 124 I.1 Threat model 124 I.2 Safeguards. 1

27、26 Appendix II XACML examples 128 II.1 Example one 128 II.2 Example two 131 Appendix III Example description of higher order bag functions. 145 III.1 Example of higher-order bag functions 145 BIBLIOGRAPHY 150 ITU-T Rec. X.1142 (06/2006) 1 ITU-T Recommendation X.1142 eXtensible Access Control Markup

28、Language (XACML 2.0) 1 Scope This Recommendation defines the eXtensible Access Control Markup Language (XACML) Version 2.0. It defines a common language for expressing security policy. The motivation behind XACML is to develop an XML based policy language that can be used: To provide a method for co

29、mbining individual rules and policies into a single policy set that applies to a particular decision request. To provide a method for flexible definition of the procedure by which rules and policies are combined. To provide a method for dealing with multiple subjects acting in different capacities.

30、To provide a method for basing an authorization decision on attributes of the subject and resource. To provide a method for dealing with multi-valued attributes. To provide a method for basing an authorization decision on the contents of an information resource. To provide a set of logical and mathe

31、matical operators on attributes of the subject, resource and environment. To provide a method for handling a distributed set of policy components, while abstracting the method for locating, retrieving and authenticating the policy components. To provide a method for rapidly identifying the policy th

32、at applies to a given action, based upon the values of attributes of the subjects, resource and action. To provide an abstraction-layer that insulates the policy-writer from the details of the application environment. To provide a method for specifying a set of actions that must be performed in conj

33、unction with policy enforcement. The XACML solutions for each of these requirements are in this Recommendation. In particular, clause 7 develops the core XACML language including XACML models, policy language model, policy syntax and processing rules. Clause 8 develops XACML core and hierarchical Ro

34、le Based Access Control (RBAC) profile. Clause 9 develops XACML multiple resource profile. Clause 10 discusses technologies for securing XACML communication through the development of SAML 2.0 profile of XACML. Clause 11 builds on the foundation of clause 10 by developing an XML digital signature pr

35、ofile for XACML. Clause 12 discusses the combination of XACML profiles as developed in clauses 7 to 11 by developing a hierarchical resource profile of XACML. Privacy issues are discussed in clause 13. 2 References The following Recommendations and other references contain provisions which, through

36、reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision, and parties to agreements based on this Recommendation are encouraged to investigate the possibility

37、of applying the most recent editions of the Recommendations and other references listed below. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations. The IETF maintains a list of RFCs, together with those that have been made obsolete by lat

38、er RFCs. W3C maintains a list of the latest Recommendations and other publications. ITU-T Recommendation X.811 (1995) ISO/IEC 10181-2:1996, Information technology Open Systems Interconnection Security frameworks for open systems: Authentication framework. ITU-T Recommendation X.812 (1995) ISO/IEC 10

39、181-3:1996, Information technology Open Systems Interconnection Security frameworks for open systems: Access control framework. ITU-T Recommendation X.1141 (2006), Security Assertion Markup Language (SAML 2.0). IETF RFC 822 (1982), Standard for the Format of ARPA Internet Text Messages. IETF RFC 211

40、9 (1997), Key words for use in RFCs to Indicate Requirement Levels. IETF RFC 2253 (1997), Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names. IETF RFC 2256 (1997), A Summary of the X.500 (96) User Schema for use with LDAPv3. 2 ITU-T Rec. X.1142 (06/2006) I

41、ETF RFC 2396 (1998), Uniform Resource Identifiers (URI): Generic Syntax. IETF RFC 2732 (1999), Format for Literal IPv6 Addresses in URLs. IETF RFC 2821 (2001), Simple Mail Transfer Protocol. IETF RFC 3280 (2002), Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (C

42、RL) Profile. W3C Canonicalization:2002, Exclusive XML Canonicalization Version 1.0, W3C Recommendation, Copyright 18 July 2002 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University), http:/www.w3.org/TR/xm

43、l-exc-c14n/. W3C Datatypes:2001, XML Schema Part 2: Datatypes, W3C Recommendation, Copyright 2 May 2001 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University), http:/www.w3.org/TR/2001/REC-xmlschema-2-2001

44、0502/. W3C Encryption:2002, XML Encryption Syntax and Processing, W3C Recommendation, Copyright 10 December 2002 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University), http:/www.w3.org/TR/2002/REC-xmlenc-

45、core-20021210/. W3C MathML:2003, Mathematical Markup Language (MathML), Version 2.0, W3C Recommendation, Copyright 21 October 2003 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University), http:/www.w3.org/T

46、R/2003/REC-MathML2-20031021/. W3C Signature:2002, XML-Signature Syntax and Processing, W3C Recommendation, Copyright 12 February 2002 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University), http:/www.w3.or

47、g/TR/2002/REC-xmldsig-core-20020212/. W3C XML:2004, Extensible Markup Language (XML) 1.0 (Third Edition), W3C Recommendation, Copyright 4 February 2004 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University

48、), http:/www.w3.org/TR/REC-xml/. W3C XPATH:1999, XML Path Language, Version 1.0, W3C Recommendation, Copyright 16 November 1999 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University), http:/www.w3.org/TR/1

49、999/REC-xpath-19991116. W3C XSLT:1999, XSL Transformations (XSLT) Version 1.0, W3C Recommendation, Copyright 16 November 1999 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University), http:/www.w3.org/TR/1999/REC-xslt-19991116. NOTE The reference to a document within this Recommendation does not give it, as a stand-alone document, th