International Telecommunication Union
ITU-T X.1144
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (10/2013)
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Secure applications and services
Web security
eXtensible Access Control Markup Language (XACML 3.0)
Recommendation ITU-T X.1144

ITU-T X-SERIES RECOMMENDATIONS: within the X series, this Recommendation belongs to SECURE APPLICATIONS AND SERVICES, Web security (X.1140–X.1149). For further details, please refer to the list of ITU-T Recommendations.

Rec. ITU-T X.1144 (10/2013) i

Recommendation ITU-T X.1144
eXtensible Access Control Markup Language (XACML 3.0)

Summary
Recommendation ITU-T X.1144 develops the eXtensible Access Control Markup Language (XACML 3.0), which is an updated version of Recommendation ITU-T X.1142 (equivalent to OASIS XACML 2.0 (06/2006)). This Recommendation defines core XACML, including the syntax of the language, its models, the XACML context, the policy language model and the processing rules. This Recommendation is technically equivalent to and compatible with the OASIS XACML 3.0 standard.

History
Edition 1.0: ITU-T X.1144, approved 2013-10-14, Study Group 17, Unique ID 11.1002/1000/12044*.
* To access the Recommendation, type the URL http://handle.itu.int/ in the address field of your web browser, followed by the Recommendation's unique ID. For example, http://handle.itu.int/11.1002/1000/11830-en.

FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.
The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.
The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.
In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE
In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.
Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.
As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2014
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

Table of Contents (clause, title, page)
1 Scope ... 1
2 References ... 1
3 Definitions ... 3
3.1 Terms defined elsewhere ... 3
3.2 Terms defined in this Recommendation ... 4
4 Abbreviations and acronyms ... 6
5 Conventions ... 7
6 Overview ... 7
6.1 Requirements ... 8
6.2 Rule and policy combining ... 8
6.3 Combining algorithms ... 9
6.4 Multiple subjects ... 9
6.5 Policies based on subject and resource attributes ... 9
6.6 Multi-valued attributes ... 10
6.7 Policies based on resource contents ... 10
6.8 Operators ... 10
6.9 Policy distribution ... 11
6.10 Policy indexing ... 11
6.11 Abstraction layer ... 12
6.12 Actions performed in conjunction with enforcement ... 12
6.13 Supplemental information about a decision ... 12
7 XACML models ... 12
7.1 Data-flow model ... 12
7.2 XACML context ... 14
7.3 Policy language model ... 14
8 Syntax ... 18
8.1 Element ... 18
8.2 Element ... 21
8.3 Element ... 21
8.4 Element ... 21
8.5 Element ... 22
8.6 Element ... 22
8.7 Element ... 22
8.8 Element ... 23
8.9 Element ... 23
8.10 Element ... 24
8.11 Element ... 24
8.12 Simple type VersionType ... 24
8.13 Simple type VersionMatchType ... 25
8.14 Element ... 25
8.15 Element ... 27
8.16 Element ... 27
8.17 Element ... 28
8.18 Element ... 28
8.19 Element ... 29
8.20 Element ... 29
8.21 Element ... 30
8.22 Simple type EffectType ... 31
8.23 Element ... 31
8.24 Element ... 32
8.25 Element ... 32
8.26 Element ... 32
8.27 Element ... 32
8.28 Element ... 33
8.29 Element ... 33
8.30 Element ... 34
8.31 Element ... 35
8.32 Element ... 36
8.33 Element ... 36
8.34 Element ... 36
8.35 Element ... 37
8.36 Element ... 37
8.37 Element ... 38
8.38 Element ... 38
8.39 Element ... 38
8.40 Element ... 39
8.41 Element ... 40
8.42 Element ... 40
8.43 Element ... 41
8.44 Element ... 42
8.45 Element ... 42
8.46 Element ... 43
8.47 Element ... 43
8.48 Element ... 44
8.49 Element ... 45
8.50 Element ... 45
8.51 Element ... 45
8.52 Element ... 46
8.53 Element ... 46
8.54 Element ... 46
8.55 Element ... 47
8.56 Element ... 47
8.57 Element ... 47
8.58 Element ... 48
9 XPath 2.0 definitions ... 49
10 Functional requirements ... 50
10.1 Unicode issues ... 50
10.2 Policy enforcement point ... 51
10.3 Attribute evaluation ... 52
10.4 Expression evaluation ... 55
10.5 Arithmetic evaluation ... 55
10.6 Match evaluation ... 55
10.7 Target evaluation ... 56
10.8 VariableReference evaluation ... 57
10.9 Condition evaluation ... 58
10.10 Extended "indeterminate" ... 58
10.11 Rule evaluation ... 58
10.12 Policy evaluation ... 58
10.13 Policy set evaluation ... 59
10.14 Policy and policy set value for "Indeterminate" target ... 59
10.15 PolicySetIdReference and PolicyIdReference evaluation ... 60
10.16 Hierarchical resources ... 60
10.17 Authorization decision ... 60
10.18 Obligations and advice ... 60
10.19 Exception handling ... 61
10.20 Identifier equality ... 61
11 Conformance ... 63
Annex A Data-types and functions ... 72
A.1 Introduction ... 72
A.2 Data-types ... 72
A.3 Functions ... 74
A.4 Functions, data-types, attributes and algorithms planned for deprecation ... 97
Annex B XACML identifiers ... 100
B.1 XACML namespaces ... 100
B.2 Attribute categories ... 100
B.3 Data-types ... 101
B.4 Subject attributes ... 101
B.5 Resource attributes ... 102
B.6 Action attributes ... 102
B.7 Environment attributes ... 103
B.8 Status codes ... 103
B.9 Combining algorithms ... 103
Annex C Combining algorithms ... 106
C.1 Extended "Indeterminate" values ... 106
C.2 Deny-overrides ... 106
C.3 Ordered-deny-overrides ... 108
C.4 Permit-overrides ... 108
C.5 Ordered-permit-overrides ... 110
C.6 Deny-unless-permit ... 110
C.7 Permit-unless-deny ... 111
C.8 First-applicable ... 111
C.9 Only-one-applicable ... 113
C.10 Legacy Deny-overrides ... 114
C.11 Legacy Ordered-deny-overrides ... 116
C.12 Legacy Permit-overrides ... 116
C.13 Legacy Ordered-permit-overrides ... 118
Appendix I Example ... 119
I.1 Example one ... 119
I.2 Example two ... 122
Appendix II XACML extensibility points ... 137
II.1 Extensible XML attribute types ... 137
II.2 Structured attributes ... 137
Appendix III Security and privacy considerations ... 138
III.1 Threat model ... 138
III.2 Safeguards ... 140
III.3 Unicode security issues ... 143
III.4 Identifier equality ... 143
Appendix IV Schema ... 144
Bibliography ... 152

Recommendation ITU-T X.1144
eXtensible Access Control Markup Language (XACML 3.0)

1 Scope
This Recommendation defines the eXtensible Access Control Markup Language (XACML) Version 3.0. It defines a common language for expressing security policy. The motivation behind XACML is to develop an XML-based policy language that can be used:
- To provide a method for flexible definition of the procedure by which rules and policies are combined.
- To provide a method for dealing with multiple subjects acting in different capacities.
- To provide a method for basing an authorization decision on attributes of the subject and resource.
- To provide a method for dealing with multi-valued attributes.
- To provide a method for basing an authorization decision on the contents of an information resource.
- To provide a set of logical and mathematical operators on attributes of the subject, resource and environment.
- To provide a method for handling a distributed set of policy components, while abstracting the method for locating, retrieving and authenticating the policy components.
- To provide a method for rapidly identifying the policy that applies to a given action, based upon the values of attributes of the subject, resource and action.
- To provide an abstraction layer that insulates the policy-writer from the details of the application environment.
- To provide a method for specifying a set of actions that must be performed in conjunction with policy enforcement.
The core XACML solutions are included in this Recommendation. Clause 7 develops the XACML models, clause 8 develops the policy language, clause 10 develops the policy processing rules and clause 11 develops guidelines for implementers.

2 References
The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.
[ITU-T X.500] Recommendation ITU-T X.500 (2012) | ISO/IEC 9594-1:2014, Information technology – Open Systems Interconnection – The Directory: Overview of concepts, models and services.
[ITU-T X.509] Recommendation ITU-T X.509 (2012) | ISO/IEC 9594-8:2014, Information technology – Open Systems Interconnection – The Directory: Public key and attribute certificate frameworks.
[ITU-T X.690] Recommendation ITU-T X.690 (2008) | ISO/IEC 8825-1:2008, Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER).
[ITU-T X.811] Recommendation ITU-T X.811 (1995) | ISO/IEC 10181-2:1996, Information technology – Open Systems Interconnection – Security frameworks for open systems: Authentication framework.
[ITU-T X.812] Recommendation ITU-T X.812 (1995) | ISO/IEC 10181-3:1996, Information technology – Open Systems Interconnection – Security frameworks for open systems: Access control framework.
[IETF RFC 2119] IETF RFC 2119 (1997), Key words for use in RFCs to Indicate Requirement Levels.
[IETF RFC 2256] IETF RFC 2256 (1997), A Summary of the X.500(96) User Schema for use with LDAPv3.
[IETF RFC 2732] IETF RFC 2732 (1999), Format for Literal IPv6 Addresses in URLs.
[IETF RFC 2798] IETF RFC 2798 (2000), Definition of the inetOrgPerson LDAP Object Class.
[IETF RFC 2822] IETF RFC 2822 (2001), Internet Message Format.
[IETF RFC 3986] IETF RFC 3986 (2005), Uniform Resource Identifiers (URI): Generic Syntax.
[IETF RFC 4514] IETF RFC 4514 (2006), Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names.
[IETF RFC 4949] IETF RFC 4949 (2007), Internet Security Glossary, Version 2.
[IETF RFC 5280] IETF RFC 5280 (2008), Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
[IETF RFC 5321] IETF RFC 5321 (2008), Simple Mail Transfer Protocol.
[IEEE 754] IEEE 754 (1985), IEEE Standard for Binary Floating-Point Arithmetic.
[IEEE 854] IEEE 854 (1987), IEEE Standard for Radix-Independent Floating-Point Arithmetic.
[W3C DS] W3C Recommendation (10 June 2008), XML-Signature Syntax and Processing.
[W3C EXC-C14N] W3C Recommendation (18 July 2002), Exclusive XML Canonicalization, Version 1.0.
[W3C Glossary] W3C Glossary and Dictionary (2003), Glossary and Dictionary.
[W3C MathML] W3C Recommendation (21 October 2003), Mathematical Markup Language (MathML), Version 2.0.
[W3C Technology] W3C XML Technology.
[W3C XF] W3C Recommendation (23 January 2007), XQuery 1.0 and XPath 2.0 Functions and Operators.
[W3C XML] W3C Recommendation (26 November 2008), Extensible Markup Language (XML) 1.0 (Fifth Edition).
[W3C XMLid] W3C Recommendation (9 September 2005), xml:id Version 1.0.
[W3C XS] W3C Recommendation (28 October 2004), XML Schema, parts 1 and 2.
[W3C XPath] W3C Recommendation (16 November 1999), XML Path Language (XPath), Version 1.0.
[W3C XPathFunc] W3C Recommendation (14 December 2010), XQuery 1.0 and XPath 2.0 Functions and Operators (Second Edition).

3 Definitions
3.1 Terms defined elsewhere
This Recommendation uses the following terms defined elsewhere:
3.1.1 access [IETF RFC 4949]