Independent Submission                                        R. Sinnema
Request for Comments: 7061                                      E. Wilde
Category: Informational                                  EMC Corporation
ISSN: 2070-1721                                            November 2013
        
Independent Submission                                        R. Sinnema
Request for Comments: 7061                                      E. Wilde
Category: Informational                                  EMC Corporation
ISSN: 2070-1721                                            November 2013
        

eXtensible Access Control Markup Language (XACML) XML Media Type

可扩展访问控制标记语言(XACML)XML媒体类型

Abstract

摘要

This specification registers an XML-based media type for the eXtensible Access Control Markup Language (XACML).

此规范为可扩展访问控制标记语言(XACML)注册基于XML的媒体类型。

Status of This Memo

关于下段备忘

This document is not an Internet Standards Track specification; it is published for informational purposes.

本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。

This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

这是对RFC系列的贡献,独立于任何其他RFC流。RFC编辑器已选择自行发布此文档,并且未声明其对实现或部署的价值。RFC编辑批准发布的文件不适用于任何级别的互联网标准;见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7061.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7061.

Copyright Notice

版权公告

Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2013 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。

Table of Contents

目录

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 2
   2.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 2
     2.1.  XACML Media Type application/xacml+xml  . . . . . . . . . . 2
   3.  Security Considerations . . . . . . . . . . . . . . . . . . . . 5
   4.  Normative References  . . . . . . . . . . . . . . . . . . . . . 5
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . . . 6
        
   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 2
   2.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 2
     2.1.  XACML Media Type application/xacml+xml  . . . . . . . . . . 2
   3.  Security Considerations . . . . . . . . . . . . . . . . . . . . 5
   4.  Normative References  . . . . . . . . . . . . . . . . . . . . . 5
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . . . 6
        
1. Introduction
1. 介绍

The eXtensible Access Control Markup Language (XACML) [XACML-3] defines an architecture and a language for access control (authorization). The language consists of requests, responses, and policies. Clients send a request to a server to query whether a given action should be allowed. The server evaluates the request against the available policies and returns a response. The policies implement the organization's access control requirements.

可扩展访问控制标记语言(XACML)[XACML-3]定义了访问控制(授权)的体系结构和语言。该语言由请求、响应和策略组成。客户端向服务器发送请求,询问是否应允许给定的操作。服务器根据可用策略评估请求并返回响应。这些策略实现了组织的访问控制要求。

2. IANA Considerations
2. IANA考虑

This specification details the registry of an XML-based media type for the eXtensible Access Control Markup Language (XACML) that has been registered with the Internet Assigned Numbers Authority (IANA) following the "Media Type Specifications and Registration Procedures" [RFC6838]. The XACML media type represents an XACML request, response, or policy in the XML-based format defined by the core XACML specification [XACML-3].

本规范详细说明了可扩展访问控制标记语言(XACML)基于XML的媒体类型的注册表,该语言已按照“媒体类型规范和注册程序”向互联网分配号码管理局(IANA)注册[RFC6838]。XACML媒体类型表示核心XACML规范[XACML-3]定义的基于XML的格式的XACML请求、响应或策略。

2.1. XACML Media Type application/xacml+xml
2.1. XACML媒体类型应用程序/XACML+xml

This specification details the registration of an XML-based media type for the eXtensible Access Control Markup Language (XACML).

本规范详细说明了可扩展访问控制标记语言(XACML)基于XML的媒体类型的注册。

Media Type Name: application

媒体类型名称:应用程序

Subtype Name: xacml+xml

子类型名称:xacml+xml

Required Parameters: none

所需参数:无

Optional Parameters:

可选参数:

charset: The charset parameter is the same as the charset parameter of application/xml [RFC3023], including the same default (see Section 3.2 of RFC 3023).

charset:charset参数与application/xml[RFC3023]的charset参数相同,包括相同的默认值(参见RFC 3023的第3.2节)。

version: The version parameter indicates the version of the XACML specification. It can be used for content negotiation when dealing with clients and servers that support multiple XACML versions. Its range is the range of published XACML versions. As of this writing, that is 1.0 [XACML-1], 1.1 [XACML-1.1], 2.0 [XACML-2], and 3.0 [XACML-3]. These and future version identifiers must follow the Organization for the Advancement of Structured Information Standards (OASIS) patterns for versions [OASIS-Version]. If this parameter is not specified by the client, the server is free to return any version it deems fit. If a client cannot or does not want to deal with that, it should explicitly specify a version.

version:version参数表示XACML规范的版本。当处理支持多个XACML版本的客户端和服务器时,它可以用于内容协商。其范围是已发布XACML版本的范围。在撰写本文时,即1.0[XACML-1]、1.1[XACML-1.1]、2.0[XACML-2]和3.0[XACML-3]。这些和未来的版本标识符必须遵循结构化信息标准促进组织(OASIS)版本模式[OASIS版本]。如果客户端未指定此参数,则服务器可以自由返回其认为合适的任何版本。如果客户机不能或不想处理此问题,则应明确指定版本。

Encoding Considerations: Same as for application/xml [RFC3023].

编码注意事项:与application/xml[RFC3023]相同。

Security Considerations:

安全考虑:

Per their specification, objects of type application/xacml+xml do not contain executable content. However, these objects are XML-based, and thus they have all of the general security considerations presented in Section 10 of RFC 3023 [RFC3023].

根据其规范,类型为application/xacml+xml的对象不包含可执行内容。但是,这些对象是基于XML的,因此它们具有RFC 3023[RFC3023]第10节中介绍的所有一般安全注意事项。

XACML [XACML-3] contains information about whose integrity and authenticity is important -- identity provider and service provider public keys and endpoint addresses, for example. Sections 9.2.1 "Authentication" and 9.2.4 "Policy Integrity" in XACML [XACML-3] describe requirements and considerations for such authentication and integrity protection.

XACML[XACML-3]包含关于谁的完整性和真实性很重要的信息——例如,身份提供者和服务提供者公钥以及端点地址。XACML[XACML-3]中的第9.2.1节“身份验证”和第9.2.4节“策略完整性”描述了此类身份验证和完整性保护的要求和注意事项。

To counter potential issues, the publisher may sign objects of type application/xacml+xml. Any such signature should be verified -- both as a valid signature and as being the signature of the publisher -- by the recipient of the data. The XACML v3.0 XML Digital Signature Profile [XACML-3-DSig] describes how to use XML-based digital signatures with XACML.

为了应对潜在问题,发布者可以对类型为application/xacml+xml的对象进行签名。任何这样的签名都应该由数据的接收者验证——既是有效的签名,也是发布者的签名。XACML v3.0 XML数字签名配置文件[XACML-3-DSig]描述了如何在XACML中使用基于XML的数字签名。

Additionally, various possible publication protocols, for example, HTTPS, offer means for ensuring the authenticity of the publishing party and for protecting the policy in transit.

此外,各种可能的发布协议(例如HTTPS)提供了确保发布方真实性和保护传输中的策略的方法。

Interoperability Considerations: Different versions of XACML use different XML namespace URIs:

互操作性注意事项:不同版本的XACML使用不同的XML命名空间URI:

      *  1.0 and 1.1 use the urn:oasis:names:tc:xacml:1.0:policy XML
         namespace URI for policies and the
         urn:oasis:names:tc:xacml:1.0:context XML namespace URI for
         requests and responses
        
      *  1.0 and 1.1 use the urn:oasis:names:tc:xacml:1.0:policy XML
         namespace URI for policies and the
         urn:oasis:names:tc:xacml:1.0:context XML namespace URI for
         requests and responses
        
      *  2.0 uses the urn:oasis:names:tc:xacml:2.0:policy XML namespace
         URI for policies and the urn:oasis:names:tc:xacml:2.0:context
         XML namespace URI for requests and responses
        
      *  2.0 uses the urn:oasis:names:tc:xacml:2.0:policy XML namespace
         URI for policies and the urn:oasis:names:tc:xacml:2.0:context
         XML namespace URI for requests and responses
        
      *  3.0 uses the urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 XML
         namespace URI for policies, requests, and responses
        
      *  3.0 uses the urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 XML
         namespace URI for policies, requests, and responses
        

Signed XACML has a wrapping Security Assertion Markup Language (SAML) 2.0 assertion [SAML-2], which uses the urn:oasis:names:tc:SAML:2.0:assertion namespace URI. Interoperability with SAML is defined by the SAML 2.0 Profile of XACML [XACML-3-SAML] for all versions of XACML.

签名XACML有一个包装安全断言标记语言(SAML)2.0断言[SAML-2],它使用urn:oasis:names:tc:SAML:2.0:Assertion命名空间URI。对于所有版本的XACML,XACML[XACML-3-SAML]的SAML2.0概要文件定义了与SAML的互操作性。

Applications That Use This Media Type:

使用此媒体类型的应用程序:

Potentially, any application implementing or using XACML, as well as those applications implementing or using specifications based on XACML. In particular, applications using the Representational State Transfer (REST) Profile [XACML-REST] can benefit from this media type.

任何实现或使用XACML的应用程序,以及那些实现或使用基于XACML的规范的应用程序,都是潜在的。特别是,使用代表性状态传输(REST)配置文件[XACML-REST]的应用程序可以受益于这种媒体类型。

Magic Number(s):

幻数:

In general, this is the same as for application/xml [RFC3023]. In particular, the XML document element of the returned object will be one of xacml:Policy, xacml:PolicySet, context:Request, or context:Response. The xacml and context namespace prefixes bind to the respective namespace URIs for the various versions of XACML as follows:

一般来说,这与application/xml[RFC3023]相同。特别是,返回对象的XML文档元素将是xacml:Policy、xacml:PolicySet、context:Request或context:Response中的一个。xacml和上下文命名空间前缀绑定到各种版本xacml的相应命名空间URI,如下所示:

      *  1.0 and 1.1: The xacml prefix maps to
         urn:oasis:names:tc:xacml:1.0:policy; the context prefix maps to
         urn:oasis:names:tc:xacml:1.0:context
        
      *  1.0 and 1.1: The xacml prefix maps to
         urn:oasis:names:tc:xacml:1.0:policy; the context prefix maps to
         urn:oasis:names:tc:xacml:1.0:context
        
      *  2.0: The xacml prefix maps to
         urn:oasis:names:tc:xacml:2.0:policy; the context prefix maps to
         urn:oasis:names:tc:xacml:2.0:context
        
      *  2.0: The xacml prefix maps to
         urn:oasis:names:tc:xacml:2.0:policy; the context prefix maps to
         urn:oasis:names:tc:xacml:2.0:context
        
      *  3.0: Both the xacml and context prefixes map to the namespace
         URI urn:oasis:names:tc:xacml:3.0:core:schema:wd-17
        
      *  3.0: Both the xacml and context prefixes map to the namespace
         URI urn:oasis:names:tc:xacml:3.0:core:schema:wd-17
        

For signed XACML [XACML-3-DSig], the XML document element is saml: Assertion, where the saml prefix maps to the SAML 2.0 namespace URI urn:oasis:names:tc:SAML:2.0:assertion [SAML-2].

对于签名的XACML[XACML-3-DSig],XML文档元素是saml:Assertion,其中saml前缀映射到saml2.0命名空间URI urn:oasis:names:tc:saml:2.0:Assertion[saml-2]。

File Extension(s): none

文件扩展名:无

Macintosh File Type Code(s): none

Macintosh文件类型代码:无

Person & Email Address to Contact for Further Information:

联系人和电子邮件地址,以获取更多信息:

This registration is made on behalf of the OASIS eXtensible Access Control Markup Language Technical Committee (XACMLTC). Please refer to the XACMLTC website for current information on committee chairperson(s) and their contact addresses: http://www.oasis-open.org/committees/xacml/. Committee members should submit comments and potential errors to the xacml@lists.oasis-open.org list. Others should submit them by filling out the web form located at http://www.oasis-open.org/ committees/comments/form.php?wg_abbrev=xacml.

此注册代表OASIS可扩展访问控制标记语言技术委员会(XACMLTC)进行。有关委员会主席及其联系地址的最新信息,请访问XACMLTC网站:http://www.oasis-open.org/committees/xacml/. 委员会成员应向委员会提交意见和潜在错误xacml@lists.oasis-打开.org列表。其他人应通过填写位于http://www.oasis-open.org/ 委员会/评论/form.php?wg_abbrev=xacml。

Additionally, the XACML developer community email distribution list, xacml-dev@lists.oasis-open.org, may be employed to discuss usage of the application/xacml+xml MIME media type. The xacml-dev mailing list is publicly archived here: http://www.oasis-open.org/archives/xacml-dev/. To post to the xacml-dev mailing list, one must subscribe to it. To subscribe, visit the OASIS mailing list page at http://www.oasis-open.org/mlmanage/.

此外,XACML开发人员社区电子邮件分发列表XACML-dev@lists.oasis-org,可以用来讨论application/xacml+xml MIME媒体类型的用法。xacml开发人员邮件列表在此处公开存档:http://www.oasis-open.org/archives/xacml-dev/. 要发布到xacml开发人员邮件列表,必须订阅它。要订阅,请访问OASIS邮件列表页面http://www.oasis-open.org/mlmanage/.

Intended Usage: common

预期用途:普通

Author/Change Controller:

作者/变更控制员:

The XACML specification sets are a work product of the OASIS eXtensible Access Control Markup Language Technical Committee (XACMLTC). OASIS and the XACMLTC have change control over the XACML specification sets.

XACML规范集是OASIS可扩展访问控制标记语言技术委员会(XACMLTC)的工作产品。OASIS和XACMLTC对XACML规范集具有变更控制权。

3. Security Considerations
3. 安全考虑

The security considerations for this specification are described in Section 2.1 of the media type registration.

本规范的安全注意事项在介质类型注册的第2.1节中描述。

4. Normative References
4. 规范性引用文件

[OASIS-Version] Organization for the Advancement of Structured Information Standards, "OASIS Naming Directives Version 1.3", December 2012, <http://docs.oasis-open.org/specGuidelines/ ndr/namingDirectives.html#Version>.

[OASIS版本]结构化信息标准促进组织,“OASIS命名指令1.3版”,2012年12月<http://docs.oasis-open.org/specGuidelines/ ndr/namingdirections.html#Version>。

[RFC3023] Murata, M., St. Laurent, S., and D. Kohn, "XML Media Types", RFC 3023, January 2001.

[RFC3023]Murata,M.,St.Laurent,S.,和D.Kohn,“XML媒体类型”,RFC 3023,2001年1月。

[RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type Specifications and Registration Procedures", BCP 13, RFC 6838, January 2013.

[RFC6838]Freed,N.,Klensin,J.和T.Hansen,“媒体类型规范和注册程序”,BCP 13,RFC 6838,2013年1月。

[SAML-2] Organization for the Advancement of Structured Information Standards, "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0", OASIS Standard, March 2005, <http://docs.oasis-open.org/ security/saml/v2.0/saml-core-2.0-os.pdf>.

[SAML-2]结构化信息标准促进组织,“OASIS安全断言标记语言(SAML)V2.0的断言和协议”,OASIS标准,2005年3月<http://docs.oasis-open.org/ security/saml/v2.0/saml-core-2.0-os.pdf>。

[XACML-1] Organization for the Advancement of Structured Information Standards, "eXtensible Access Control Markup Language (XACML) Version 1.0", OASIS Standard, February 2003, <http://www.oasis-open.org/committees/download.php/2406/ oasis-xacml-1.0.pdf>.

[XACML-1]结构化信息标准促进组织,“可扩展访问控制标记语言(XACML)1.0版”,OASIS标准,2003年2月<http://www.oasis-open.org/committees/download.php/2406/ oasis-xacml-1.0.pdf>。

[XACML-1.1] Organization for the Advancement of Structured Information Standards, "eXtensible Access Control Markup Language (XACML) Version 1.1", OASIS Committee Specification, August 2003, <http://www.oasis-open.org/committees/xacml/ repository/cs-xacml-specification-1.1.pdf>.

[XACML-1.1]结构化信息标准促进组织,“可扩展访问控制标记语言(XACML)1.1版”,OASIS委员会规范,2003年8月<http://www.oasis-open.org/committees/xacml/ repository/cs-xacml-specification-1.1.pdf>。

[XACML-2] Organization for the Advancement of Structured Information Standards, "eXtensible Access Control Markup Language (XACML) Version 2.0", OASIS Standard, February 2005, <http://docs.oasis-open.org/xacml/2.0/ access_control-xacml-2.0-core-spec-os.pdf>.

[XACML-2]结构化信息标准促进组织,“可扩展访问控制标记语言(XACML)2.0版”,OASIS标准,2005年2月<http://docs.oasis-open.org/xacml/2.0/ 访问\u control-xacml-2.0-core-spec-os.pdf>。

[XACML-3] Organization for the Advancement of Structured Information Standards, "eXtensible Access Control Markup Language (XACML) Version 3.0", OASIS Standard, January 2013, <http://docs.oasis-open.org/xacml/3.0/ xacml-3.0-core-spec-os-en.pdf>.

[XACML-3]结构化信息标准促进组织,“可扩展访问控制标记语言(XACML)3.0版”,OASIS标准,2013年1月<http://docs.oasis-open.org/xacml/3.0/ xacml-3.0-core-spec-os-en.pdf>。

[XACML-3-DSig] Organization for the Advancement of Structured Information Standards, "XACML v3.0 XML Digital Signature Profile Version 1.0", OASIS Committee Specification 01, August 2010, <http://docs.oasis-open.org/xacml/3.0/ xacml-3.0-dsig-v1-spec-cs-01-en.pdf>.

[XACML-3-DSig]结构化信息标准促进组织,“XACML v3.0 XML数字签名配置文件1.0版”,OASIS委员会规范01,2010年8月<http://docs.oasis-open.org/xacml/3.0/ xacml-3.0-dsig-v1-spec-cs-01-en.pdf>。

[XACML-3-SAML] Organization for the Advancement of Structured Information Standards, "SAML 2.0 Profile of XACML, Version 2.0", OASIS Committee Specification 01, August 2010, <http://docs.oasis-open.org/xacml/3.0/ xacml-profile-saml2.0-v2-spec-cs-01-en.pdf>.

[XACML-3-SAML]结构化信息标准促进组织,“XACML的SAML 2.0概要,2.0版”,OASIS委员会规范01,2010年8月<http://docs.oasis-open.org/xacml/3.0/ xacml-profile-saml2.0-v2-spec-cs-01-en.pdf>。

[XACML-REST] Organization for the Advancement of Structured Information Standards, "REST Profile of XACML v3.0 Version 1.0", OASIS Committee Specification 01, April 2013, <http://docs.oasis-open.org/xacml/xacml-rest/v1.0/ xacml-rest-v1.0.pdf>.

[XACML-REST]结构化信息标准促进组织,“XACML v3.0版本1.0的REST概要”,OASIS委员会规范01,2013年4月<http://docs.oasis-open.org/xacml/xacml-rest/v1.0/ xacml-rest-v1.0.pdf>。

Appendix A. Acknowledgements
附录A.确认书

The following individuals have participated in the creation of this specification and are gratefully acknowledged: Oscar Koeroo (Nikhef), Erik Rissanen (Axiomatics), and Jonathan Robie (EMC).

以下人员参与了本规范的创建,并得到了衷心的感谢:Oscar Koeroo(Nikhef)、Erik Rissanen(Axiomatics)和Jonathan Robie(EMC)。

Authors' Addresses

作者地址

Remon Sinnema EMC Corporation

Remon-Ma EMC公司

   EMail: remon.sinnema@emc.com
   URI:   http://securesoftwaredev.com/
        
   EMail: remon.sinnema@emc.com
   URI:   http://securesoftwaredev.com/
        

Erik Wilde EMC Corporation 6801 Koll Center Parkway Pleasanton, CA 94566 USA

Erik Wilde EMC Corporation 6801美国加利福尼亚州普莱森顿科尔中心公园路94566号

   Phone: +1-925-600-6244
   EMail: erik.wilde@emc.com
   URI:   http://dret.net/netdret/
        
   Phone: +1-925-600-6244
   EMail: erik.wilde@emc.com
   URI:   http://dret.net/netdret/