Lists Home |
Date Index |
Diego M. Gonzalez wrote:
> [diegog] I think XACML can be used as a general-purpose but some
> semantics of the language assumes access control concepts. On the other
> hand, making it's scope too wide will impact in the language, and
> probably loosing compatibility with previous versions.
When people are using the term "general purpose" it means "general
purpose access control language" (as opposed to an authorization
language designed for a particular application or environment). So, yes,
you're absolutely right that most of the semantics are designed for
access control. There have been some profiles and proposals for
supporting communication or ECA policy, but the core stays true to
access control as the key use case.
> [diegog] If a similar language is developed for WS-Policy it will be
> great, because the difference between WS-Policy and XACML-like semantics
> are amazing. WS-Policy is a very limited language to define policies,
> specially when is compared to XACML semantics.
Absolutely. Specifically, WS-Policy is really about communication
policy, or the requirements for two parties (like a client and a web
service) to work together. XACML will help inform these policies, since
communication criteria is often based on backing access control policy,
but these are definately different kinds of questions being answered.
The WSPL profile mentioned in a previous message is an attempt to
profile XACML such that it also answers the kind of questions that
WS-Policy is designed to handle, only with a more expressive set of
semantics and some (in my opinion) stronger features. In general, I
think it's a good thing that there are separate, complimentary policy
language spaces like this. Conflating these into one language would, as
you note above, have a detrimental impact on the languages.