Access Control
and
XML Encryption
Mark Scherling
Xcert International Inc.
Access Control Definition
- Access control is the collection of mechanisms that permits managers of a system to
exercise a directing or restraining influence over the behavior, use and content of a
system. It permits management to specify what users can do, which resources they can
access and what operations they can perform.
Access Control techniques
- Discretionary Access Control
- Mandatory Access Control
- Lattice-based Access Control
- Rule-based Access Control
- Role-based Access Control
- Access Control List
Access Control and XML Encryption
- Security classifications
- Requirements for access controls
- Identification of users
- Identification of elements
- Individual element encryption
Security Classifications
- Organizational dependency
- Can have one or more classification levels
- Classification level usually correlates to amount of damage disclosure causes
- Is object oriented now
- Could be content oriented using XML
Requirements for access controls in XML Encryption
- Identification of user
- Need to know who:
-
- to verify right-to-see content
- to encrypt the content with the correct key
- Identification of element
- Need to know what element:
-
- Ability to individually encrypt different elements in same document to different levels
of access
Requirements for access controls in XML Encryption
- Embedding access controls in document
OR
- Using access controls external to the document
DEPENDS
- Granularity of access controls
- Role versus person
- Size of audience
- Number of documents
Summary of access control requirements
- Method of identifying user (s)
- Method of identifying element (s)
- Individual encryption of elements
- Embedded or External Access Control List
- Interaction with other standards
Recommendations for access control requirements
- WG - should not recommend access control methods for XML Encryption
- WG - should provide notes on access control and XML Encryption
- WG - should work with W3C and IETF groups to ensure access control issues with XML
Encryption are noted/addressed