RE: XACML - Extensible Access Control Markup Language]

----- Forwarded message from Larry Gussin <ldgussin@home.com> -----

Date: Wed, 25 Apr 2001 13:05:50 -0400 (EDT)
Message-ID: <007501c0cdaa$4991cc00$16c60b41@pwtkt1.ri.home.com>
From: "Larry Gussin" <ldgussin@home.com>
To: <www-drm@w3.org>
Subject: [Moderator Action] RE: XACML - Extensible Access Control Markup Language

Hi,

I believe several worlds are colliding here. 

The XACML press release equates "access control" with "rights management", but in scanning the XACML discussions over the last few months http://lists.oasis-open.org/archives/xacml-discuss/, I find no mention of rights management among over 100 messages - except a brief mid-February query about and dismissal of the importance of XRML and Contentguard to what they were doing. Nor anything about W3C DRM or MPEG 21. Likewise no mention of XACML among W3C DRM folks. (Nevertheless, XACML grows out of IBM, which as a corporate entity has been involved in DRM for many years; while Reuters also is keeping a hand in both places.)

I'll suggest this distinction, hoping to learn from criticism: 

XACML grows out of an effort to use XML to incrementally extend enterprise access control capabilities - primarily server session based - to the current Web. It is a response to strong current enterprise markets demand. Its frame of reference is other XML-based efforts aimed at helping enterprises build out their extranets, in part through interoperability.

(Here, as evidence, is from a Feb. 21 announcement of the XACML discussion list http://lists.oasis-open.org/archives/xacml-discuss/200102/msg00000.html: "The scope of discussion is eXtensible Access Control Markup Language (XACML), which addresses security related specifications orthogonal to the efforts of the existing Security Services OASIS TC. Whereas the Security Services TC exists to define an XML framework for exchanging authentication and authorization information, XACML is concerned with the representation of access control policies as XML and the application of these policies to XML documents. The people requesting the creation of this discussion list have discussed this effort with the existing Security Services TC, and that TC agreed that this work is best carried out as a separate, though coordinated, effort rather than as a part of the Security Services TC.")

DRM, on the other hand, is accruing a community (eg., AAP, MPEG) intent on building pervasive rights management support into an envisioned future Web. It is far more philisophical and - in terms of conceived applications - for more comprehensive, but it is less tied to existing markets, and therefore perhaps less embedded in reality. By reality I would mean: what will be the equivalences between addressing logical complexities and addressing real world problems?

Comments?

Larry Gussin

----- End forwarded message -----

Received on Wednesday, 25 April 2001 19:05:50 UTC