Re: XML fine-grained access control: a manifesto

Hi, Damiani

> 4. Request for Comments
> We are well aware that several other research groups from both
> academia and industry are now investigating problems related to
> XML and access control (notably, IBM Japan Research labs and
> Microsoft Research). In our opinion, early standardization
> will be critical for the practical impact of this work.  We
> believe that discussion and exchange of ideas via the W3C list
> and, possibly, holding a W3C workshop on this subject could
> make future standardization easier. Some of the possible
> discussion topics are listed below:

The idea of XML fine-grained access control is very interesting. Our team in
Tokyo Research Lab has been interested and involved in several aspects of
XML security such as digital signature, element-wise encryption, and access
control on XML documents as well. Someone may say that standardization for
digital signature and encryption on XML is more essential compared to that
of XML access control. Yes, however, it is often the case that an XML
document such as an e-contract contains multi-level security information and
the access to that document must be controlled, e.g. a sub-portion of the
original XML may have a digital signature that must be protected from
anonymous read access. Or when the access comes from a specific
department, access is allowed but access must be logged.

For these purposes, it is nice to have a fine-grained access control policy
specification language for XML documents, and also reasonable to provide
such a language defined in XML. Thus we designed XACL (XML Access
Control specification Language) and implemented a prototype system for
e-commerce applications. However, there could be various language
definitions, while they have many issues that could be shared in common.
Thus I think that it is very good to propose this to some standardization
unit as a first step. I list the other reference:

M. Kudo, S. Hada, "XML Document Security and e-Business
applications," 7th ACM Conference on Computer and
Communication Security, Nov. 2000.

Regards,
Michiharu Kudo

Internet Technology              TEL +81-46-215-4642
Tokyo Research Laboratory    FAX +81-46-273-7428
IBM Japan Ltd.                      Internet: kudo@jp.ibm.com

Received on Tuesday, 8 August 2000 05:47:10 UTC
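
The two cases described in the message above (a signature sub-portion hidden from anonymous readers, and departmental reads that are allowed but must be logged) can be sketched as an element-level filter. This is an added example, not part of the original message and not XACL syntax: the rule format, the subject names, and the sample contract are all hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample e-contract; element names and values are illustrative.
CONTRACT = (
    "<contract>"
    "<terms>Delivery within 30 days</terms>"
    "<price currency='JPY'>1000000</price>"
    "<signature signer='buyer'>PLACEHOLDER-SIGNATURE-VALUE</signature>"
    "</contract>"
)

# Hypothetical rule format: (subject, element tag or "*", effect, log_access).
# First matching rule wins; anything unmatched is denied.
RULES = [
    ("anonymous", "signature", "deny", False),
    ("anonymous", "*", "grant", False),
    ("dept:sales", "*", "grant", True),
]


def decide(subject, tag):
    """Return (allowed, must_log) for a read of element `tag` by `subject`."""
    for rule_subject, target, effect, log_access in RULES:
        if rule_subject == subject and target in (tag, "*"):
            return effect == "grant", log_access
    return False, False  # default deny


def _visit(elem, subject, audit):
    """Prune unreadable children in place; record reads that must be logged."""
    allowed, must_log = decide(subject, elem.tag)
    if not allowed:
        return False
    if must_log:
        audit.append((subject, "read", elem.tag))
    for child in list(elem):  # iterate over a copy, since children are removed
        if not _visit(child, subject, audit):
            elem.remove(child)
    return True


def read_view(xml_text, subject, audit):
    """Return the tree `subject` may read (None if nothing), logging to `audit`."""
    root = ET.fromstring(xml_text)
    return root if _visit(root, subject, audit) else None
```
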