Obligations are an important and indispensable part of many access control policies, such as those in DRM (Digital Rights Management) and healthcare information systems. To be able use obligations in a real-world access control system, there must exist a language for specifying obligations. However, such a language is currently lacking. XACML (eXtensible Access Control Markup Language), the current de facto standard for specifying access control policies, seems to integrate obligations as a part of it, but it treats obligations largely as black boxes, without specifying what an obligation should include and how to handle them. In this paper we examine the challenges in designing a practical approach for specifying and handling obligations, ...