OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [security-services] Changes for Core 26


Phill,

I just quickly went through the new pdf & have the following comments,
all with specific changes (see I'm being a good boy before I go to the
pub:-).

Regards,
Stephen.

1) the rare-old-times:-)
------------------------

> b) Modify text in the following sections to state "The time value MUST be
> expressed in UTC time as specified in section 1.3.4"
> 2.3.3, 2.3.3., 3.2.1, 3.4.1

The above I like. The pdf however also says: "MUST NOT generate time
instants that specify leap seconds." I guess this is trying to constrain
dateTime even more, (an approach with which I symphatize), but I think
this is just a little bit too much. I'd suggest s/MUST NOT/SHOULD NOT/,
on the basis that "MUST NOT" means that everyone has to write a line
of code that only gets executed once every couple of years - it might 
be something like "if (seconds==60) sleep(1)". Now that I'd rather not
have that MUST since sleeping that second could be important for some
application or other and code that's run that rarely *always* causes
problems (at least it did when I wrote code:-).

2. NameIdentifier.Name
----------------------

Eve suggested putting the name value in as element value, not as an
attribute which I thought had been agreed but the NameIdentifier still
has two attributes here. Suggest implementing Eve's change.

3. Resource matching
--------------------

> 706: Wildcard issue.

Given that we're not allowing wildcards (though we should:-), we need
to include some text so PEPs can tell if a resource from a statement
matches a URI (esp http URL).

RFC2396 has loads to say about this, esp a bit (section 6) where they
point out e.g. that "http://foo.com/" is the same as "HTTP://fOo.CoM:80/".
It does, of course, get worse, given escaping%20etc. So - is it sufficient
that we point at 2396 for resource matching? If so, then how about adding
this to "section 1.2.2 comparing SAML values:

   All URIs contained in SAML elements (whether as element or attribute
   values) MUST be compared as specified in [RFC2396]. In particular this
   means that "http://foo.com/go/to/the/pub/" represents the same resource
   as "HTTP://FoO.CoM:80/go/../go/to/the/pub". Implementations MUST ensure
   that all URI comparisons take account of all the relevant mappings as,
   for example, strings of the form  of "go/../go" have in the past been 
   successfully used in attacks on systems. This would apply most especially 
   to a PEP that cached SAML decision assertions for example. SAML 
   implementations however, SHOULD NOT, (unless running in an entirely
   "trusted" environment) assume that DNS names and IP addresses can 
   be taken to represent the same resource, that is, "http://foo.com" 
   SHOULD never be take to be the same as "http://10.0.0.1/" regardless
   of the fact that foo.com maps to 10.0.0.1 according to the local DNS.

That does still leave the following problems, (I've run out of time to 
suggest text, feel free to make improvements):

- Some filesystems are case insensitive, some aren't. [One way to handle
  this is for the pEp to include a flag in the decision query telling the
  PdP whether it (the PEP) is case-sensitive for URI local parts. Is it
  too late to add in something like that?]
- "/" being the same as "/index.html" [Have the PEP tell the PDP as 
  above? Sounds too hard to me in general.]
- Probably more I've forgotten ;-(

4. IPv6
-------

> 664: IPv6 issue, I need someone to write text.

Just live with dot sep string form of IPv4 for now and include a comment
that IPv6 text will be in the next release. Reason I'd suggest punting on 
this is that I'm not sure whether we need to consider address matching
(e.g. whether "/24" is something to wory about - harder in the v6 world
of course). Suggested text:

   IPv4 addresses MUST be represented using "dot-separated" notation, 
   e.g. "10.0.0.1". The next revision of this specification will 
   define how to handle IPv6 addresses.

'Course if you've time to do better, then ignore this.




-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC