RE: [security-services] Changes for Core 26

[Irving Reid <Irving.Reid@baltimore.com>]

> From: Stephen Farrell [mailto:stephen.farrell@baltimore.ie]
> Given that we're not allowing wildcards (though we should:-), we need
> to include some text so PEPs can tell if a resource from a statement
> matches a URI (esp http URL).
> 
> RFC2396 has loads to say about this, esp a bit (section 6) where they
> point out e.g. that "http://foo.com/" is the same as 
> "HTTP://fOo.CoM:80/".
> It does, of course, get worse, given escaping%20etc. So - is 
> it sufficient
> that we point at 2396 for resource matching?

(for the rest Stephen's message see
http://lists.oasis-open.org/archives/security-services/200202/msg00063.html)

I strongly disagree with this proposal. I don't think we should build any
protocol-specific matching rules into SAML. Each PEP knows what its own
internal matching rules are, and must determine the canonical form for its
resource name BEFORE it passes the resource name to the PDP. Otherwise we're
asking for a world of pain, because to avoid potential security holes we
would need to duplicate the quirks of every PEP.

 - irving -


-----------------------------------------------------------------------------------------------------------------
The information contained in this message is confidential and is intended 
for the addressee(s) only.  If you have received this message in error or 
there are any problems please notify the originator immediately.  The 
unauthorized use, disclosure, copying or alteration of this message is 
strictly forbidden. Baltimore Technologies plc will not be liable for direct, 
special, indirect or consequential damages arising from alteration of the 
contents of this message by a third party or as a result of any virus being 
passed on.

 
This footnote confirms that this email message has been swept by 
Baltimore MIMEsweeper for Content Security threats, including
computer viruses.