[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [security-services] Changes for Core 26
At 11:27 AM 2/11/02 +0000, Stephen Farrell wrote:
>Eve,
>
><sophistry>
>The problem with being logical, consistent and pure in this case
>is that it ignores reality and results in saml conformant code
>not being as useful as current proprietary products.
></sophistry>
Actually, I wasn't going for purity per se. I was going for the least
number of false matches (because "FRED" isn't "fred"), at the potential
cost of extra rejects ('sorry, you can't access resource "FRED" because
you're only allowed access to "fred"'). This sounds more secure to me, and
it also means a simple context-insensitive matching rule that doesn't
depend on private agreements. Certainly a standard is going to cut off
some avenues for convenience that proprietary products take advantage of
now, but often this is the cost of interoperability.
>I'm mainly thinking of resource names which are read off the wire
>by saml components as written by non-saml components. I'm not sure
>if the namespace case is the same, but it clearly has less precedent
>than the resource URI case.
I'm not sure I understand this...
Eve
--
Eve Maler +1 781 442 3190
Sun Microsystems XML Technology Center eve.maler @ sun.com
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC