[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [security-services] Resource text
I am interpreting the action item to be "and, and" rather than options per se. We can strike text folk feel is superfluous. Existing text 2.4.4. Element <AuthorizationDecisionStatement> The <AuthorizationDecisionStatement> element supplies a statement by the issuer that the request for access by the specified subject to the specified resource has resulted in the specified decision on the basis of some optionally specified evidence. It is of type AuthorizationDecisionStatementType, which extends SubjectStatementAbstractType with the addition of the following elements (in order) and attributes: Resource [Optional] A URI identifying the resource to which access authorization is sought. Proposed change 2.4.4. Element <AuthorizationDecisionStatement> The <AuthorizationDecisionStatement> element supplies a statement by the issuer that the request for access by the specified subject to the specified resource has resulted in the specified decision on the basis of some optionally specified evidence. The resource is identified by means of a URI. In order for the assertion to be interpreted correctly and securely the issuer and relying party MUST interpret each URI in a consistent manner. Failure to achieve a consistent URI interpretation can result in different authorization decisions depending on the encoding of the resource URI. To avoid ambiguity resulting from variations in URI encoding SAML applications SHOULD employ the URI cannonical form wherever possible as follows: * The assertion issuer SHOULD encode all resource URIs in canonical form. * Relying parties SHOULD convert resource URIs to cannonical form prior to processing. Inconsistent URI interpretation can also result from differences between the URI syntax and the semantics of an underlying file system. Particular care is required if URIs are employed to specify an access control policy language. The following security conditions should be satisfied by the system which employs SAML assertions: * The URI syntax is case sensitive. If the underlying file system is case insenstive a requestor SHOULD NOT be able to gain access to a denied resource by changing the case of a part of the resource URI. * Many file systems support mechanisms such as logical paths and symbolic links which allow users to establish logical equivalences between file system entries. A requestor SHOULD NOT be able to gain access to a denied resource by creating such an equivalence. The <AuthorizationDecisionStatement> element is of type AuthorizationDecisionStatementType, which extends SubjectStatementAbstractType with the addition of the following elements (in order) and attributes: Resource [Optional] A URI identifying the resource to which access authorization is sought. [Also fix section 3.3.5 to reference] Phillip Hallam-Baker FBCS C.Eng. Principal Scientist VeriSign Inc. pbaker@verisign.com 781 245 6996 x227
Phillip Hallam-Baker (E-mail).vcf
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC