[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [security-services] Resource text
I am interpreting the action item to be "and, and" rather than options per
se. We can strike text folk feel is superfluous.
Existing text
2.4.4. Element <AuthorizationDecisionStatement>
The <AuthorizationDecisionStatement> element supplies a statement by the
issuer that the request for access by the specified subject to the specified
resource has resulted in the specified decision on the basis of some
optionally specified evidence. It is of type
AuthorizationDecisionStatementType, which extends
SubjectStatementAbstractType with the addition of the following elements (in
order) and attributes:
Resource [Optional]
A URI identifying the resource to which access authorization is sought.
Proposed change
2.4.4. Element <AuthorizationDecisionStatement>
The <AuthorizationDecisionStatement> element supplies a statement by the
issuer that the request for access by the specified subject to the specified
resource has resulted in the specified decision on the basis of some
optionally specified evidence.
The resource is identified by means of a URI. In order for the assertion to
be interpreted correctly and securely the issuer and relying party MUST
interpret each URI in a consistent manner. Failure to achieve a consistent
URI interpretation can result in different authorization decisions depending
on the encoding of the resource URI. To avoid ambiguity resulting from
variations in URI encoding SAML applications SHOULD employ the URI
cannonical form wherever possible as follows:
* The assertion issuer SHOULD encode all resource URIs in canonical
form.
* Relying parties SHOULD convert resource URIs to cannonical form prior
to processing.
Inconsistent URI interpretation can also result from differences between the
URI syntax and the semantics of an underlying file system. Particular care
is required if URIs are employed to specify an access control policy
language. The following security conditions should be satisfied by the
system which employs SAML assertions:
* The URI syntax is case sensitive. If the underlying file system is
case insenstive a requestor SHOULD NOT be able to gain access to a denied
resource by changing the case of a part of the resource URI.
* Many file systems support mechanisms such as logical paths and
symbolic links which allow users to establish logical equivalences between
file system entries. A requestor SHOULD NOT be able to gain access to a
denied resource by creating such an equivalence.
The <AuthorizationDecisionStatement> element is of type
AuthorizationDecisionStatementType, which extends
SubjectStatementAbstractType with the addition of the following elements (in
order) and attributes:
Resource [Optional]
A URI identifying the resource to which access authorization is sought.
[Also fix section 3.3.5 to reference]
Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227
Phillip Hallam-Baker (E-mail).vcf
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC