Subject: Inadequate identification of LDAP attributes
The method for forming XACML attribute identifiers for LDAP attributes (and by association, X.500 attributes) described in Appendix B.4 of the XACML 3.0 core specification is neither unique nor complete.

The method is incomplete in that it only covers directory attributes that are defined in RFCs. The most commonly used directory attributes are defined in RFCs, but a great many attributes are defined in the specifications of other standards bodies such as ISO and the ITU-T, in industry profiles, in vendor documentation, or simply in the schema configuration of directories deployed in user organizations. In the case of my LDAP & X.500 implementation, less than half of the built-in directory attributes are defined in an RFC. What XACML identifiers should the majority be given?

The method is not unique in that many of the attributes defined in an RFC are defined in more than one RFC. For instance, most of the directory attributes defined in RFC 2256 are also defined in RFC 4519, which obsoletes RFC 2256. Which RFC is definitive? Directory attributes are also permitted to have more than one name, which is another source of non-uniqueness.

One thing that is true of every well-defined directory attribute is that it has a globally unique object identifier. This, in the form of an OID URN (RFC 3061), is what the SAML X.500/LDAP Attribute Profile uses to identify directory attributes. XACML should do the same. For example, "http://www.ietf.org/rfc/rfc2256.txt#userPassword" would be replaced by "urn:oid:2.5.4.35".

By the way, the current normative reference for LDAP is RFC 4510.

Regards,
Steven
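The point of the post is that an attribute's OID is the one stable handle, while RFC anchors and names are not. The following added example (not from the post or from any XACML or SAML implementation) shows what a policy engine would do with that: it parses RFC 4512 attribute type descriptions as a directory publishes them in its subschema, indexes every name and alias to the OID, rewrites Appendix B.4-style identifiers into RFC 3061 OID URNs, and syntax-checks the result. The sample schema entries are constructed here; `2.5.4.35` (userPassword) is the value quoted in the post, `2.5.4.3` with aliases `cn`/`commonName` is the standard X.500 assignment, and `1.3.6.1.4.1.99999.1.1` / `exampleCorpClearance` is a hypothetical locally defined attribute under a placeholder arc, standing in for the attributes that no RFC defines.

```python
import re

# Constructed sample subschema 'attributeTypes' values in RFC 4512 syntax.
# The third entry is hypothetical: a site-defined attribute under a placeholder
# private arc, the kind of attribute that has an OID but no RFC anchor.
SAMPLE_ATTRIBUTE_TYPES = [
    "( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "( 1.3.6.1.4.1.99999.1.1 NAME 'exampleCorpClearance' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
]

# Leading "( <numericoid> NAME <qdescrs>" of an AttributeTypeDescription.
# NAME is either a single 'qdescr' or a parenthesised list of them.
_ATTRTYPE_RE = re.compile(
    r"^\(\s*(?P<oid>\d+(?:\.\d+)+)\s+NAME\s+"
    r"(?P<names>'[^']*'|\(\s*(?:'[^']*'\s*)+\))"
)

# Appendix B.4 style identifier: an RFC URL with the attribute name as fragment.
_RFC_ANCHOR_RE = re.compile(
    r"^http://www\.ietf\.org/rfc/rfc\d+\.txt#(?P<attr>[A-Za-z][A-Za-z0-9-]*)$"
)

# RFC 3061 NSS: numbers separated by dots, no leading zeros ("0" alone is fine).
_OID_URN_RE = re.compile(r"^urn:oid:(?:0|[1-9]\d*)(?:\.(?:0|[1-9]\d*))*$", re.IGNORECASE)


def parse_attribute_type(definition):
    """Return (oid, [names]) from an RFC 4512 AttributeTypeDescription string."""
    m = _ATTRTYPE_RE.match(definition.strip())
    if m is None:
        raise ValueError("not an attribute type description: %r" % definition)
    names = re.findall(r"'([^']*)'", m.group("names"))
    return m.group("oid"), names


def build_name_to_oid(definitions):
    """Index every name and alias (case-insensitively, as LDAP does) to its OID."""
    index = {}
    for definition in definitions:
        oid, names = parse_attribute_type(definition)
        for name in names:
            index[name.lower()] = oid
    return index


def oid_urn(oid):
    """Form the RFC 3061 URN for a dotted-decimal OID."""
    return "urn:oid:" + oid


def is_oid_urn(identifier):
    """Syntax check for an OID URN; rejects leading zeros and empty arcs."""
    return _OID_URN_RE.match(identifier) is not None


def xacml_attribute_id(name, index):
    """Attribute identifier for any LDAP attribute name or alias: its OID URN."""
    return oid_urn(index[name.lower()])


def convert_identifier(identifier, index):
    """Rewrite an Appendix B.4 identifier (any RFC number) to the OID URN.

    Identifiers that are not RFC anchors are returned unchanged, so already
    converted policies pass through untouched.
    """
    m = _RFC_ANCHOR_RE.match(identifier)
    if m is None:
        return identifier
    return xacml_attribute_id(m.group("attr"), index)


if __name__ == "__main__":
    index = build_name_to_oid(SAMPLE_ATTRIBUTE_TYPES)
    # Two RFC anchors and two names all collapse to one identifier each.
    for ident in ("http://www.ietf.org/rfc/rfc2256.txt#userPassword",
                  "http://www.ietf.org/rfc/rfc4519.txt#userPassword",
                  "cn", "commonName", "exampleCorpClearance"):
        out = convert_identifier(ident, index) if ident.startswith("http") \
            else xacml_attribute_id(ident, index)
        print("%-55s -> %s  (valid: %s)" % (ident, out, is_oid_urn(out)))
```

The conversion works the same way for the locally defined attribute as for `userPassword`, which is the practical gain: a policy decision point needs only the directory's own subschema, not a list of which RFC happens to be current. Note that the mapping is deliberately many-to-one (two RFC anchors and two aliases yield one URN), so policies written against either RFC 2256 or RFC 4519 anchors compare equal after conversion.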