Subject: Re: [xacml-comment] Inadequate identification of LDAP attributes
Hi Steven,

You will be pleased to know that we use the OID naming convention to refer to our LDAP attributes in our XACML authorisation policies. It is the only convention that is guaranteed to work for every (correctly defined) LDAP attribute.

Regards,

David

On 08/12/2010 00:45, Steven Legg wrote:
>
> The method for forming XACML attribute identifiers for LDAP attributes (and by association, X.500 attributes) described in Appendix B.4 of the XACML 3.0 core specification is neither unique nor complete.
>
> The method is incomplete in that it only covers directory attributes that are defined in RFCs. The most commonly used directory attributes are defined in RFCs, but a great many attributes are defined in the specifications of other standards bodies such as ISO and the ITU-T, in industry profiles, in vendor documentation, or simply in the schema configuration of directories deployed in user organizations. In the case of my LDAP & X.500 implementation, less than half of the built-in directory attributes are defined in an RFC. What XACML identifiers should the majority be given?
>
> The method is not unique in that many of the attributes defined in an RFC are defined in more than one RFC. For instance, most of the directory attributes defined in RFC 2256 are also defined in RFC 4519, which obsoletes RFC 2256. Which RFC is definitive? Directory attributes are also permitted to have more than one name, which is another source of non-uniqueness.
>
> One thing that is true of every well-defined directory attribute is that it has a globally unique object identifier. This, in the form of an OID URN (RFC 3061), is what the SAML X.500/LDAP Attribute Profile uses to identify directory attributes. XACML should do the same. For example, "http://www.ietf.org/rfc/rfc2256.txt#userPassword" would be replaced by "urn:oid:2.5.4.35".
>
> By the way, the current normative reference for LDAP is RFC 4510.
>
> Regards,
> Steven
>

-- 
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
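The point both posters make, that a directory attribute's object identifier is the only identifier guaranteed to be unique and available for every attribute, can be shown in code. The following is an added example, not code from either poster or from the XACML specification: it parses the leading part of RFC 4512 attribute type descriptions (the form a directory publishes in its subschema), derives an RFC 3061 OID URN for each attribute, and demonstrates that the Appendix B.4 identifiers for `cn` under RFC 2256 and RFC 4519 (and under its alias `commonName`) are three different strings that all collapse to one `urn:oid:` value. The sample schema is constructed for this example; the OIDs for `cn` and `userPassword` are the real X.500 ones, while the arc `1.3.6.1.4.1.99999` is a placeholder standing in for any vendor- or site-defined attribute that has no RFC at all.

```python
import re

# RFC 3061 numeric OID: dotted decimal arcs, no leading zeros, at least two arcs.
_NUMBER = r"(?:0|[1-9][0-9]*)"
OID_RE = re.compile(rf"^{_NUMBER}(?:\.{_NUMBER})+$")

# Leading part of an RFC 4512 AttributeTypeDescription:
#   "( numericoid [ NAME qdescrs ] ..." where qdescrs is 'name' or ( 'n1' 'n2' ... ).
# Only the OID and the NAME list are extracted; the remaining keywords are ignored.
ATTR_TYPE_RE = re.compile(
    r"^\(\s*(?P<oid>[0-9.]+)"
    r"(?:\s+NAME\s+(?P<names>'[^']*'|\(\s*(?:'[^']*'\s*)+\)))?"
)

# Constructed sample schema. 2.5.4.3 (cn) and 2.5.4.35 (userPassword) are the
# real X.500 OIDs; 1.3.6.1.4.1.99999.1.1 is a placeholder vendor attribute.
SAMPLE_SCHEMA = [
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )",
    "( 1.3.6.1.4.1.99999.1.1 NAME 'exampleClearance' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
]


def parse_attribute_type(desc):
    """Return (numericoid, [names]) from an attribute type description."""
    m = ATTR_TYPE_RE.match(desc.strip())
    if not m:
        raise ValueError(f"not an attribute type description: {desc!r}")
    oid = m.group("oid")
    if not OID_RE.match(oid):
        raise ValueError(f"not a numeric OID: {oid!r}")
    names = re.findall(r"'([^']*)'", m.group("names") or "")
    return oid, names


def oid_urn(oid):
    """RFC 3061 OID URN, the identifier form the SAML X.500/LDAP profile uses."""
    if not OID_RE.match(oid):
        raise ValueError(f"not a numeric OID: {oid!r}")
    return "urn:oid:" + oid


def rfc_url_id(rfc_number, attribute_name):
    """Identifier in the XACML 3.0 Appendix B.4 form the thread objects to."""
    return f"http://www.ietf.org/rfc/rfc{rfc_number}.txt#{attribute_name}"


def build_index(schema):
    """Map every attribute name and the OID itself (case-insensitively, as LDAP
    descriptors are compared) to the attribute's OID URN."""
    index = {}
    for desc in schema:
        oid, names = parse_attribute_type(desc)
        urn = oid_urn(oid)
        for key in [oid, *names]:
            index[key.lower()] = urn
    return index


def xacml_attribute_id(index, name_or_oid):
    """Resolve a name, alias or dotted OID to the AttributeId a policy should use."""
    try:
        return index[name_or_oid.lower()]
    except KeyError:
        raise KeyError(f"{name_or_oid!r} is not defined in the loaded schema") from None


def canonical_ids(index, identifiers):
    """Collapse RFC-URL identifiers (or bare names) to the set of OID URNs they
    denote; the text after '#' in an RFC-URL identifier is the attribute name."""
    return {xacml_attribute_id(index, ident.rsplit("#", 1)[-1]) for ident in identifiers}


if __name__ == "__main__":
    index = build_index(SAMPLE_SCHEMA)
    candidates = [rfc_url_id(2256, "cn"), rfc_url_id(4519, "cn"), rfc_url_id(4519, "commonName")]
    print(len(set(candidates)), "distinct RFC-based ids ->", canonical_ids(index, candidates))
    # An attribute defined only in local schema has no RFC to cite, but it has an OID.
    print(xacml_attribute_id(index, "exampleClearance"))
```

Because the index is built from the subschema the directory itself publishes, a policy author never has to decide which RFC is "definitive" or which of an attribute's names to write; the OID URN is the same whichever name appears in a policy, and attributes with no RFC are handled identically.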