xacml-comment message

Subject: Issues in JSON Profile


Hello,

I spotted a few minor issues in the JSON Profile of XACML [1] I thought you might consider for the next version:


1. Section 4.2.2: the data type of JSON property "CategoryId" is defined as anyURI (I assume like the Category attribute in XACML 3.0, i.e. XSD-1.0-defined anyURI). But the data type of other JSON properties (e.g. AttributeId, Datatype, Category) is defined simply as URI without referring to a specific URI standard. Is it the same anyURI as in XACML 3.0 (XSD 1.0 → RFC 2396) or something else (e.g. RFC 3986)? This should be clarified. In particular, if you use JSON schema to validate input – which I tried to do – and use the built-in type "uri", this refers to RFC 3986.

2. Section 5.2.2 refers to a "PolicyIdentifierList" object whereas 5.2.11 names it "PolicyIdentifier". Probably a typo.

3. In 8.1 Request Example,

a. the Attribute object in the Action category is not a JSON array although it should be, according to 4.2.4.

b. typo: " AttributeId" (one space too many) instead of "AttributeId" for the location attribute of AccessSubject.

4. Security consideration: the attribute Value and Content items can be any arbitrary object of arbitrary depth and/or string of arbitrary length, resulting in possible denial of service from the PDP. I think the spec should mention this issue somewhere (like section 9 in XACML 3.0). On a side note, section 9 of XACML 3.0 could also mention the same kind of issue with AttributeValues or Attributes/Content possibly containing arbitrary XML elements of excessive depth or text size.


Kind regards,

Cyril


[1] http://docs.oasis-open.org/xacml/xacml-json-http/v1.0/xacml-json-http-v1.0.html


---

Cyril Dangerville

Security Engineer, CISSP

Thales Services

http://thalesgroup.com/
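An added example, not part of the message above or of the XACML JSON profile, showing one way a PDP front end could address item 4 (unbounded depth and string length in Value/Content) and item 3a (Attribute must be a JSON array): the raw request text is bounded in a single linear pass before it is handed to the real JSON parser, so an oversized or deeply nested payload is rejected without ever building an object tree. The limits, the helper names and the sample requests are assumptions constructed for this example.

```python
import json

# Constructed limits for this added example, not values from the profile.
MAX_BYTES, MAX_DEPTH, MAX_STRING_LEN = 64 * 1024, 32, 4096

def check_json_bounds(text, max_depth=MAX_DEPTH, max_string_len=MAX_STRING_LEN):
    """Linear pass over raw text: bound {}/[] depth and string length before parsing."""
    depth = peak = str_len = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            str_len += 1
            if str_len > max_string_len:
                raise ValueError("string literal longer than %d" % max_string_len)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string, str_len = True, 0
        elif ch in "{[":
            depth += 1
            if depth > max_depth:
                raise ValueError("nesting deeper than %d" % max_depth)
            peak = max(peak, depth)
        elif ch in "}]":
            depth -= 1
    return peak  # peak nesting depth seen, useful for logging

def _require_attribute_arrays(node):
    """The 4.2.4 point from the mail: every 'Attribute' member must be a JSON array."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Attribute" and not isinstance(value, list):
                raise ValueError("'Attribute' must be a JSON array, got %s" % type(value).__name__)
            _require_attribute_arrays(value)
    elif isinstance(node, list):
        for item in node:
            _require_attribute_arrays(item)

def load_xacml_request(raw):
    """Reject oversized or over-nested Value/Content on the raw text, then parse and check shape."""
    if len(raw) > MAX_BYTES:
        raise ValueError("request larger than %d bytes" % MAX_BYTES)
    check_json_bounds(raw)
    doc = json.loads(raw)
    _require_attribute_arrays(doc)
    return doc
```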


