Subject: Issues in JSON Profile
Hello,

I spotted a few minor issues in the JSON Profile of XACML [1] I thought you might consider for the next version:

1. Section 4.2.2: the data type of JSON property "CategoryId" is defined as anyURI (I assume like the Category attribute in XACML 3.0, i.e. XSD-1.0-defined anyURI). But the data type of other JSON properties (e.g. AttributeId, Datatype, Category) is defined simply as URI without referring to a specific URI standard. Is it the same anyURI as in XACML 3.0 (XSD 1.0 → RFC 2396) or something else (e.g. RFC 3986)? This should be clarified. In particular, if you use JSON schema to validate input (which I tried to do) and use the built-in type "uri", this refers to RFC 3986.

2. Section 5.2.2 refers to a "PolicyIdentifierList" object whereas 5.2.11 names it "PolicyIdentifier". Probably a typo.

3. In 8.1 Request Example:
   a. the Attribute object in the Action category is not a JSON array although it should be, according to 4.2.4.
   b. typo: " AttributeId" (one space too many) instead of "AttributeId" for the location attribute of AccessSubject.

4. Security consideration: the attribute Value and Content items can be any arbitrary object of arbitrary depth and/or string of arbitrary length, resulting in possible denial of service from the PDP. I think the spec should mention this issue somewhere (like section 9 in XACML 3.0). On a side note, section 9 of XACML 3.0 could also mention the same kind of issue with AttributeValues or Attributes/Content possibly containing arbitrary XML elements of excessive depth or text size.

Kind regards,
Cyril

[1] http://docs.oasis-open.org/xacml/xacml-json-http/v1.0/xacml-json-http-v1.0.html

---
Cyril Dangerville
Security Engineer, CISSP
Thales Services
http://thalesgroup.com/
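As an added illustration of points 3a and 4 above (this is example code, not part of Cyril's message nor of the OASIS profile), a pre-check a PEP or PDP front end could run on a XACML JSON Request before handing it to the evaluation engine: it bounds body size, nesting depth and string length of the whole document (so arbitrary Value/Content items cannot exhaust the PDP), and rejects a category whose "Attribute" property is not a JSON array. The limit constants and function names are assumptions chosen for the example.

```python
import json

MAX_BODY_BYTES = 64 * 1024  # assumed bound: reject the raw body before parsing it
MAX_DEPTH = 32              # assumed bound: nesting of any Value/Content (and the request)
MAX_STRING_LEN = 4096       # assumed bound: length of any string scalar or key


class RequestTooComplex(ValueError):
    """Raised when a request exceeds the configured resource bounds."""


def _check_bounds(node, depth=0):
    """Recursively enforce MAX_DEPTH and MAX_STRING_LEN on a parsed JSON value."""
    if depth > MAX_DEPTH:
        raise RequestTooComplex(f"nesting deeper than {MAX_DEPTH}")
    if isinstance(node, str) and len(node) > MAX_STRING_LEN:
        raise RequestTooComplex(f"string longer than {MAX_STRING_LEN} characters")
    if isinstance(node, dict):
        for key, val in node.items():
            _check_bounds(key, depth + 1)
            _check_bounds(val, depth + 1)
    elif isinstance(node, list):
        for val in node:
            _check_bounds(val, depth + 1)


def _categories(request):
    """Yield each category object: the named ones (AccessSubject, Action, ...)
    and the members of the generic "Category" array."""
    for name, val in request.items():
        if name == "Category" and isinstance(val, list):
            yield from val
        elif isinstance(val, dict):
            yield val


def validate_xacml_request(body: bytes) -> dict:
    """Parse and bound-check a XACML JSON Request; return the parsed document."""
    if len(body) > MAX_BODY_BYTES:
        raise RequestTooComplex(f"body larger than {MAX_BODY_BYTES} bytes")
    try:
        doc = json.loads(body)
    except RecursionError:  # json.loads itself recurses on nested arrays/objects
        raise RequestTooComplex("nesting too deep to parse") from None
    _check_bounds(doc)
    for cat in _categories(doc["Request"]):
        # Per section 4.2.4 "Attribute" is a JSON array, even when it has one member
        if "Attribute" in cat and not isinstance(cat["Attribute"], list):
            raise ValueError('"Attribute" must be a JSON array')
    return doc
```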