xacml-users message


Subject: RE: [xacml-users] Validating XACML policies and requests against XSD



There's a whole world of difference between schema validation (which is data structure validation) and data validation.   Those same security guys who push hard for web page input data validation don't push for html schema validation because a) most/many web pages would fail such validation and b) the important validation is the data that you are processing.

There may be some weaknesses from a lack of schema validation (I'm not convinced one way or the other yet), but as far as I know, the vast, vast majority of real-world XML interfaces out there do *not* perform explicit schema validation (they perform a level of implicit schema validation by processing elements that they know and understand and frequently ignore elements that they don't know/understand (unless those elements were in SOAP headers and flagged with mustUnderstand)). I would also say that the vast majority of weaknesses are due to data content (as opposed to data structure).

Conor

> -----Original Message-----
> From: Oleg Gryb [mailto:oleg_gryb@yahoo.com]
> Sent: Tuesday, January 13, 2009 12:40 PM
> To: xacml-users@lists.oasis-open.org; xacml-comments@lists.oasis-open.org
> Subject: [xacml-users] Validating XACML policies and requests against XSD
> 
> I've noticed lately that some commercial and open source PDP engines do
> not validate requests and policies against XSD that is a part of XACML
> specification. I could see two problems related to that:
> 
> 1. Each and every security auditor would say that absence of input data
> validation is a security breach in waiting. It's true even for
> 'regular' business applications. In the case of authorization systems
> this fact should be given even a bigger attention considering
> criticality of these systems.
> 
> 2. It affects PDP's interoperability. Example that Hao has provided
> makes me think that sunxacml disregards namespaces, it means that it
> won't be interoperable with any PDP engine that does the validation
> against XSD. Seth, please let me know if my observation is not correct.
> 
> I think it should be clearly stated in the XACML specification that if
> a request or policy is not compliant with XSDs the process of
> evaluation should not even start and all invalid requests and policies
> should be rejected by PDP.
> 

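The distinction the thread draws between structure validation and data validation, as an added example that is not part of either message and not code from any PDP. The structural check is a simplified stand-in for XSD validation (namespace, known elements, required elements), `SAFE_VALUE` is an assumed local rule for identifier content, and the sample requests are constructed.

```python
import re
import xml.etree.ElementTree as ET

CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"  # XACML 2.0 context namespace
REQUIRED = ["Subject", "Resource", "Action", "Environment"]
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
SAFE_VALUE = re.compile(r"[A-Za-z0-9._@-]{1,64}")  # assumed local policy for identifiers

def local(tag):
    """Drop the '{namespace}' prefix, as a namespace-blind parser effectively does."""
    return tag.rsplit("}", 1)[-1]

def structure_problems(xml_text):
    """Structural check: right namespace, known children only, required children present."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}Request" % CTX_NS:
        problems.append("root is %s, not a XACML 2.0 Request" % root.tag)
    seen = []
    for child in root:
        if child.tag.startswith("{%s}" % CTX_NS) and local(child.tag) in REQUIRED:
            seen.append(local(child.tag))
        else:
            problems.append("unexpected element %s" % child.tag)
    problems += ["missing %s" % name for name in REQUIRED if name not in seen]
    return problems

def data_problems(xml_text):
    """Data check: inspect attribute values, whatever namespace the elements claim."""
    problems = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "Attribute" and el.get("AttributeId") == SUBJECT_ID:
            for value in el:
                if not SAFE_VALUE.fullmatch(value.text or ""):
                    problems.append("bad subject-id value %r" % value.text)
    return problems

# Constructed sample requests (not from the thread).
TEMPLATE = """<Request xmlns="%s"><Subject><Attribute AttributeId="%s"
 DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>%s</AttributeValue>
</Attribute></Subject><Resource/><Action/><Environment/>%s</Request>"""
GOOD = TEMPLATE % (CTX_NS, SUBJECT_ID, "alice", "")
WRONG_NS = TEMPLATE % ("urn:example:not-xacml", SUBJECT_ID, "alice", "")
EXTRA = TEMPLATE % (CTX_NS, SUBJECT_ID, "alice", "<Debug/>")
BAD_DATA = TEMPLATE % (CTX_NS, SUBJECT_ID, "alice, role=admin", "")

if __name__ == "__main__":
    for doc in (GOOD, WRONG_NS, EXTRA, BAD_DATA):
        print(structure_problems(doc), data_problems(doc))
```

`WRONG_NS` passes the namespace-blind data check but fails the structural one, while `BAD_DATA` is structurally clean and is caught only by the data check.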