Assuming the
PEP uses digital signatures in SAML wrapped XACML (or for that matter
SSL) as a means to authenticate with the PDP and to protect the
integrity of the request, would it ever be a possible case where the attributes
in the request have not been validated as legitimate by the PEP? The signature
only establishes the authenticity and integrity, but the requestor makes no
claims about the validity of the attributes. In such cases, should not the PDP
make these validations in order to circumvent a possible security attack?
Regards,
Anil