OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [xacml] Attribute validation


Well the IGF (which we are in favor of, obviously) solves part of the problem, but at the moment it only covers Subject Attributes. This is an area we are actively pursuing inside and outside the TC.

Hal

> -----Original Message-----
> From: sampo@symlabs.com [mailto:sampo@symlabs.com]
> Sent: Friday, October 31, 2008 12:09 PM
> To: Anil Tappetla (atappetl)
> Cc: sampo@symlabs.com; xacml@lists.oasis-open.org
> Subject: RE: [xacml] Attribute validation
> 
> Anil Tappetla (atappetl) wrote:
> > As a related strand - how does the PEP determine what attributes it must
> > pass in a request to the PDP ? For apparently, the applicability of
> > policies may vary with what attributes are present in the request.
> 
> The Liberty Alliance Identity Governance Framework (IGF) provides
> perfect solution for this. Each party, here PDP, declares formally
> what attributes it needs and other parties (PEP) can be configured
> to match in more or less automatic way.
> 
> Cheers,
> --Sampo
> 
> > Regards,
> > Anil
> >
> > -----Original Message-----
> > From: sampo@symlabs.com [mailto:sampo@symlabs.com]
> > Sent: Friday, October 31, 2008 7:07 PM
> > To: Anil Tappetla (atappetl)
> > Cc: xacml@lists.oasis-open.org; sampo@symlabs.com
> > Subject: Re: [xacml] Attribute validation
> >
> > Anil Tappetla (atappetl) wrote:
> >> Assuming the PEP uses digital signatures in SAML wrapped XACML (or for
> >
> >> that matter SSL) as a means to authenticate with the PDP and to
> >> protect the integrity of the request, would it ever be a possible case
> >
> >> where the attributes in the request have not been validated as
> >> legitimate by the PEP ? The signature only establishes the
> >> authenticity and integrity, but the requestor makes no claims about
> >> the validity of the attributes. In such cases, should not the PDP make
> >
> >> these validations in order to circumvent a possible security attack ?
> >
> > There is not much point in PEP supplying attributes if it does not
> > guarantee their authenticity. If PEP is unable to supply authentic
> > attributes, then PDP/PIP would be better off obtaining the attributes
> > directly from the authorative source rather than "validate".
> >
> > I can see a situation where user lands to PEP using SSO that passes some
> > attributes from IdP. The SSO a7n is signed so authenticity of attributes
> > can be validated by checking the signature. However, generally the
> > signature can only be checked by PEP and will not be visible to PDP.
> > Thus PEP unwraps the attributes and then vouches their authenticity to
> > the PDP. It would be nice if the IdP signature was not lost and could be
> > passed to the PDP so PDP would be trusting the IdP rather than PEP.
> >
> > While it would be possible to sign the a7n in such a way that the
> > attribute statement could be extracted without breaking the signature,
> > the XACML attribute formatting is different. Perhaps XACML should use
> > SAML Attribute Statements as the format for attributes? Barring that,
> > the only way I can see this could be done right now is to pass at XACML
> > layer one big attribute whose contents would be the signed a7n or
> > attribute statement.
> >
> > Cheers,
> > --Sampo
> >
> >> Regards,
> >> Anil
> >>
> >
> >
> >
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> 



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]