security-services message



Subject: Re: [security-services] Changes for Core 26



All,

> It would be extremely weird to
> allow both of the following (and the infinite number of variations) as
> "the" action namespace:
> 
>    http://www.oasis-open.org/committees/security/docs/draft-sstc-core-25/rwedc
>    http://www.oasis-open.ORG/committees/security/../security/docs/draft-sstc-core-25/rwedc

I agree.

I guess SAML could reasonably have a general URI rule (full-string case-sensitive
comparison) with exceptions for defined cases like resource URLs.
For resource URLs we could use the 2396-based matching and make note of
the problem with case sensitivity of the "pathname" part of the URL.
I think all SAML processors then have to treat all resource URIs as
URLs though, right?

It may well be the case that most other mis-compares of URIs just result
in DoS (which wouldn't justify 2396 levels of flexibility IMO). Are there 
any other real cases where the default rule wouldn't be enough? 

If not, should the -26 version include text like that I proposed, but
applying only to resource URIs? (see [1], thing #3)

Stephen.

[1] http://lists.oasis-open.org/archives/security-services/200202/msg00063.html


-- 
____________________________________________________________
Stephen Farrell
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com

