Subject: Re: [security-services] Changes for Core 26
All,

> It would be extremely weird to
> allow both of the following (and the infinite number of variations) as
> "the" action namespace:
>
> http://www.oasis-open.org/committees/security/docs/draft-sstc-core-25/rwedc
> http://www.oasis-open.ORG/committees/security/../security/docs/draft-sstc-core-25/rwedc

I agree.

I guess saml could reasonably have a general URI rule
(full-string-case-sensitive-comparison) with exceptions for
defined cases like resource URLs.

For resource URLs we could use the 2396 based matching and make
note of the problem with case sensitivity of the "pathname" part
of the URL. I think all saml processors then have to treat all
resource URIs as URLs though, right?

It may well be the case that most other mis-compares of URIs
just result in DoS (which wouldn't justify 2396 levels of
flexibility IMO).

Are there any other real cases where the default rule wouldn't
be enough? If not, should the -26 version include text like that
I proposed, but applying only to resource URIs? (see [1], thing #3)

Stephen.

[1] http://lists.oasis-open.org/archives/security-services/200202/msg00063.html

--
____________________________________________________________
Stephen Farrell
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com
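
The two comparison rules discussed in the message above, run against the two quoted URIs. This is an added example, not part of the original e-mail or of any SAML draft; the function names are hypothetical, and keeping the path case-sensitive is an assumption.

```python
from urllib.parse import urlsplit, urlunsplit

# The two action-namespace URIs quoted in the message.
URI_A = "http://www.oasis-open.org/committees/security/docs/draft-sstc-core-25/rwedc"
URI_B = "http://www.oasis-open.ORG/committees/security/../security/docs/draft-sstc-core-25/rwedc"

DEFAULT_PORTS = {"http": 80, "https": 443}


def exact_match(a: str, b: str) -> bool:
    """General rule: full-string, case-sensitive comparison."""
    return a == b


def remove_dot_segments(path: str) -> str:
    """Resolve "." and ".." segments; never climb above the root."""
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:
                out.pop()
            continue
        out.append(seg)
    if path.endswith(("/.", "/..")):
        out.append("")  # keep the trailing slash the dot segment implied
    return "/".join(out)


def normalize_resource_url(url: str) -> str:
    """Hypothetical helper: 2396-style normalization for resource URLs only.

    Scheme and host are lowercased and a default port is dropped. The path
    keeps its case (assumption: the server may treat it as case-sensitive).
    Userinfo, if present, is discarded.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{parts.port}"
    path = remove_dot_segments(parts.path or "/")
    return urlunsplit((scheme, host, path, parts.query, parts.fragment))


def resource_match(a: str, b: str) -> bool:
    """Exception rule for resource URLs: compare after normalization."""
    return normalize_resource_url(a) == normalize_resource_url(b)
```

Under the general rule the two quoted URIs are different identifiers; under the resource-URL rule they match, while a change of case in the path still does not.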