OASIS Mailing List Archives: security-services message
Subject: RE: [security-services] Changes for Core 26


I think there might be a simple syntactic rule.

All the URIs that use case insensitive matching on the DNS portion are of
the form method://dns/rest

so it is pretty easy to write a FSR for 

scheme://case-insensitive/sensitive
	|
scheme:case-sensitive

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227


> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@baltimore.ie]
> Sent: Tuesday, February 12, 2002 6:14 AM
> To: Eve L. Maler
> Cc: security-services@lists.oasis-open.org
> Subject: Re: [security-services] Changes for Core 26
> 
> 
> 
> All,
> 
> > It would be extremely weird to
> > allow both of the following (and the infinite number of variations) as
> > "the" action namespace:
> > 
> >    http://www.oasis-open.org/committees/security/docs/draft-sstc-core-25/rwedc
> >    http://www.oasis-open.ORG/committees/security/../security/docs/draft-sstc-core-25/rwedc
> 
> I agree.
> 
> I guess saml could reasonably have a general URI rule
> (full-string-case-sensitive-comparison) with exceptions for defined cases like
> resource URLs.
> For resource URLs we could use the 2396 based matching and make note of
> the problem with case sensitivity of the "pathname" part of the URL.
> I think all saml processors then have to treat all resource URIs as
> URLs though, right?
> 
> It may well be the case that most other mis-compares of URIs 
> just result
> in DoS (which wouldn't justify 2396 levels of flexibility 
> IMO). Are there 
> any other real cases where the default rule wouldn't be enough? 
> 
> If not, should the -26 version include text like that I proposed, but
> applying only to resource URIs? (see [1], thing #3)
> 
> Stephen.
> 
> [1] http://lists.oasis-open.org/archives/security-services/200202/msg00063.html


-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com


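A worked version of the syntactic rule proposed above, as an added example that is not part of the thread or of any SAML implementation: scheme and DNS host compare case-insensitively, everything after the authority compares byte-for-byte, and no dot-segment or percent-encoding normalisation is applied, so the `../` variant quoted in the thread is rejected rather than equated. The `urn:example:...` value is a constructed placeholder.

```python
import re

# Two shapes from the message: scheme://case-insensitive/sensitive
# and scheme:case-sensitive (no authority component at all).
_HIERARCHICAL = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*)://([^/?#]*)(.*)$", re.DOTALL)
_OPAQUE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$", re.DOTALL)


def _fold_authority(authority: str) -> str:
    # Only the host (DNS) part is case-folded; any userinfo before '@' is kept as-is.
    userinfo, at, hostport = authority.rpartition("@")
    return userinfo + at + hostport.lower()


def match_key(uri: str) -> tuple:
    """Canonical tuple used for comparison under the thread's rule.

    Deliberately no '..' removal and no %-decoding: the string after the
    authority is compared literally, so '/security/../security/docs' is
    a different key from '/security/docs'.
    """
    m = _HIERARCHICAL.match(uri)
    if m:
        scheme, authority, rest = m.groups()
        return (scheme.lower(), _fold_authority(authority), rest)
    m = _OPAQUE.match(uri)
    if m:
        scheme, rest = m.groups()
        return (scheme.lower(), None, rest)
    raise ValueError(f"not an absolute URI: {uri!r}")


def uris_equal(a: str, b: str) -> bool:
    return match_key(a) == match_key(b)


# Constructed inputs: the two action-namespace spellings quoted in the thread,
# plus variants differing only in host case, path case, or scheme case.
BASE = "http://www.oasis-open.org/committees/security/docs/draft-sstc-core-25/rwedc"
DOTDOT = "http://www.oasis-open.ORG/committees/security/../security/docs/draft-sstc-core-25/rwedc"
HOST_CASE = "HTTP://WWW.OASIS-OPEN.ORG/committees/security/docs/draft-sstc-core-25/rwedc"
PATH_CASE = "http://www.oasis-open.org/committees/security/docs/draft-sstc-core-25/RWEDC"
URN = "urn:example:action:rwedc"  # constructed placeholder, not a real SAML URN

if __name__ == "__main__":
    print(uris_equal(BASE, HOST_CASE))  # True: only scheme/host case differs
    print(uris_equal(BASE, DOTDOT))     # False: '..' stays in the path and is compared literally
    print(uris_equal(BASE, PATH_CASE))  # False: the path is case-sensitive
    print(uris_equal(URN, "URN:example:action:rwedc"))  # True: scheme is case-folded
    print(uris_equal(URN, "urn:EXAMPLE:action:rwedc"))  # False: the rest is case-sensitive
```

A processor that applied RFC 2396 path normalisation before comparison would instead report the `../` variant as equal, which is exactly the ambiguity the thread wants the namespace rule to avoid.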
