OASIS Mailing List Archives

security-services message



Subject: Re: [security-services] Changes for Core 26



":80" ?

"Hallam-Baker, Phillip" wrote:
> 
> I think there might be a simple syntactic rule.
> 
> All the URIs that use case insensitive matching on the DNS portion are of
> the form method://dns/rest
> 
> so it is pretty easy to write a FSR for
> 
> scheme://case-insensitive/sensitive
>         |
> scheme:case-sensitive
> 
> Phillip Hallam-Baker FBCS C.Eng.
> Principal Scientist
> VeriSign Inc.
> pbaker@verisign.com
> 781 245 6996 x227
> 
> > -----Original Message-----
> > From: Stephen Farrell [mailto:stephen.farrell@baltimore.ie]
> > Sent: Tuesday, February 12, 2002 6:14 AM
> > To: Eve L. Maler
> > Cc: security-services@lists.oasis-open.org
> > Subject: Re: [security-services] Changes for Core 26
> >
> >
> >
> > All,
> >
> > > It would be extremely weird to allow both of the following
> > > (and the infinite number of variations) as "the" action namespace:
> > >
> > > http://www.oasis-open.org/committees/security/docs/draft-sstc-core-25/rwedc
> > > http://www.oasis-open.ORG/committees/security/../security/docs/draft-sstc-core-25/rwedc
> >
> > I agree.
> >
> > I guess saml could reasonably have a general URI rule
> > (full-string-case-sensitive-comparison) with exceptions for defined
> > cases like resource URLs.
> > For resource URLs we could use the 2396 based matching and make note of
> > the problem with case sensitivity of the "pathname" part of the URL.
> > I think all saml processors then have to treat all resource URIs as
> > URLs though, right?
> >
> > It may well be the case that most other mis-compares of URIs just result
> > in DoS (which wouldn't justify 2396 levels of flexibility IMO). Are there
> > any other real cases where the default rule wouldn't be enough?
> >
> > If not, should the -26 version include text like that I proposed, but
> > applying only to resource URIs? (see [1], thing #3)
> >
> > Stephen.
> >
> > [1] http://lists.oasis-open.org/archives/security-services/200202/msg00063.html
> 
> --
> ____________________________________________________________
> Stephen Farrell
> Baltimore Technologies,   tel: (direct line) +353 1 881 6716
> 39 Parkgate Street,                     fax: +353 1 881 7000
> Dublin 8.                mailto:stephen.farrell@baltimore.ie
> Ireland                             http://www.baltimore.com
> 

-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com
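
The comparison rules discussed in this thread, as an added Python example that is not part of the original messages: full-string case-sensitive comparison as the general rule, and for resource URLs of the form scheme://dns/rest a normalization that lowercases the DNS part, keeps the rest case-sensitive and resolves `..` segments. Folding `:80` for http is a switch because the thread leaves that question open; the function names, the port table and the constructed variant `C` are assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: only these schemes have a default port worth folding.
DEFAULT_PORTS = {"http": 80, "https": 443}

def strict_equal(a, b):
    """General rule proposed in the thread: full-string, case-sensitive."""
    return a == b

def remove_dot_segments(path):
    """Resolve '.' and '..' segments without touching case or empty segments."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if len(out) > 1:          # never climb above the root
                out.pop()
        elif seg != ".":
            out.append(seg)
    if path.endswith(("/.", "/..")):  # keep the trailing slash
        out.append("")
    return "/".join(out)

def normalize_resource_url(uri, fold_default_port=True):
    """scheme://dns/rest: lowercase scheme and DNS part, keep rest as is.
    scheme:opaque (no '//' authority) is returned unchanged."""
    parts = urlsplit(uri)
    if not parts.netloc:
        return uri
    scheme = parts.scheme.lower()
    host = parts.hostname or ""       # urlsplit lowercases the host
    if ":" in host:                   # IPv6 literal: restore brackets
        host = f"[{host}]"
    port = parts.port
    if fold_default_port and port == DEFAULT_PORTS.get(scheme):
        port = None                   # the ':80' question from the reply
    userinfo, at, _ = parts.netloc.rpartition("@")   # userinfo keeps its case
    netloc = userinfo + at + host + (f":{port}" if port is not None else "")
    return urlunsplit((scheme, netloc, remove_dot_segments(parts.path),
                       parts.query, parts.fragment))

def resource_equal(a, b, fold_default_port=True):
    return (normalize_resource_url(a, fold_default_port)
            == normalize_resource_url(b, fold_default_port))

# The two spellings quoted in the thread, plus one constructed variant.
A = "http://www.oasis-open.org/committees/security/docs/draft-sstc-core-25/rwedc"
B = "http://www.oasis-open.ORG/committees/security/../security/docs/draft-sstc-core-25/rwedc"
C = A.replace(".org/", ".org:80/")    # constructed: explicit default port
```

A policy engine that compares with `strict_equal` treats `A`, `B` and `C` as three different resources, so whichever rule is chosen has to be applied identically where the assertion is issued and where it is enforced.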

