
Subject: Re: [xacml-comment] Inadequate identification of LDAP attributes

Hi Steven,

You will be pleased to know that we use the OID naming convention to refer to our LDAP attributes in our XACML authorisation policies. It is the only convention that is guaranteed to work for every (correctly defined) LDAP attribute.



On 08/12/2010 00:45, Steven Legg wrote:
> The method for forming XACML attribute identifiers for LDAP attributes (and by association, X.500 attributes) described in Appendix B.4 of the XACML 3.0 core specification is neither unique nor complete.
>
> The method is incomplete in that it only covers directory attributes that are defined in RFCs. The most commonly used directory attributes are defined in RFCs, but a great many attributes are defined in the specifications of other standards bodies such as ISO and the ITU-T, in industry profiles, in vendor documentation, or simply in the schema configuration of directories deployed in user organizations. In the case of my LDAP & X.500 implementation, less than half of the built-in directory attributes are defined in an RFC. What XACML identifiers should the majority be given?
>
> The method is not unique in that many of the attributes defined in an RFC are defined in more than one RFC. For instance, most of the directory attributes defined in RFC 2256 are also defined in RFC 4519, which obsoletes RFC 2256. Which RFC is definitive? Directory attributes are also permitted to have more than one name, which is another source of non-uniqueness.
>
> One thing that is true of every well-defined directory attribute is that it has a globally unique object identifier. This, in the form of an OID URN (RFC 3061), is what the SAML X.500/LDAP Attribute Profile uses to identify directory attributes. XACML should do the same. For example, "http://www.ietf.org/rfc/rfc2256.txt#userPassword" would be replaced by "urn:oid:".
>
> By the way, the current normative reference for LDAP is RFC 4510.
>
> Regards,
> Steven


David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
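The scheme Steven proposes, worked through as an added example that is not part of this thread: parse RFC 4512 attribute type descriptions, map every name of an attribute type (including its alternative names, which the Appendix B.4 scheme cannot disambiguate) to a single `urn:oid:` identifier per RFC 3061, validate that identifier, and rewrite an Appendix B.4 style `<rfc url>#<name>` identifier into the OID form. The schema text is constructed (modelled on RFC 4519 definitions, plus a hypothetical site-local attribute under the documentation enterprise number 32473 from RFC 5612); the function names are my own.

```python
import re

# Constructed sample schema text in RFC 4512 AttributeTypeDescription syntax,
# modelled on RFC 4519 definitions. The last entry is a hypothetical site-local
# attribute under the documentation enterprise arc (RFC 5612): no RFC defines
# it, so the Appendix B.4 scheme has no identifier for it, but it has an OID.
SAMPLE_SCHEMA = """
( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
( 1.3.6.1.4.1.32473.1.1 NAME 'exampleClearance'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
"""

# Numeric OID followed by a NAME clause: one quoted name or a parenthesised list.
_ATTR_TYPE = re.compile(
    r"\(\s*(?P<oid>\d+(?:\.\d+)+)\s+NAME\s+(?P<names>\(\s*(?:'[^']*'\s*)+\)|'[^']*')"
)
# RFC 3061: urn:oid:<number>(.<number>)*, decimal numbers without leading zeros.
_OID_URN = re.compile(r"^urn:oid:(?:0|[1-9]\d*)(?:\.(?:0|[1-9]\d*))*$", re.IGNORECASE)

def parse_attribute_types(schema_text):
    """Return {lowercased name: numeric OID} for every attribute type found.
    LDAP short names are case-insensitive and one type may carry several
    names; every name maps to the type's single OID, so lookups stay unique."""
    index = {}
    for m in _ATTR_TYPE.finditer(schema_text):
        for name in re.findall(r"'([^']*)'", m.group("names")):
            index[name.lower()] = m.group("oid")
    return index

def is_oid_urn(value):
    """Syntactic check for an RFC 3061 OID URN, plus the ASN.1 root-arc rule
    (first arc 0..2; second arc at most 39 when the first arc is 0 or 1)."""
    if not _OID_URN.match(value):
        return False
    arcs = [int(a) for a in value.split(":", 2)[2].split(".")]
    if arcs[0] > 2:
        return False
    return arcs[0] == 2 or len(arcs) == 1 or arcs[1] <= 39

def xacml_attribute_id(ldap_name, index):
    """XACML AttributeId for an LDAP attribute: its OID as an RFC 3061 URN."""
    return "urn:oid:" + index[ldap_name.lower()]

def migrate_legacy_id(legacy_id, index):
    """Rewrite an Appendix B.4 style '<rfc url>#<name>' identifier to the OID form."""
    _, _, name = legacy_id.partition("#")
    return xacml_attribute_id(name, index)
```

Both `cn` and `commonName` resolve to the same AttributeId, and the site-local attribute gets one even though no RFC URL exists for it.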