OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-comment] Inadequate identification of LDAP attributes

Hi David,

On 9/12/2010 5:36 AM, David Chadwick wrote:
> Hi Steven
> you will be pleased to know that we use the OID naming convention to refer to our LDAP attributes in our
> XACML authorisation policies.

That is good to know. It makes it easier to ignore the XACML convention
and use the OID convention instead. The OID convention will most likely
provide better interworking even though it isn't the standardized convention.

 > It is the only convention that is guaranteed to work for every (correctly
> defined) LDAP attribute

Yes. It would be good if the XACML standard described this convention
so that implementors wouldn't have to independently reach the same


> regards
> David
> On 08/12/2010 00:45, Steven Legg wrote:
>> The method for forming XACML attribute identifiers for LDAP attributes
>> (and by
>> association, X.500 attributes) described in Appendix B.4 of the XACML
>> 3.0 core
>> specification is neither unique nor complete.
>> The method is incomplete in that it only covers directory attributes
>> that are
>> defined in RFCs. The most commonly used directory attributes are defined in
>> RFCs, but a great many attributes are defined in the specifications of
>> other
>> standards bodies such as ISO and the ITU-T, in industry profiles, in vendor
>> documentation, or simply in the schema configuration of directories
>> deployed
>> in user organizations. In the case of my LDAP & X.500 implementation,
>> less than
>> half of the built-in directory attributes are defined in an RFC. What
>> XACML identifiers should the majority be given ?
>> The method is not unique in that many of the attributes defined in an
>> RFC are
>> defined in more than one RFC. For instance, most of the directory
>> attributes
>> defined in RFC 2256 are also defined in RFC 4519, which obsoletes RFC 2256.
>> Which RFC is definitive ? Directory attributes are also permitted to have
>> more than one name, which is another source of non-uniqueness.
>> One thing that is true of every well-defined directory attribute is that it
>> has a globally unique object identifier. This, in the form of an OID URN
>> (RFC
>> 3061), is what the SAML X.500/LDAP Attribute Profile uses to identify
>> directory
>> attributes. XACML should do the same. For example,
>> "http://www.ietf.org/rfc/rfc2256.txt#userPassword"; would be replaced by
>> "urn:oid:".
>> By the way, the current normative reference for LDAP is RFC 4510.
>> Regards,
>> Steven

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]