OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [xacml] proposed amendment to Polar's resolution of PM-2-05

> because it provides information on what is necessary to make a decision
> for granting access. while this sounds appealing from a programmatic
> perspective, it is a fundamental no-no in a security transaction because
> it provides feedback for 'safecracking'. in other words, it allows a
> nefarious entity to 'query' the system for information leading to
> access.

that of the PDP leaking information is a very good point, and one to be 
careful about. 
my view is that we should be careful on what the PDP returns, but not 
disallow the PDP to return such information.

for instance, suppose you make ac access request and present yourself as
"anonymous" or with no SAML assertion for a given membership, and to get
access you need to login and provide membership number.

Now it would be a no-no having the PDP saying i can grant you access if 
you login as "JOHN_DOE" and your membership number is "12345" but it 
should be fine for the PDP to come back saying "i need you to login" or 
"give me your membership number". 

Not allowing the PDP to have such an outcome would imply that the requests  
should come with all the possible statements that may be associated with 
the requestor, which may be inacceptable in certain situations. For 
instance, you do not want to realease your AAA membership number when 
doing operations that have nothing to do with AAA.

Can you be assumed to know yourself what you need in order  to get an 
access and therefore which SAML statements should be provided?


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC