OASIS Mailing List Archives

xacml message

Subject: [xacml] CR#17 Draft change to "Resource Matching" in "Security and Privacy Considerations"


Draft change to "Security and Privacy Considerations" "Resource
Matching" section:

1. Change title to "NotApplicable Results"

A result of "NotApplicable" means that the PDP did not have a
Policy whose Target matched the information in the Request.  In
some security models, such as is common in many Web Servers, a
result of "NotApplicable" is treated as equivalent to "Permit".

If "NotApplicable" is to be treated as "Permit", it is vital that
the matching algorithms used by the Policy to match elements in
the Request are closely aligned with the data syntax used by the
applications that will be making the Request.  A failure to match
will be treated as "Permit", so an unintended failure may allow
unintended access.

A common example of this is a Web Server.  Commercial http
responders permit a variety of syntaxes to be treated
equivalently.  The "%" can be used to represent characters by hex
value.  In the URL path "/../" provides multiple ways of
specifying the same value.  Multiple character sets may be
permitted and, in some cases, the same printed character can be
represented by different binary values.  Unless the matching
algorithm used by the Policy is sophisticated enough to catch
these variations, unintended access may be allowed.

It is safe to treat "NotApplicable" as "Permit" ONLY in a closed
environment where all applications that formulate a Request are
closely aligned with the Policies used by the PDP.  In a more
open environment, where Requests may be received from
applications that are not necessarily closely aligned with the
Policies used by the PDP, it is HIGHLY RECOMMENDED that
"NotApplicable" NOT be treated as "Permit" unless matching rules
have been very carefully designed to match ALL possible
applicable inputs, regardless of syntax or type variations.

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
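The syntactic variants the draft lists above, worked through in an added example (Python, not part of the draft or of the XACML specification): a toy PDP with a single Deny target, an exact-prefix matcher beside a canonicalizing one, and a PEP that optionally treats NotApplicable as Permit. The policy, the resource paths and the canonicalization steps are constructed assumptions.

```python
# Added example: why "NotApplicable" must not become "Permit" when the
# policy's resource matcher does not canonicalize the Request.
import posixpath
import unicodedata
from urllib.parse import unquote

# Constructed policy: one Deny rule whose Target is the /admin/ subtree.
# A Request the Target does not match yields NotApplicable.
DENY_PREFIX = "/admin/"


def canonicalize(path: str) -> str:
    """Reduce the variants a web server accepts to a single form."""
    p = path
    for _ in range(3):                     # bounded: catches %252e (double encoding)
        q = unquote(p)
        if q == p:
            break
        p = q
    p = unicodedata.normalize("NFC", p)    # one binary form per printed character
    p = posixpath.normpath(p)              # resolve "." and ".." segments
    return p if p.startswith("/") else "/" + p


def evaluate(resource: str, canonical: bool) -> str:
    """PDP decision for a Request on `resource` (Deny or NotApplicable)."""
    subject = canonicalize(resource) if canonical else resource
    return "Deny" if subject.startswith(DENY_PREFIX) else "NotApplicable"


def pep_allows(resource: str, canonical: bool, na_is_permit: bool) -> bool:
    """PEP enforcement; NotApplicable optionally treated as Permit."""
    d = evaluate(resource, canonical)
    return d == "Permit" or (na_is_permit and d == "NotApplicable")


# Constructed Requests that a typical HTTP responder treats as /admin/users.
VARIANTS = [
    "/admin/users",
    "/%61dmin/users",           # hex-encoded 'a'
    "/public/../admin/users",   # dot-segment form of the same path
    "/%252e%252e/admin/users",  # double-encoded dot segments
]


def slipped_through(canonical: bool) -> list:
    """Variants the PEP would grant when NotApplicable is read as Permit."""
    return [v for v in VARIANTS if pep_allows(v, canonical, na_is_permit=True)]


if __name__ == "__main__":
    print("naive matcher grants:", slipped_through(canonical=False))
    print("canonicalizing matcher grants:", slipped_through(canonical=True))
```

With the exact-prefix matcher every encoded or traversal variant is NotApplicable and therefore granted; with canonicalization, or with NotApplicable enforced as Deny, none of them is.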


