OASIS Mailing List Archives
Subject: [xacml] For v17: [CR17] Revised text for Security & Privacy Considerations


Change to "Security & Privacy Considerations" section approved
today.

1. Change title of "Resource Matching" section to "NotApplicable
   Results"

2. Change text under "NotApplicable Results" to:

A result of "NotApplicable" means that the PDP did not have a
Policy whose Target matched the information in the Request.
In general, we highly recommend using a "default-deny" policy, so
that when a PDP would have returned "NotApplicable", a result of
"Deny" is returned instead.

In some security models, however, such as is common in many Web
Servers, a result of "NotApplicable" is treated as equivalent to
"Permit".  There are particular security considerations that must
be taken into account for this to be safe.  These are explained
in the following paragraphs.

If "NotApplicable" is to be treated as "Permit", it is vital that
the matching algorithms used by the Policy to match elements in
the Request are closely aligned with the data syntax used by the
applications that will be making the Request.  A failure to match
will be treated as "Permit", so an unintended failure to match
may allow unintended access.

A common example of this is a Web Server.  Commercial http
responders permit a variety of syntaxes to be treated
equivalently.  The "%" can be used to represent characters by hex
value.  The URL path "/../" provides multiple ways of specifying
the same value.  Multiple character sets may be permitted and, in
some cases, the same printed character can be represented by
different binary values.  Unless the matching algorithm used by
the Policy is sophisticated enough to catch these variations,
unintended access may be allowed.

It is safe to treat "NotApplicable" as "Permit" ONLY in a closed
environment where all applications that formulate a Request can
be guaranteed to use the exact syntax expected by the policies
used by the PDP.  In a more open environment, where Requests may
be received from applications that may use any legal syntax, it
is HIGHLY RECOMMENDED that "NotApplicable" NOT be treated as
"Permit" unless matching rules have been very carefully designed
to match ALL possible applicable inputs, regardless of syntax or
type variations.
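To make the preceding paragraphs concrete, here is an added example that is not part of this message or of the XACML specification: a toy PDP in Python with one constructed policy whose Target covers /admin and denies anonymous subjects, evaluated against constructed spellings of the same path with and without canonicalization before matching, and with NotApplicable mapped either to Permit or to the recommended default-deny. The policy, paths and canonicalization rules are all assumptions for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample policy: one Policy whose Target covers the /admin tree
# and whose single Rule denies anonymous subjects. Any other resource lies
# outside the Target, so the PDP has no applicable policy for it.
PROTECTED = "/admin"


def canonicalize(path: str) -> str:
    """Reduce equivalent URL path spellings to one form before Target matching:
    percent-decode until stable (catches double encoding), collapse runs of
    '/', resolve '.' and '..' segments, and lowercase (this example assumes
    the web server treats paths case-insensitively)."""
    decoded = path
    while unquote(decoded) != decoded:
        decoded = unquote(decoded)
    collapsed = re.sub(r"/+", "/", decoded)
    return posixpath.normpath(collapsed).lower()


def target_matches(path: str) -> bool:
    """Target of the sample policy: the resource is /admin or below it."""
    return path == PROTECTED or path.startswith(PROTECTED + "/")


def pdp_decision(request_path, *, canonical, notapplicable_as_permit,
                 subject="anonymous"):
    """Toy PDP. 'canonical' selects whether the matcher canonicalizes first;
    'notapplicable_as_permit' selects the web-server style mapping of
    NotApplicable to Permit instead of the recommended default-deny."""
    path = canonicalize(request_path) if canonical else request_path
    if target_matches(path):
        return "Deny" if subject == "anonymous" else "Permit"
    # No policy Target matched the Request: the PDP would say NotApplicable.
    return "Permit" if notapplicable_as_permit else "Deny"


def decisions(paths, **mode):
    """Decision for each path under one matcher/mapping configuration."""
    return {p: pdp_decision(p, **mode) for p in paths}


if __name__ == "__main__":
    # Constructed request paths that all name the same protected resource.
    variants = ["/admin/users", "/%61dmin/users", "/%2561dmin/users",
                "/Admin/users", "/public/../admin/users", "//admin/users"]
    for canonical in (False, True):
        for na_permit in (True, False):
            print(f"canonical={canonical} NotApplicable->Permit={na_permit}:",
                  decisions(variants, canonical=canonical,
                            notapplicable_as_permit=na_permit))
```

With a literal matcher and NotApplicable mapped to Permit, only the exact spelling "/admin/users" is denied and every other variant is permitted; canonicalizing first, or using default-deny, denies all of them.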


