Subject: [xacml] For v17: [CR17] Revised text for Security & Privacy Considerations
Change to "Security & Privacy Considerations" section approved today.

1. Change title of "Resource Matching" section to "NotApplicable Results"

2. Change text under "NotApplicable Results" to:

A result of "NotApplicable" means that the PDP did not have a Policy whose Target matched the information in the Request. In general, we highly recommend using a "default-deny" policy, so that when a PDP would have returned "NotApplicable", a result of "Deny" is returned instead.

In some security models, however, such as is common in many Web Servers, a result of "NotApplicable" is treated as equivalent to "Permit". There are particular security considerations that must be taken into account for this to be safe. These are explained in the following paragraphs.

If "NotApplicable" is to be treated as "Permit", it is vital that the matching algorithms used by the Policy to match elements in the Request are closely aligned with the data syntax used by the applications that will be making the Request. A failure to match will be treated as "Permit", so an unintended failure to match may allow unintended access.

A common example of this is a Web Server. Commercial http responders permit a variety of syntaxes to be treated equivalently. The "%" can be used to represent characters by hex value. The URL path "/../" provides multiple ways of specifying the same value. Multiple character sets may be permitted and, in some cases, the same printed character can be represented by different binary values. Unless the matching algorithm used by the Policy is sophisticated enough to catch these variations, unintended access may be allowed.

It is safe to treat "NotApplicable" as "Permit" ONLY in a closed environment where all applications that formulate a Request can be guaranteed to use the exact syntax expected by the policies used by the PDP.

In a more open environment, where Requests may be received from applications that may use any legal syntax, it is HIGHLY RECOMMENDED that "NotApplicable" NOT be treated as "Permit" unless matching rules have been very carefully designed to match ALL possible applicable inputs, regardless of syntax or type variations.
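
The matching concern described in the text above, as an added example that is not part of the original message or of the XACML specification. It is a toy PDP/PEP in Python; the single Deny rule on "/admin", the function names and the sample paths are constructed for illustration, and it assumes the web server percent-decodes once and resolves ".." segments.

```python
import posixpath
from urllib.parse import unquote

# Constructed policy: one rule whose Target is the /admin subtree, effect Deny.
RULES = [("/admin", "Deny")]

def canonicalize(path):
    """Percent-decode once, then collapse '.', '..' and repeated slashes."""
    return "/" + posixpath.normpath(unquote(path)).lstrip("/")

def pdp_evaluate(path, normalize):
    """Return the effect of the first rule whose Target matches, else NotApplicable."""
    subject = canonicalize(path) if normalize else path
    for prefix, effect in RULES:
        if subject == prefix or subject.startswith(prefix + "/"):
            return effect
    return "NotApplicable"

def pep_enforce(path, normalize, not_applicable_as):
    """Map NotApplicable to the PEP's chosen fallback ('Permit' or 'Deny')."""
    decision = pdp_evaluate(path, normalize)
    return not_applicable_as if decision == "NotApplicable" else decision

# Constructed requests: three spellings of one protected resource, one public one.
SAMPLES = [
    "/admin/users",
    "/%61dmin/users",            # "%" hex escape for 'a'
    "/public/../admin/users",    # "/../" path form
    "/public/index.html",
]

def run(normalize, not_applicable_as):
    return [pep_enforce(p, normalize, not_applicable_as) for p in SAMPLES]

if __name__ == "__main__":
    configs = [
        ("raw match, NotApplicable => Permit", False, "Permit"),
        ("canonical match, NotApplicable => Permit", True, "Permit"),
        ("raw match, default-deny", False, "Deny"),
    ]
    for label, normalize, fallback in configs:
        print(label)
        for path, result in zip(SAMPLES, run(normalize, fallback)):
            print(f"  {path:28} {result}")
```

With default-deny, the public path is also denied here only because this constructed policy contains no Permit rule; the point is that a missed match fails closed instead of open.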