OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [xacml] Attribute validation


As a related strand - how does the PEP determine what attributes it must
pass in a request to the PDP ? For apparently, the applicability of
policies may vary with what attributes are present in the request.

Regards,
Anil

-----Original Message-----
From: sampo@symlabs.com [mailto:sampo@symlabs.com] 
Sent: Friday, October 31, 2008 7:07 PM
To: Anil Tappetla (atappetl)
Cc: xacml@lists.oasis-open.org; sampo@symlabs.com
Subject: Re: [xacml] Attribute validation

Anil Tappetla (atappetl) wrote:
> Assuming the PEP uses digital signatures in SAML wrapped XACML (or for

> that matter SSL) as a means to authenticate with the PDP and to 
> protect the integrity of the request, would it ever be a possible case

> where the attributes in the request have not been validated as 
> legitimate by the PEP ? The signature only establishes the 
> authenticity and integrity, but the requestor makes no claims about 
> the validity of the attributes. In such cases, should not the PDP make

> these validations in order to circumvent a possible security attack ?

There is not much point in PEP supplying attributes if it does not
guarantee their authenticity. If PEP is unable to supply authentic
attributes, then PDP/PIP would be better off obtaining the attributes
directly from the authorative source rather than "validate".

I can see a situation where user lands to PEP using SSO that passes some
attributes from IdP. The SSO a7n is signed so authenticity of attributes
can be validated by checking the signature. However, generally the
signature can only be checked by PEP and will not be visible to PDP.
Thus PEP unwraps the attributes and then vouches their authenticity to
the PDP. It would be nice if the IdP signature was not lost and could be
passed to the PDP so PDP would be trusting the IdP rather than PEP.

While it would be possible to sign the a7n in such a way that the
attribute statement could be extracted without breaking the signature,
the XACML attribute formatting is different. Perhaps XACML should use
SAML Attribute Statements as the format for attributes? Barring that,
the only way I can see this could be done right now is to pass at XACML
layer one big attribute whose contents would be the signed a7n or
attribute statement.

Cheers,
--Sampo

> Regards,
> Anil
>




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]