RE: [xacml] Attribute validation

["Hal Lockhart" <hal.lockhart@oracle.com>]

First of all, it is the PIP (which may be co-located with PEP or PDP or both which is the architectural entity for obtaining Attributes and therefore vetting them.

Applicability should not be determined by lack of data. If needed Attributes are missing, the PDP is supposed to return Indeterminate, with missing attributes.

The main point is that the PDP NEVER should be responsible for the validity of the inputs. It is completely legitimate to call a PDP with any values you like. This enables "what if" analysis.

Hal

> -----Original Message-----
> From: Anil Tappetla (atappetl) [mailto:atappetl@cisco.com]
> Sent: Friday, October 31, 2008 12:06 PM
> To: sampo@symlabs.com
> Cc: xacml@lists.oasis-open.org
> Subject: RE: [xacml] Attribute validation
> 
> As a related strand - how does the PEP determine what attributes it must
> pass in a request to the PDP ? For apparently, the applicability of
> policies may vary with what attributes are present in the request.
> 
> Regards,
> Anil
> 
> -----Original Message-----
> From: sampo@symlabs.com [mailto:sampo@symlabs.com]
> Sent: Friday, October 31, 2008 7:07 PM
> To: Anil Tappetla (atappetl)
> Cc: xacml@lists.oasis-open.org; sampo@symlabs.com
> Subject: Re: [xacml] Attribute validation
> 
> Anil Tappetla (atappetl) wrote:
> > Assuming the PEP uses digital signatures in SAML wrapped XACML (or for
> 
> > that matter SSL) as a means to authenticate with the PDP and to
> > protect the integrity of the request, would it ever be a possible case
> 
> > where the attributes in the request have not been validated as
> > legitimate by the PEP ? The signature only establishes the
> > authenticity and integrity, but the requestor makes no claims about
> > the validity of the attributes. In such cases, should not the PDP make
> 
> > these validations in order to circumvent a possible security attack ?
> 
> There is not much point in PEP supplying attributes if it does not
> guarantee their authenticity. If PEP is unable to supply authentic
> attributes, then PDP/PIP would be better off obtaining the attributes
> directly from the authorative source rather than "validate".
> 
> I can see a situation where user lands to PEP using SSO that passes some
> attributes from IdP. The SSO a7n is signed so authenticity of attributes
> can be validated by checking the signature. However, generally the
> signature can only be checked by PEP and will not be visible to PDP.
> Thus PEP unwraps the attributes and then vouches their authenticity to
> the PDP. It would be nice if the IdP signature was not lost and could be
> passed to the PDP so PDP would be trusting the IdP rather than PEP.
> 
> While it would be possible to sign the a7n in such a way that the
> attribute statement could be extracted without breaking the signature,
> the XACML attribute formatting is different. Perhaps XACML should use
> SAML Attribute Statements as the format for attributes? Barring that,
> the only way I can see this could be done right now is to pass at XACML
> layer one big attribute whose contents would be the signed a7n or
> attribute statement.
> 
> Cheers,
> --Sampo
> 
> > Regards,
> > Anil
> >
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>