OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Issue 86: SAML profile: Policy issuer and id of signed policies


This is the remaining open issue on the SAML profile.

This issue is actually two separate issues.

First, we should specify that an XACML 3.0 <PolicyIssuer> element may be 
derived from the signature of a SAML assertion containing an XACML 
policy. I propose that we add the following to the SAML profile, at the 
end of section 5.1:

An XACMLPolicy Statement enclosed in a signed SAML assertion MAY be used 
as a method of authentication of XACML policies. In this case the Policy 
or PolicySet MUST NOT contain an XACML <PolicyIssuer> element. Instead 
the PDP MAY generate a <PolicyIssuer> element from the signature in the 
SAML assertion before using the policy for XACML request evaluation. In 
this case the issuer of the SAML assertion SHALL be translated into an 
XACML attribute with id urn:FIXME:subject-id.

The second issue is that, since XACML specifies that policy identifiers 
must be unique, there is a concern in case of distributed administration 
(like in the delegation profile) that someone could intentionally 
publish a policy with a duplicate id as an attack against the PDP.

I propose that we add a security consideration to the 3.0 core:

XACML specifies that policy identifiers qualified by the policy version 
must be unique. If a PDP is provided with policies from distinct sources 
which might not be fully trusted, as in the use of the administration 
profile [FIXME ref], there is a concern that someone intentionally 
publishes a policy with an id which collides with another policy. This 
could cause policy references to point to the wrong policy and may cause 
other issues in an implementation which relies on that policy 
identifiers are unique.

If this issue is a concern it is RECOMMENDED that distinct policy 
issuers or sources are assigned distinct namespaces for policy 
identifiers. One method to do this is to make sure that the policy 
identifier begins with a string which has been assigned to the 
particular policy issuer or source. The remainder of the policy 
identifier is an issuer specific unique part. For instance, Alice from 
Example Inc. could be assigned the policy identifiers which begin with 
http://example.com/xacml/policyId/alice/. The PDP can then verify that 
the authenticated source of the policy is Alice at Example Inc, or 
otherwise reject the policy. Anyone else will unable to publish policies 
with identifiers which collide with the policies of Alice.

Best regards,

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]