OASIS Mailing List Archives

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml] Comments on Attribute predicate profile for SAML and XACML

> -----Original Message-----
> From: Gregory Neven [mailto:nev@zurich.ibm.com]
> Sent: Monday, April 04, 2011 3:26 PM
> To: Paul Tyson
> Subject: Re: [xacml] Comments on Attribute predicate profile for SAML and XACML
>
> > 4. I'm not too familiar with SAML, so I assume that the
> > samlp:Status/samlp:StatusCode/@Value attribute is the conventional way
> > to confirm or deny a SAML assertion?  For the purpose at hand it seems
> > like a roundabout way of communicating the truth-value of a
> > (potentially) complex predicate.  Rather than just echoing the predicate
> > back to the relying party, could there be a dedicated
> > AttributePredicateResponse with Result=true|false?  Optionally, the
> > predicate could be returned as well.  This would be analogous to the
> > XACML Response, with optional return of the Request attributes.
>
> When a predicate is not explicitly included in the response, is it still
> possible to have the description of the predicate (and not just some
> ID/reference to it) be signed by the XML Signature? If so, then you're
> right, one could make the predicate optional in the response. If not,
> then there's a danger that, if the PEP and IDP communicate over an
> insecure connection or through redirects via the user, an adversary
> replaces the queried predicate with a fake predicate, so that a
> "true" response from the IDP would be misinterpreted by the PEP as being
> for the real predicate instead of the fake predicate.

If there is an adversary in the middle, couldn't he just return true to the PEP anyway, without invoking the IDP at all? I think we should assume a secure connection.
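The predicate substitution described in the quoted message, and the forged "true" reply raised in the follow-up, modelled as an added example; this is not code from the thread or from the SAML/XACML attribute predicate profile. A PEP sends a predicate query through the user agent to the IdP and gets a signed answer back; the adversary controls the user-agent legs. XML Signature is replaced by an HMAC over a canonical JSON encoding so the script runs offline, and the key, the user attributes and the two predicates are constructed. The knob under discussion is whether the predicate text itself sits under the signature or only the query reference does.

```python
import hashlib
import hmac
import json

# Constructed IdP signing key.  A real response carries an XML Signature made
# with the IdP's private key; an HMAC over a canonical JSON encoding stands in
# for it here so the example stays small and offline.
IDP_KEY = b"constructed-idp-signing-key"

# Constructed attributes the IdP holds for the user.
USER_ATTRIBUTES = {"age": 16, "country": "CH"}

# The predicate the PEP actually wants answered, and the one an adversary
# would rather have answered (constructed; the user satisfies only the second).
REAL_PREDICATE = {"attr": "age", "op": ">=", "value": 18}
FAKE_PREDICATE = {"attr": "country", "op": "==", "value": "CH"}


def evaluate(predicate, attrs):
    """Evaluate a one-clause predicate {attr, op, value} against attrs."""
    lhs, rhs = attrs[predicate["attr"]], predicate["value"]
    return {">=": lhs >= rhs, "==": lhs == rhs}[predicate["op"]]


def sign(body):
    """Signature over a canonical encoding of exactly the fields in body."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(IDP_KEY, data, hashlib.sha256).hexdigest()


def idp_respond(query, cover_predicate):
    """IdP: answer the predicate as received; optionally put the predicate
    text itself under the signature instead of only the query reference."""
    body = {"in_response_to": query["id"],
            "result": evaluate(query["predicate"], USER_ATTRIBUTES)}
    if cover_predicate:
        body["predicate"] = query["predicate"]
    return {"body": body, "signature": sign(body)}


def pep_decide(sent_query, response, require_predicate):
    """PEP: check the signature, then decide which predicate the answer is for."""
    body = response["body"]
    if not hmac.compare_digest(sign(body), response["signature"]):
        return "rejected: bad signature"
    if body["in_response_to"] != sent_query["id"]:
        return "rejected: not for our query"
    if require_predicate and body.get("predicate") != sent_query["predicate"]:
        return "rejected: predicate mismatch"
    return "granted" if body["result"] else "denied"


def run(attack, cover_predicate):
    """One round trip PEP -> (user agent) -> IdP -> (user agent) -> PEP, with
    an adversary controlling the user-agent legs for the named attack."""
    query = {"id": "q-1", "predicate": REAL_PREDICATE}
    delivered = query
    if attack in ("swap", "swap_and_restore"):
        # Request leg: same query id, different predicate.
        delivered = {"id": query["id"], "predicate": FAKE_PREDICATE}
    response = idp_respond(delivered, cover_predicate)
    if attack == "swap_and_restore":
        # Response leg: put the real predicate back so the PEP sees what it sent.
        body = dict(response["body"], predicate=REAL_PREDICATE)
        response = {"body": body, "signature": response["signature"]}
    if attack == "forge":
        # Never contact the IdP; just tell the PEP "true".
        response = {"body": {"in_response_to": query["id"], "result": True},
                    "signature": "0" * 64}
    return pep_decide(query, response, require_predicate=cover_predicate)


if __name__ == "__main__":
    for attack in (None, "swap", "swap_and_restore", "forge"):
        for cover in (False, True):
            print(f"{str(attack):17} cover_predicate={cover!s:5} -> {run(attack, cover)}")
```

With only the query reference signed, the swapped request yields a genuinely IdP-signed "true" that the PEP attributes to the real predicate; with the predicate text under the signature the PEP sees the mismatch, and restoring the real predicate on the way back breaks the signature. A response forged without contacting the IdP fails the signature check in both configurations, which is what the PEP is relying on when it does not have a secure connection to the IdP.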
