OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only

[xacml] CR#17 Draft change to "Resource Matching" in"Security and Privacy Considerations"

  • 1.  [xacml] CR#17 Draft change to "Resource Matching" in"Security and Privacy Considerations"

    Posted 09-09-2002 19:23
    Draft change to "Security and Privacy Considerations" "Resource Matching" section: 1. Change title to "NotApplicable Results" A result of "NotApplicable" means that the PDP did not have a Policy whose Target matched the information in the Request. In some security models, such as is common in many Web Servers, a result of "NotApplicable" is treated as equivalent to "Permit". If "NotApplicable" is to be treated as "Permit", is it vital that the matching algorithms used by the Policy to match elements in the Request are closely aligned with the data syntax used by the applications that will be making the Request. A failure to match will be treated as "Permit", so an unintended failure may allow unintended access. A common example of this is a Web Server. Commercial http responders permit a variety of syntaxes to be treated equivalently. The "%" can be used to represent characters by hex value. In the URL path "/../" provides multiple ways of specifying the same value. Multiple character sets may be permitted and, in some cases, the same printed character can be represented by different binary values. Unless the matching algorithm used by the Policy is sophisticated enough to catch these variations, unintended access may be allowed. It is safe to treat "NotApplicable" as "Permit" ONLY in a closed environment where all applications that formulate a Request are closely aligned with the Policies used by the PDP. In a more open environment, where Requests may be received from applications that are not necessarily closely aligned with the Policies used by the PDP, it is HIGHLY RECOMMENDED that "NotApplicable" NOT be treated as "Permit" unless matching rules have been very carefully designed to match ALL possible applicable inputs, regardless of syntax or type variations. -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692