OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Attribute validation

    Posted 10-31-2008 08:47
    Assuming the PEP uses digital signatures in SAML wrapped XACML (or for that matter SSL) as a means to authenticate with the PDP and to protect the integrity of the request, would it ever be a possible case where the attributes in the request have not been validated as legitimate by the PEP? The signature only establishes the authenticity and integrity, but the requestor makes no claims about the validity of the attributes. In such cases, should not the PDP make these validations in order to circumvent a possible security attack?
     
    Regards,
    Anil


  • 2.  Re: [xacml] Attribute validation

    Posted 10-31-2008 13:15
    Anil,
    
    If the PEP sends incorrect attributes to the PDP, then it's the problem 
    of the PEP itself. The PDP does not care, and should not.
    
    Regards,
    Erik
    
    Anil Tappetla (atappetl) wrote:
    > Assuming the PEP uses digital signatures in SAML wrapped XACML (or for 
    > that matter SSL) as a means to authenticate with the PDP and to 
    > protect the integrity of the request, would it ever be a possible case 
    > where the attributes in the request have not been validated as 
    > legitimate by the PEP ? The signature only establishes the 
    > authenticity and integrity, but the requestor makes no claims about 
    > the validity of the attributes. In such cases, should not the PDP make 
    > these validations in order to circumvent a possible security attack ?
    >  
    > Regards,
    > Anil
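
The distinction discussed in this thread, as an added example that is not part of either post and not XACML or SAML code: a signature check at the PDP succeeds for any request the PEP signed, whether or not the asserted attributes are true, and an attribute check against an authoritative source is a separate, optional step. Assumptions: HMAC-SHA256 stands in for the XML signature, and `PEP_KEY`, `DIRECTORY`, the request layout and all function names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample data: a key shared by PEP and PDP, and an authoritative
# attribute store (hypothetical stand-in for an attribute authority).
PEP_KEY = b"constructed-demo-key"
DIRECTORY = {"alice": {"role": {"clerk"}}, "bob": {"role": {"clerk", "manager"}}}


def canonical(request):
    # Deterministic serialization so both sides authenticate the same bytes.
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def pep_sign(request, key=PEP_KEY):
    """PEP side: protect the request in transit (HMAC stands in for XML-DSig)."""
    return hmac.new(key, canonical(request), hashlib.sha256).hexdigest()


def pdp_verify_signature(request, tag, key=PEP_KEY):
    """PDP side: authenticity and integrity only, nothing about attribute truth."""
    return hmac.compare_digest(pep_sign(request, key), tag)


def unsupported_attributes(request, directory=DIRECTORY):
    """Return asserted (attribute, value) pairs the directory does not back."""
    known = directory.get(request["subject"], {})
    return [(name, value)
            for name, values in sorted(request["attributes"].items())
            for value in values
            if value not in known.get(name, set())]


def pdp_accepts(request, tag, validate_attributes):
    """Accept on signature alone, or additionally require backed attributes."""
    if not pdp_verify_signature(request, tag):
        return False
    return not (validate_attributes and unsupported_attributes(request))


# Constructed requests: bob really is a manager, alice is not.
HONEST = {"subject": "bob", "attributes": {"role": ["manager"]}, "action": "approve"}
UNVALIDATED = {"subject": "alice", "attributes": {"role": ["manager"]}, "action": "approve"}
```
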