Re: [sunxacml-discuss] XACML X.509 support
From: Paul O'C. <pau...@ya...> - 2005-02-22 19:33:20
Such verification must be done within the context of a federation solution... it is the job of the federation tool to do the verification within the confines of a trust contract with the asserting party. Your authz engine can then solicit attributes via SAMLP...

--- Mine Altunay <ma...@nc...> wrote:

> Hi all
>
> How does a PDP verify the validity/legitimacy of claimed attributes in a
> given request? For example, a subject attribute may claim that the user is
> a member of a developer group. Then, the PDP would evaluate this information
> and decide the appropriate access decision for the "developers". However,
> how does the PDP verify that the said subject is indeed a member of the
> claimed group? What I see from the PDP and request examples is that a request
> does not carry such proofs as attribute credentials or identity
> credentials.
>
> However, lack of such support makes the authz process very naive,
> vulnerable against malicious users.
>
> Additionally, I am working with an identity-based authz system that relies
> on X.509 credentials. Therefore, for my PDP it is important not only to
> get an access decision, but also to verify that the subject does indeed
> have a valid certificate (or ACs or whatever the policy calls for). Right now,
> I am using the XACML X500NameAttribute; however, it does not really prove
> that this subject indeed has an issued certificate. (I am naively passing
> the DN and hoping that the user is honest with it.)
>
> If you could point me to ways to provide such verification in my XACML
> framework, I would be grateful.
>
> Also, do you see this verification problem as out of the XACML scope, or is
> there already support in the existing XACML framework that perhaps I am
> missing?
>
> PS: I also thought about external means to send the certificate after the
> authz process, but it is costly and redundant.
>
> Thank you all
>
> --
> Mine Altunay
> PhD student,
> Computer Engineering Dept, NC State Univ
> Phone: (919) 395 2789
> E-Mail: ma...@nc...
>
> _______________________________________________
> sunxacml-discuss mailing list
> sun...@li...
> https://lists.sourceforge.net/lists/listinfo/sunxacml-discuss
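The check the reply places outside the PDP, as an added example that is not part of this thread and not sunxacml code: before the request context is built, the presented X.509 certificate is verified against the trusted roots, and only a certificate that chains to a trusted root contributes a subject DN. The example is written in Go with the standard library rather than in sunxacml's Java so that it runs stand-alone; it constructs an in-memory trusted CA, a rogue CA and a user certificate with the same DN from each. The function names, the "alice"/"developers" subject and the mapping of OU components to group attributes are assumptions made for the example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SubjectAttrs is what the context handler hands to the PDP. Both fields come
// from a certificate that chained to a trusted root, never from a DN string the requester supplied.
type SubjectAttrs struct {
	DN     string   // value for the X500Name subject-id attribute
	Groups []string // assumed mapping for this example: OU components of the verified DN
}

// template builds a short-lived certificate template (constructed for this example).
func template(subject pkix.Name, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issueCert generates a key pair and a certificate from tmpl; parent == nil means self-signed.
func issueCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifiedSubjectAttrs is the trust check: the certificate must chain to a root in roots and
// be valid for client authentication; only then is its DN used as the XACML subject.
func VerifiedSubjectAttrs(cert *x509.Certificate, roots *x509.CertPool) (*SubjectAttrs, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("subject certificate rejected: %w", err)
	}
	return &SubjectAttrs{DN: cert.Subject.String(), Groups: cert.Subject.OrganizationalUnit}, nil
}

// Scenario issues the same DN from a trusted CA and from a rogue CA and runs both through the
// check, returning the accepted attributes, the rogue certificate's rejection, and any setup error.
func Scenario() (attrs *SubjectAttrs, rogueErr error, err error) {
	trustedCA, trustedKey, err := issueCert(template(pkix.Name{CommonName: "Example Trusted CA"}, true), nil, nil)
	if err != nil {
		return nil, nil, err
	}
	rogueCA, rogueKey, err := issueCert(template(pkix.Name{CommonName: "Rogue CA"}, true), nil, nil)
	if err != nil {
		return nil, nil, err
	}
	// Constructed subject: a user claiming membership in the "developers" OU.
	user := pkix.Name{CommonName: "alice", OrganizationalUnit: []string{"developers"}, Organization: []string{"Example Org"}}
	good, _, err := issueCert(template(user, false), trustedCA, trustedKey)
	if err != nil {
		return nil, nil, err
	}
	forged, _, err := issueCert(template(user, false), rogueCA, rogueKey) // same DN, untrusted issuer
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if attrs, err = VerifiedSubjectAttrs(good, roots); err != nil {
		return nil, nil, err
	}
	_, rogueErr = VerifiedSubjectAttrs(forged, roots)
	return attrs, rogueErr, nil
}

func main() {
	attrs, rogueErr, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted %q groups=%v\nrogue certificate: %v\n", attrs.DN, attrs.Groups, rogueErr)
}
```

The point of the two certificates is that they carry an identical DN: a PDP that is handed the DN as a string cannot tell them apart, whereas the chain check rejects the rogue one before any attribute exists. In a sunxacml deployment this step belongs in the PEP or context handler, with the X500NameAttribute populated from the returned DN; the OU-to-group mapping is only one possible source for group attributes, and a federation tool or SAML attribute authority would be another.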