[cap-talk] forging SAML security assertions in Zebra Copy

Karp, Alan H alan.karp at hp.com
Mon Feb 23 16:51:31 EST 2009


John Carlson wrote:
> 
> Say I wanted to create an unforgeable/unmodifiable query language
> expression.  It doesn't need to be in the assertion--however, it would
> be convenient for debugging purposes to put it in the assertion.  The
> unforgeable/unmodifiable is the primary requirement.   I realize I
> could put the query language expression in a directory stored under a
> swiss number on a server somewhere, but if I did that, then the client
> might not be able to tell what query language expression is being
> invoked.  On the other hand, I believe if the query language
> expression was exposed to the end user,  a type of confused deputy
> could occur--that is, the query language expression might be different
> than the capability.  If I could guarantee that the query language
> expression were the same as the capability, that would be ideal.
>
You may put any application-dependent restrictions you like in an Attribute tag in the Authorization assertion.  We assume that the service itself is responsible for interpreting these restrictions.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
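The arrangement Alan describes, as an added example (written for this page, not Zebra Copy's own code): the query expression rides inside the signed authorization assertion as an Attribute, so it cannot be altered without invalidating the signature, and the service checks the signature before it interprets the restriction. Assumptions not taken from the thread: a SAML-like element layout, an HMAC-SHA256 over a fixed ElementTree serialization standing in for XML-DSig signing and canonicalization, and a constructed key, subject, resource and query.

```python
"""Added example: an application-defined restriction (a query expression)
carried as an Attribute in a signed authorization assertion, verified by the
service before use.  Illustrative code for this page, not Zebra Copy's.
"""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)

# Constructed demo key shared by issuer and service; a stand-in for the
# issuer's real signing key (assumption, not from the thread).
ISSUER_KEY = b"constructed-demo-key"


def build_assertion(subject, resource, query_expr):
    """Issuer side: an unsigned assertion whose restriction is an
    application-defined Attribute.  The service, not the issuer, gives the
    query expression its meaning."""
    assertion = ET.Element(f"{{{SAML}}}Assertion", ID="_constructed-id-1")
    subj = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for name, value in (("resource", resource), ("query", query_expr)):
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return assertion


def canonical_bytes(assertion):
    """Serialize everything except the signature.  Simplification: XML-DSig
    uses a real canonicalization method; here both sides rely on the same
    ElementTree serialization, which is stable for documents built this way."""
    unsigned = copy.deepcopy(assertion)
    for sig in unsigned.findall(f"{{{DS}}}Signature"):
        unsigned.remove(sig)
    return ET.tostring(unsigned, encoding="utf-8")


def sign_assertion(assertion, key):
    """Attach an HMAC-SHA256 over the canonical bytes.  A stand-in for a full
    ds:Signature (SignedInfo, KeyInfo, ...); the binding property is the same:
    the Attribute and the rest of the assertion are covered by one signature."""
    mac = hmac.new(key, canonical_bytes(assertion), hashlib.sha256).digest()
    sig = ET.SubElement(assertion, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(assertion, encoding="utf-8")


def verify_assertion(xml_bytes, key):
    """Service side: check the signature first, then read the restriction.
    Returns the Attribute map; raises ValueError if unsigned or altered."""
    assertion = ET.fromstring(xml_bytes)
    sig_val = assertion.find(f"{{{DS}}}Signature/{{{DS}}}SignatureValue")
    if sig_val is None or not sig_val.text:
        raise ValueError("unsigned assertion")
    expected = hmac.new(key, canonical_bytes(assertion), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig_val.text)):
        raise ValueError("signature does not match assertion contents")
    return {attr.get("Name"): attr.findtext(f"{{{SAML}}}AttributeValue")
            for attr in assertion.iter(f"{{{SAML}}}Attribute")}


def alter_query(xml_bytes, new_query):
    """Change the query Attribute but keep the original signature, to show
    that the service's check catches a mismatch between expression and capability."""
    assertion = ET.fromstring(xml_bytes)
    for attr in assertion.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == "query":
            attr.find(f"{{{SAML}}}AttributeValue").text = new_query
    return ET.tostring(assertion, encoding="utf-8")


def demo():
    """Returns (query accepted from the intact assertion, altered copy rejected?)."""
    signed = sign_assertion(
        build_assertion("alice", "orders-db",
                        "SELECT id FROM orders WHERE owner='alice'"),
        ISSUER_KEY)
    accepted = verify_assertion(signed, ISSUER_KEY)["query"]
    try:
        verify_assertion(alter_query(signed, "SELECT * FROM orders"), ISSUER_KEY)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

Because the expression is part of the signed assertion, the client can read it for debugging while the service still interprets only what the issuer actually signed; a copy whose query was changed fails verification before any interpretation happens.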