HERAS-AF Forum
Author Topic: X500 Name Match unclarity  (Read 1294 times)
Florian Huonder
« on: May 27, 2009, 08:57:17 am »

Hi,

There are some obscurities regarding the X500 name match functions in the XACML 2.0 specification.
The function of interest is the urn:oasis:names:tc:xacml:1.0:function:x500Name-match.
The obscurity is about the term "terminal sequence", which is not defined in any X500 spec. It only appears here in the XACML 2.0 Spec. So it is in fact not defined.

We at HERAS-AF implemented the function the following way:
Code:
import javax.security.auth.x500.X500Principal;
// FunctionProcessingException is HERAS-AF's own exception type.

/** Every RDN of args[0] must be found among the RDNs of args[1], in any order. */
public Object handle(Object... args) throws FunctionProcessingException {
    try {
        if (args.length != 2) {
            throw new FunctionProcessingException(
                    "Invalid number of parameters");
        }
        // Split the RFC 2253 string form on commas (this also splits on
        // escaped commas inside attribute values).
        String[] expectedName = ((X500Principal) args[0]).getName(
                X500Principal.RFC2253).split(",");
        String[] comparedName = ((X500Principal) args[1]).getName(
                X500Principal.RFC2253).split(",");
        for (int i = 0; i < expectedName.length; i += 1) {
            boolean found = false;
            for (int k = 0; k < comparedName.length; k += 1) {
                if (expectedName[i].trim().equals(comparedName[k].trim())) {
                    found = true;
                }
            }
            if (!found) {
                return false;
            }
        }
        return true;
    } catch (ClassCastException e) {
        throw new FunctionProcessingException(
                "The arguments were of the wrong datatype.");
    } catch (FunctionProcessingException e) {
        throw e;
    } catch (Exception e) {
        throw new FunctionProcessingException(e);
    }
}
Our implementation returns true if all elements of the comparedName are contained in the expectedName, in any order.

Another interpretation of terminal sequence could be that only the terminus of an X500 name must match.
So e.g.:
expected: CN=Foo, DC=bar, DC=ch
provided: CN=Foo, DC=bar, DC=ch (would match)
provided: CN=Foo, DC=bar, DC=org (would not match)
provided: CN=Foo, DC=xy, DC=ch (would match)

This function could be implemented something like:
candidateDN.getName(X500Principal.CANONICAL).endsWith(target.getName(X500Principal.CANONICAL))


Based on the conformance tests of XACML 2.0, conformance test IIC084, both interpretations could be true.

I am a little bit stuck here, therefore I addressed this question to the XACML TC comments mailing list.
I am going to post their response here as soon as possible.
« Last Edit: May 27, 2009, 09:04:44 am by Florian Huonder »
Florian Huonder
« Reply #1 on: May 27, 2009, 03:22:37 pm »

http://lists.oasis-open.org/archives/xacml-comment/200905/msg00000.html

http://lists.oasis-open.org/archives/xacml/200905/msg00026.html
Florian Huonder
« Reply #2 on: June 05, 2009, 09:15:03 am »

The XACML TC discussed this issue in their weekly TC-meeting yesterday.

Erik Rissanen also commented on the XACML list on how to interpret the functionality of the x500NameMatch function.
http://lists.oasis-open.org/archives/xacml/200906/msg00005.html

The function is meant as follows:
The first argument (a sequence) must be fully contained in the second argument.
E.g.
first argument: ou=xacml,o=oasis
second argument: dn=alice,ou=xacml,o=oasis

would result in:
x500-equal -> false
x500-match -> true

The TC will review and edit the verbiage of the match-function in the spec.
http://lists.oasis-open.org/archives/xacml/200906/msg00010.html
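The TC reading above, as an added stand-alone example written for this page (Python, not HERAS-AF code): the first argument's RDNs must equal the terminal RDNs of the second argument in order, which differs both from the unordered set-containment of the first post's implementation and from a plain string suffix check. Splitting only on unescaped commas and comparing attribute types and values case-insensitively after trimming are assumptions of the example.

```python
import re
from typing import List, Tuple

# Comma that is not preceded by a backslash: an escaped "\," inside an
# attribute value must not split the RDN.
_UNESCAPED_COMMA = re.compile(r'(?<!\\),')


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 2253-style string DN into normalised (type, value) RDNs."""
    rdns = []
    for part in _UNESCAPED_COMMA.split(dn):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        # Assumption: case-insensitive types and values after trimming.
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def x500_name_match(first: str, second: str) -> bool:
    """TC interpretation: the RDNs of `first` are a terminal sequence of
    the RDNs of `second` (same order, same count, right-aligned)."""
    a, b = parse_dn(first), parse_dn(second)
    if not a or len(a) > len(b):
        return False
    return b[len(b) - len(a):] == a


def x500_name_equal(first: str, second: str) -> bool:
    """x500Name-equal: identical RDN sequences."""
    return parse_dn(first) == parse_dn(second)


def unordered_containment(first: str, second: str) -> bool:
    """Set-containment reading (first post): every RDN of `first` appears
    somewhere in `second`, order ignored."""
    return set(parse_dn(first)) <= set(parse_dn(second))


if __name__ == "__main__":
    # Constructed sample from the TC example in the post above.
    print(x500_name_match("ou=xacml,o=oasis", "dn=alice,ou=xacml,o=oasis"))
```

Note that a string suffix test such as endsWith would accept a second argument ending in "bou=xacml,o=oasis" because the RDN boundary is ignored, whereas the RDN-sequence comparison does not.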