
mace-opensaml-users - Re: [OpenSAML] OpenSAML 2.0 custom data type help

Subject: OpenSAML user discussion

  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] OpenSAML 2.0 custom data type help
  • Date: Mon, 09 Feb 2009 21:17:42 -0500



Scott Cantor wrote:
> > I suppose one could argue that in any schema-typed world, XSD or otherwise,
> > that: if you want to care about schema validation, then you have to know
> > a-priori what you are willing to accept, based on out-of-band agreement.  And
> > if someone sends you something that you don't understand, then it *should*
> > fail, by design.
>
> That would be too brittle a system, unfortunately.

  

Perhaps it is and probably is too brittle for me as well.  My whole point though, is that if someone cares enough about data model validity and strictness that they want to do schema validation, then they probably want it brittle, by design.  They *want* it to fail if things happen outside of what they've pre-conceived and pre-arranged.

And (channeling those people), I'd say that's doubly so in a security system.  If the SAML AttributeValue I laxly accept as an XSAny/ElementProxy - and essentially ignore since by the same logic I don't know what it is and can't handle it  - contained data that, had I understood it, would have led me to deny access to a resource rather than grant, then that's probably not good.

And alternatively, if I understood it such that I can process it in the application layer as an XSAny/ElementProxy (by knowing the content model), then that implies I knew in advance what I'd be receiving, and just as easily could have handled it using the strong typing model with xsi:type, had I so chosen.  Just with a different mechanism.

Mostly I'm just playing devil's advocate, but I'm not 100% convinced that it's fundamentally broken, depends on the assumptions.  Probably most people don't want that level of strictness.  (But I bet if we had anybody here from the NSA, they'd disagree.)


  
> That's exactly what it is, but in most cases, critical semantics are harmful to interop, and are certainly not universally desired. It would be fine if XSD had a way to signal that, but it treats all types as critical. There's no lax option for types, only wildcards.
  

Yes, I agree it would be nice if you could signal laxness for things other than wildcards. 
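
An added illustration of the trade-off debated in this message, not code from the thread or from OpenSAML: a relying party that ignores an `AttributeValue` whose `xsi:type` it does not understand grants access, while one that treats every type as critical fails closed. It uses only the Python standard library; the sample statement is constructed, and the `ex:RestrictionType` type, the `payroll` rule and the function names are hypothetical.

```python
import io
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XS = "http://www.w3.org/2001/XMLSchema"
# Types this relying party agreed, out of band, to understand.
KNOWN_TYPES = {(XS, "string")}

# Constructed sample: the second attribute carries a hypothetical custom type.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML}" xmlns:xsi="{XSI}"
    xmlns:xs="{XS}" xmlns:ex="urn:example:custom">
  <saml:Attribute Name="role">
    <saml:AttributeValue xsi:type="xs:string">staff</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="restriction">
    <saml:AttributeValue xsi:type="ex:RestrictionType"><ex:Deny resource="payroll"/></saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def read_values(xml_text):
    """Return [(attribute name, (type namespace, local name) or None, text)]."""
    # Simplification: assumes a prefix is never rebound inside the document.
    prefixes = {}
    it = ET.iterparse(io.BytesIO(xml_text.encode()), events=("start-ns",))
    for _, (prefix, uri) in it:
        prefixes[prefix] = uri
    out = []
    for attr in it.root.iter(f"{{{SAML}}}Attribute"):
        for val in attr.findall(f"{{{SAML}}}AttributeValue"):
            qname = val.get(f"{{{XSI}}}type")
            xtype = None  # untyped values count as "not understood" here
            if qname is not None:
                prefix, _, local = qname.rpartition(":")
                xtype = (prefixes.get(prefix), local)
            out.append((attr.get("Name"), xtype, val.text))
    return out


def decide(xml_text, strict):
    """Grant 'payroll' to staff; strict mode treats every type as critical."""
    understood, unknown = [], []
    for name, xtype, text in read_values(xml_text):
        (understood if xtype in KNOWN_TYPES else unknown).append((name, text))
    if strict and unknown:
        return "deny"  # fail closed: something arrived that we cannot interpret
    return "grant" if ("role", "staff") in understood else "deny"
```

With the sample above, `decide(SAMPLE, strict=False)` grants because the restriction is silently skipped, and `decide(SAMPLE, strict=True)` denies.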



