
shibboleth-dev - Re: Negated require rules?

Subject: Shibboleth Developers


Re: Negated require rules?


  • From: Brent Putman <>
  • To:
  • Subject: Re: Negated require rules?
  • Date: Fri, 26 Oct 2007 16:28:20 -0400

FWIW, I was recently going over XACML. The XACML 2.0 core spec document
specifically calls out the danger of negative rules in their security
and privacy considerations discussion, see section 9.1.7. They discuss
the attribute suppression issue/danger, as well as a second danger,
namely that of a change in the meaning/composition of the base group
that is allowed access (i.e. those that don't have the "denial
attribute", where the negation is used in a "subtractive" manner from
this base group) without a corresponding change in the policy rule(s).
The XACML policy language does allow such rules, but with the caveat
"... it is recommended that they be used with care and avoided if possible."

--Brent



Scott Cantor wrote:
> I'm going through old bugs and requests so I can close out feature
> development, and I ran into one I'm not sure whether to implement or not.
>
> https://bugs.internet2.edu/jira/browse/SSPCPP-48
>
> I'm going to redo the htaccess logic anyway, because it's horrible to read,
> and it's inefficient anyway, but adding negation concerns me. I can do it,
> the other ACL plugin already supports the idea, but when I started thinking
> about how to deal with null/missing data, I realized that this is
> potentially dangerous to rely on.
>
> Basically, saying that the presence of a value triggers a denial of access
> is very dependent on attribute release never falling into the user's hands.
> If I can gain access simply by refusing the release of some of my
> attributes, obviously I will.
>
> So even though I supported NOT rules in my XML plugin, I'm not so sure this
> is a good thing to add to htaccess. It's also very confusing when you
> combine it with ShibRequireAll and that whole mess. I'm thinking this might
> be better left alone.
>
> Thoughts?
>
> -- Scott
>
>
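A toy rule evaluator, added here as an illustration and not code from the Shibboleth SP or from either poster, showing the failure mode the thread describes: a subtractive (negated) rule flips to "allow" when the denial attribute is simply not released, while an additive rule that requires a positive assertion keeps failing closed. Attribute names, values and the sample sessions are constructed.

```python
# Added example (not Shibboleth SP code): evaluate positive and negated
# "require"-style rules against the attributes an IdP actually released,
# to show why denying on the *presence* of an attribute fails open when
# that attribute is withheld.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    attribute: str          # attribute name, e.g. "affiliation" (constructed)
    values: frozenset       # values that satisfy the rule
    negated: bool = False   # True: satisfied when NO matching value is present


def rule_matches(rule: Rule, attrs: dict) -> bool:
    """Evaluate one rule. attrs maps attribute name -> set of released values;
    a missing key means nothing was released for it (or the user suppressed it)."""
    released = attrs.get(rule.attribute, set())
    present = bool(released & rule.values)
    return (not present) if rule.negated else present


def authorize(rules, attrs, require_all=True) -> bool:
    """require_all=True mirrors an AND of rules; False mirrors an OR."""
    results = [rule_matches(r, attrs) for r in rules]
    return all(results) if require_all else any(results)


# Constructed sample sessions for the same user: once with full release,
# once with the "suspended" entitlement withheld.
STAFF_FULL = {"affiliation": {"staff"}, "entitlement": {"urn:example:suspended"}}
STAFF_SUPPRESSED = {"affiliation": {"staff"}}

# Subtractive policy: staff may enter unless flagged suspended.
NEGATED_POLICY = [
    Rule("affiliation", frozenset({"staff"})),
    Rule("entitlement", frozenset({"urn:example:suspended"}), negated=True),
]
# Additive policy: only users positively asserted as active staff may enter.
POSITIVE_POLICY = [
    Rule("affiliation", frozenset({"staff"})),
    Rule("entitlement", frozenset({"urn:example:active"})),
]


def demo() -> dict:
    return {
        "negated_full": authorize(NEGATED_POLICY, STAFF_FULL),              # False
        "negated_suppressed": authorize(NEGATED_POLICY, STAFF_SUPPRESSED),  # True
        "positive_full": authorize(POSITIVE_POLICY, STAFF_FULL),            # False
        "positive_suppressed": authorize(POSITIVE_POLICY, STAFF_SUPPRESSED),  # False
    }
```

Only the negated policy changes its answer between the two sessions, which is the dependency on "attribute release never falling into the user's hands" that the thread warns about.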
