xacml message
Subject: Re: [xacml] [CR] Add Default-deny policy combination algorithm
On Thu, 22 Aug 2002, Anne Anderson wrote:
> On 22 August, Polar Humenn writes: Re: [xacml] [CR] Add Default-deny policy combination algorithm
> > If we add that, we should probably add the analogous "Default-permit"
> > algorithm as well to keep it symmetric.
>
> Default-deny is needed to prevent security breaches, such as
> having web services interpret NotApplicable as "Permit", where
> this is not the intent.
>
> Default-permit might be nice for symmetry, but it is not
> necessary.
Just because you have a reason for one doesn't preclude the need for the
other. Why do you say it is not "necessary"?
I can just as well write a policy for saying that we don't allow anybody
in the role of Salesman in the wash room, but permit anybody else:
Default-Permit
{
Role is "Salesman" - Deny
}
What's so unnecessary about that?
-Polar
> Anne
> --
> Anne H. Anderson Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311 Tel: 781/442-0928
> Burlington, MA 01803-0902 USA Fax: 781/442-1692
>
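
The two positions in this exchange, as an added sketch that is not part of the original messages or of the XACML specification. It assumes "Default-deny" and "Default-permit" mean that a NotApplicable result from the combined rules is replaced by Deny or Permit; the rule() helper, the simplified first_applicable() combiner, the two enforcement-point functions and the PAYROLL policy are constructed for illustration.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"

def rule(attribute, value, effect):
    """Rule that yields `effect` when request[attribute] == value, else NotApplicable."""
    def evaluate(request):
        return effect if request.get(attribute) == value else Decision.NOT_APPLICABLE
    return evaluate

def first_applicable(rules, request):
    """Simplified combiner: the first rule that applies decides (assumed base algorithm)."""
    for r in rules:
        decision = r(request)
        if decision is not Decision.NOT_APPLICABLE:
            return decision
    return Decision.NOT_APPLICABLE

def default_deny(rules, request):
    """Assumed semantics: NotApplicable is replaced by Deny."""
    d = first_applicable(rules, request)
    return Decision.DENY if d is Decision.NOT_APPLICABLE else d

def default_permit(rules, request):
    """Assumed semantics: NotApplicable is replaced by Permit."""
    d = first_applicable(rules, request)
    return Decision.PERMIT if d is Decision.NOT_APPLICABLE else d

def lenient_pep(decision):
    """Enforcement point that grants access on anything except Deny (the case Anne warns about)."""
    return decision is not Decision.DENY

def strict_pep(decision):
    """Enforcement point that grants access only on an explicit Permit."""
    return decision is Decision.PERMIT

# Polar's wash room policy: Role is "Salesman" - Deny, everyone else permitted.
WASHROOM = [rule("role", "Salesman", Decision.DENY)]
# Constructed policy with only a Permit rule, to show the NotApplicable gap.
PAYROLL = [rule("role", "Manager", Decision.PERMIT)]

if __name__ == "__main__":
    for role in ("Salesman", "Engineer"):
        print("washroom", role, default_permit(WASHROOM, {"role": role}).value)
    intern = {"role": "Intern"}
    print("payroll, no default:", first_applicable(PAYROLL, intern).value,
          "lenient PEP grants:", lenient_pep(first_applicable(PAYROLL, intern)))
    print("payroll, default-deny:", default_deny(PAYROLL, intern).value,
          "lenient PEP grants:", lenient_pep(default_deny(PAYROLL, intern)))
```

With the default applied inside the policy, the decision no longer depends on how the enforcement point reads NotApplicable.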