OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] [CR] Add Default-deny policy combination algorithm

    Posted 08-22-2002 15:46


    Subject: Re: [xacml] [CR] Add Default-deny policy combination algorithm


    On Thu, 22 Aug 2002, Anne Anderson wrote:
    
    > On 22 August, Polar Humenn writes: Re: [xacml] [CR] Add Default-deny policy combination algorithm
    >  > If we add that, we should probably add the analogous "Default-permit"
    >  > algorithm as well to keep it symmetric.
    >
    > Default-deny is needed to prevent security breaches, such as
    > having web services interpret NotApplicable as "Permit", where
    > this is not the intent.
    >
    > Default-permit might be nice for symmetry, but it is not
    > necessary.
    
    Just because you have a reason for one, doesn't preclude the need for the
    other. Why do you say it is not "necessary"?
    
    I can just as well write a policy for saying that we don't allow anybody
    in the role of Salesman in the wash room, but permit anybody else:
    
    Default-Permit
    {
    	Role is "Salesman" - Deny
    }
    
    What's so unnecessary about that?
    
    -Polar
    
    > Anne
    > --
    > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    > Sun Microsystems Laboratories
    > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
    > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    >
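
Added example, not part of the original message or of any XACML specification text: a small Python evaluator showing both defaults discussed in this thread, using the washroom policy from the message and a constructed payroll policy for the NotApplicable-treated-as-Permit case. The combining semantics (first applicable rule decides, otherwise the default), the `lenient_pep_allows` helper, and all attribute names are assumptions made for illustration.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"

class Rule:
    """A rule applies when every attribute in `target` matches the request."""
    def __init__(self, target, effect):
        self.target = target
        self.effect = effect

    def evaluate(self, request):
        if all(request.get(k) == v for k, v in self.target.items()):
            return self.effect
        return Decision.NOT_APPLICABLE

def combine(rules, request, default=Decision.NOT_APPLICABLE):
    """Assumed semantics: first applicable rule decides; otherwise `default`."""
    for rule in rules:
        result = rule.evaluate(request)
        if result is not Decision.NOT_APPLICABLE:
            return result
    return default

def default_deny(rules, request):
    return combine(rules, request, default=Decision.DENY)

def default_permit(rules, request):
    return combine(rules, request, default=Decision.PERMIT)

# The washroom policy from the message: Default-Permit { Role is "Salesman" - Deny }
WASHROOM = [Rule({"role": "Salesman"}, Decision.DENY)]

# Constructed policy for the breach scenario: only managers may read payroll.
PAYROLL = [Rule({"role": "Manager", "action": "read"}, Decision.PERMIT)]

def lenient_pep_allows(decision):
    """An enforcement point that treats anything but Deny as access granted."""
    return decision is not Decision.DENY

if __name__ == "__main__":
    clerk = {"role": "Clerk", "action": "read"}  # constructed request
    print(default_permit(WASHROOM, {"role": "Salesman"}))
    print(default_permit(WASHROOM, {"role": "Engineer"}))
    print(combine(PAYROLL, clerk), lenient_pep_allows(combine(PAYROLL, clerk)))
    print(default_deny(PAYROLL, clerk), lenient_pep_allows(default_deny(PAYROLL, clerk)))
```

With no default, the clerk's request yields NotApplicable and the lenient enforcement point grants access; under the default-deny wrapper the same request is refused.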
    
    

