On Mon, 17 Dec 2001, Anne Anderson wrote:
> On 17 December, Polar Humenn writes: Re: [xacml] [Model] Re: Composition Use Case
> > > I don't think the language syntax itself can handle the matching
> > > rules for real-world sets of attributes. I think the language
> > > must have a way of pointing to executables for handling the
> > > matching.
> >
> > And what assurance do you have that the executable does the right thing?
>
> The pointer to the executable should be supplied by the policy
> issuer, as a reflection of the issuer's intent.
What guarrantee does the policy issuer have that the executable will not
change at the time of issuance. More over, what assurance does the policy
evaluator have that the pointed to executable will not do something bad,
like creating a covert channel?
> The policy itself, which contains the pointer, must be signed.
Why? Cannot the policy be retrieved from a trusted source?
> The executable can be signed (either by the policy issuer or by a
> delegate), or the signed policy that contains the pointer could
> contain a hash of the executable. There are certainly other ways.
By what method will the "executable" be signed? How can that "hash of the
executable" be interoperable, say if it's linked on a variety of different
platforms?
And how does one retreive this executable should you not have one?
Cheers,
-Polar
> Anne
> --
> Anne H. Anderson Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311 Tel: 781/442-0928
> Burlington, MA 01803-0902 USA Fax: 781/442-1692
>