Re: XACML TC Charter Revision - Strawman

[bill parducci <bill@parducci.net>]

> In my former life as a consultant, I remember several conversations in which
> the person I was talking to was making such drastic assumptions about the
> untrustworthiness of certain components, that it seemed impossible to make
> any statement about the security properties of the system in question.

great anecdote! this is EXACTLY the same thing as basing a design
decision upon the absolute assurance that something cannot happen.
guaranteeing that an event is impossible is not realistic nor
recommended. at some point we have to stop quibbling over the problem
and address the solution.

> Security is a form of risk management and it is necessary to weigh both the
> probability of compromise and its impact.

thanks for reiterating my previous statements. since we cannot guarantee
absolute authentication, we are required to weigh the reality of
compromise to the inconvenience of limiting the exposure. therefore i
once again suggest that is in our best interest to do due diligence in
determining what the ramifications of discrete responses are. 

i am only trying to raise the awareness of the group that the best we
can do is to develop a system that is very hard to compromise. i will be
the first to admit that i am weak in formal security concepts, but do
have practical experience with hacking and have yet to see a system that
is invulnerable, particularly one that relies upon trust from a remote
system. 

that said, if the group decides that further investigation is not
worthwhile i will be happy to move onto another topic. otherwise, i will
continue reassert my premise that there is the possbility of compromise
and that the best recourse is to EVALUATE discrete response codes (or
any other option members may come up with, including silence) upon the
design, implementation and supportability of the specification. 

b