

Subject: [xacml] Review of 10. Security and Privacy section



Hi,

[This is actually a review of the new text that Hal just submitted.]

Just a couple of questions.

1. Should this be called "Security and Privacy Considerations" instead of just "Security and Privacy"?

2. In the "Statement Level Confidentiality" section, 1st paragraph, it says "... a PRP only needs access to the target elements in order to find the appropriate rules".  Should this say "rules/policies", or just "policies", instead of "rules"?

3. In the "Policy Integrity" section, 4th paragraph, it says "The PDP SHOULD NOT request a rule based on who signed the rule...".  Should both occurrences of "rule" be "policy"?

4. In the "Resource Matching" section, 1st paragraph, it says "... the policy result of "Not Applicable" is treated as equivalent to "Permit" as is common in many web servers".  I'm a bit surprised that this is true (although I probably shouldn't be!).  In any case, we probably don't want to encourage this behaviour.  Should we simply not mention this, or should we at least say that this behaviour is not recommended?


Carlisle.


