BTG issues

[David Chadwick <d.w.chadwick@kent.ac.uk>]

Dear All

from the in depth discussions we have had on the call today, I have 
listed the following issues and their current state of resolution

1. Should there be a BTG state attribute. Unanimously agreed by the call 
that there should be.

2. Should there be a standardised BTG response from the PDP (vs. user 
knows by magic that he can break the glass). Majority in favour of this 
but its not yet unanimous.

3. When the BTG action is granted, should there be either an obligation 
in the policy to set the BTG state vs. a special purpose application 
such as a Glass manager that knows it has to set the state. There is no 
agreement on this issue yet.

4. Should the BTG mechanism only use existing components in standard 
mode. This was agreed unanimously.

5. Can BTG be made into a more generic model (e.g. to include dynamic 
roles or alert status) rather than being specific to BTG. David proposed 
yes, if we replace BTG by the general concept of a third class of user 
who is entitled to override a Deny if he is willing to take the 
consequences, then we can remove all mention to BTG and call it 
Controlled Access Override

6. Should different mechanisms be used for inter organisational use case 
vs. intra organisational use case. David proposes this issue is out of 
scope of the discussion since it is not an issue addressed in general by 
XACML.

7. Should the standardised BTG response (if there is one) contain advice 
to the user which details the obligations that will be carried out if he 
decides to override the deny (so the user knows in advance what the 
outcomes of his override will be). General feeling that this is a good 
thing.

8. What are the dimensions of the state attribute and should it be 
standardised how these dimensions are specified? This issue was not 
discussed in the call today, but has been raised on the list. There 
seems to be general agreement that the state is multi-dimensional and 
based on attributes of the subject, action, resource and environment.

I would propose that we address issue 5 first in more depth, since this 
concerns scoping of the work, and whether it is restricted to BTG or to 
a more general concept of there being some class of user (as specified 
in the policy) who is able to turn a deny into a grant.

regards

David


-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************