Subject: RE: [dss] Policy-wise Server profile doc
I feel there may be a need to separate out those controls which come from the requester and those which are a set of "policy controls" which come from an authority in separate optional inputs.

Nick

> -----Original Message-----
> From: Trevor Perrin [mailto:trevp@trevp.net]
> Sent: 22 March 2004 17:01
> To: Paul Madsen
> Cc: dss@lists.oasis-open.org
> Subject: RE: [dss] Policy-wise Server profile doc
>
>
> At 10:24 AM 3/22/2004 -0500, you wrote:
>
> >Hi Trevor, just to summarize, you question the relevance of supporting
> >signed policy statements, partly because of complexity and partly because of
> >the fact that, as the DSS Server must already trust its client to send only
> >valid requests, it might as well also trust it to send policy.
> >
> >With respect to complexity, I'm sure we could support signed policy with a
> >minimum of additional complexity.
> >
> >With respect to the latter, to my mind, you are conflating two different
> >trust decisions that the DSS Server needs to make - 'Is the request coming
> >from a trusted client?' and 'Do any policy statements in the request come
> >from a trusted policy authority (that is authoritative for the document to
> >be signed and the eventual recipient)?'
> >
> >The DSS Server makes the first trust decision based on the identity of the
> >requestor and some criteria that defines the community of trusted clients.
> >
> >The DSS Server makes the second trust decision based on the origin of the
> >policy statements, and some combination of the nature of the doc being
> >signed and the eventual recipient.
> >
> >It may be the case that the two communities - 'trusted clients' and 'trusted
> >policy authorities' are the same.
>
> That's a good summary - I guess I think that the 1st community is a subset
> of the 2nd - trusted clients are also trusted policy authorities.
>
> Or at least, if you trust them to send the input documents, you should
> trust them to the lesser degree of sending policy.
>
> Trevor