[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: Resource sets and resource string semantics
I entirely disagree with the statements made by Hal.
First every Web server I have ever administered has grouped documents
together on the basis of access rights. I don't think it is unusual for this
to take place. I think it is the overwhelming norm.
The same was true when I built database systems and ran large VMS systems, I
would group files into directories by function and by access permissions. In
most cases the two went together.
Second who said anything about the PDP volunteering information?
PEP: Can Alice access http://www.hp.com/finance/fred.xls
[And what neighboring files can Alice access]
PDP: Yes, and Alice can access http://www.hp.com/*
To get a wildcard response the client should affirmatively request it:
<Respond>
<string>Decision
<string>Assertion
<string>ResourceWildcard
I don't think that the use case raised by HP was rare or unusual in the
slightest. It is the most commonplace type of operational optimization an
O/S level PEP is likely to perform.
The counter-example is VMS where the lack of a means of saying 'everything
in this directory and descendents has these permissions' led to some pretty
wierd ACL propagation rules which were a nightmare.
In fact since many Web protocols specify a default resource, having a means
of distinguishing the directory permissions from permissions on the default
resource is likely to be essential.
I think it is much better that the standard propose a means of optimizing
the PEP-PDP conversation rather than have multiple ad-hoc optimization
schemes develop.
I do not see an interoperability problem here:
1) A Client that does not support Resource Wildcard never specifies
it in a request
2) A server that does not support Resource wildcard on part or all
of the database simply ignores the Respond keyword and does not generate a
wildcard resource in the response.
Phill
Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227
> -----Original Message-----
> From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
> Sent: Monday, May 07, 2001 4:47 PM
> To: 'Philip Hallam-Baker'; 'Edwards, Nigel'; Hal Lockhart;
> security-services@lists.oasis-open.org
> Subject: RE: Resource sets and resource string semantics
>
>
> I think before we discuss HOW to do this sort of thing we
> should discuss
> whether it desirable.
>
> > The way I would see the conversation going is:
> >
> > PEP: Can Alice access http://www.hp.com/finance/fred.xls
> > PDP: Yes, and Alice can access http://www.hp.com/*
> >
> > PEP: Can Alice access http://www.hp.com/finance/mary.xls
> > PEP-Cache: Yes
>
> I feel very uncomfortable about the PDP volunteering
> information it has not
> been asked for. It seems to add various kinds of risks without clear
> benefit.
>
> > I don't like the idea of unconstrained wildcard matching etc.
> > However simple
> > hierarchical partitioning is probably enough for what we
> > need. After all the
> > admin will probably organize directories so that the wildcards match
> > cleanly.
>
> Our experience has been that this is not the case. Names are
> chosen for
> reasons other that access patterns. A naming scheme which
> works for one
> category of user does not fit another.
>
> This would seem to me to optimize a rather rare situation,
> while adding
> various risks.
>
> Hal
>
Phillip Hallam-Baker (E-mail).vcf
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC