

Subject: RE: Negative Policies



If we are to provide for multiple policy models, I don't think we can really judge whether a policy model is dangerous or not. The fact is, some people do use this model, even if we consider it dangerous - usually for the practical reason Bill mentioned.

Ken Yagen
Director, Software Development
CrossLogix, Inc
www.crosslogix.com
 

-----Original Message-----
From: bill parducci [mailto:bill@parducci.net]
Sent: Wednesday, September 19, 2001 4:01 PM
To: xacml@lists.oasis-open.org
Subject: Re: Negative Policies


two things:

1. negative policies based upon identity live in a bounded universe. it
is not possible to change the deterministic properties of that universe
unless multiple entities have the same identity (a very poor
implementational decision even when separated by time). this is why i suggested
that negative policies be limited to identity and not be based upon
attributes.

2. from a practical standpoint, preventing 1 identity in 10,000
from having access to a resource requires one negative policy or 9,999
positive policies.

ok, 3 things:

why is it mandatory for a negative policy to fail open? if by that you
mean the rules of determination yield an undesired result, this is
addressed above (i.e. shouldn't happen with the aforementioned constraints.)
if you are suggesting that modification of the inputs in an unplanned manner
is not deterministic, the resulting action is an implementation issue.

b

On Wed, 2001-09-19 at 14:52, Hal Lockhart wrote:
> At the F2F I raised the issue of negative policies. Although I still believe
> they are dangerous and should be avoided, the group has largely convinced me
> we will have to provide for them.
>
> I would, however, like to address one specific point. I asserted that one of
> the reasons that negative policies are bad is that sooner or later, the
> universe that negative is defined in will be changed, thus changing the
> semantics of the policy even though the policy itself has not been modified.
>
> Carlisle pointed out quite correctly that the same thing happens for
> positive policies and asked why the situation is not symmetrical.
>
> Later I realized the answer. Positive policies fail closed, negative
> policies fail open. Failing closed (default deny) is preferable for two
> related reasons. First is the general security practitioner paranoid view
> that good security means that things should only be allowed if explicitly
> specified. (Cheswick and Bellovin refer to the choice between this and its
> opposite as the security "stance".)
>
> The second is purely practical. If new resources are added (for example) and
> users can not get to them, the users will complain and the admin will fix
> the policy. This is a nuisance, but no big deal.
>
> If on the other hand, new resources are added and anybody can get at them,
> no one will notice, except possibly the bad guys, who are unlikely to
> complain.
>
> Hal
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
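
Added example, not part of the original messages: a small Python model of the two points argued in this thread, the 1-versus-9,999 rule count and what each kind of policy decides after the universe grows while the policy text stays unchanged. The identity names, resource names and helper functions are constructed for illustration and are not XACML constructs.

```python
from itertools import product

PERMIT, DENY = "Permit", "Deny"

class PositivePolicy:
    """Lists what is permitted; anything unlisted is denied (fails closed)."""
    def __init__(self, pairs):
        self.rules = frozenset(pairs)
    def decide(self, subject, resource):
        return PERMIT if (subject, resource) in self.rules else DENY

class NegativePolicy:
    """Lists what is denied; anything unlisted is permitted (fails open)."""
    def __init__(self, pairs):
        self.rules = frozenset(pairs)
    def decide(self, subject, resource):
        return DENY if (subject, resource) in self.rules else PERMIT

def build_both(subjects, resources, blocked):
    """Encode one intent two ways: everyone except `blocked` may use `resources`."""
    positive = PositivePolicy((s, r) for s, r in product(subjects, resources)
                              if s != blocked)
    negative = NegativePolicy((blocked, r) for r in resources)
    return positive, negative

def permitted_outside(policy, subjects, resources, original):
    """Pairs the unmodified policy permits that lie outside the universe it was written for."""
    return {(s, r) for s, r in product(subjects, resources)
            if (s, r) not in original and policy.decide(s, r) == PERMIT}

# Constructed sample universe: 10,000 identities, one resource, one blocked identity.
SUBJECTS = [f"user{n:05d}" for n in range(1, 10001)]
RESOURCES = ["payroll"]
BLOCKED = "user00042"
ORIGINAL = set(product(SUBJECTS, RESOURCES))
POSITIVE, NEGATIVE = build_both(SUBJECTS, RESOURCES, BLOCKED)

# The universe grows (a new resource is deployed); neither policy is edited.
GROWN = RESOURCES + ["audit-log"]

if __name__ == "__main__":
    print("rules needed:", len(POSITIVE.rules), "positive vs",
          len(NEGATIVE.rules), "negative")
    for name, pol in (("positive", POSITIVE), ("negative", NEGATIVE)):
        leaked = permitted_outside(pol, SUBJECTS, GROWN, ORIGINAL)
        print(name, "policy permits", len(leaked), "pairs no rule was written for;",
              "blocked identity on audit-log ->", pol.decide(BLOCKED, "audit-log"))
```

Both encodings agree inside the original universe; they diverge only on pairs added afterwards, which is where the default decision takes over.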



