
xacml message



Subject: Re: Negative Policies


> Later I realized the answer. Positive policies fail closed, negative
> policies fail open. Failing closed (default deny) is preferable for two
> related reasons. First is the general security practitioner paranoid view
> that good security means that things should only be allowed if explicitly
> specified.

negative policies fail open if negative authorizations are the only thing
you have (meaning you stick to the classical open policy of "i
support *only* negative authorizations and whatever i do not deny it is
allowed"). i do not believe that this was ever the case in our discussion.

best
-p
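
The distinction drawn in this message, as an added example that is not part of the original post or of the XACML specification: a deny-overrides evaluator run once as an open policy (negative rules only, default Permit) and once as a closed policy that also carries a negative rule (default Deny). The rule tuple format, function names and sample policies are assumptions constructed for illustration.

```python
# Added illustration; the rule format and names are assumptions, not XACML syntax.
from typing import Iterable, Tuple

Rule = Tuple[str, str, str, str]   # (effect, subject, action, resource); "*" is a wildcard
Request = Tuple[str, str, str]     # (subject, action, resource)

def _matches(rule: Rule, request: Request) -> bool:
    # A rule applies when every pattern is "*" or equals the request value.
    return all(p in ("*", v) for p, v in zip(rule[1:], request))

def evaluate(rules: Iterable[Rule], request: Request, default: str) -> str:
    """Deny-overrides: a matching Deny wins, then a matching Permit;
    if no rule applies, `default` decides which way the policy fails."""
    effects = {r[0] for r in rules if _matches(r, request)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return default

# Constructed sample policies.
OPEN_NEGATIVE_ONLY = [("Deny", "guest", "write", "*")]
CLOSED_WITH_NEGATIVES = [
    ("Permit", "staff", "read", "*"),
    ("Deny", "staff", "read", "payroll"),   # negative rule as an exception
]

def decisions() -> dict:
    unforeseen = ("contractor", "delete", "payroll")  # no rule mentions this request
    return {
        # Open policy: whatever is not denied is allowed, so it fails open.
        "open_unforeseen": evaluate(OPEN_NEGATIVE_ONLY, unforeseen, "Permit"),
        # Closed policy with a negative rule: still fails closed.
        "closed_unforeseen": evaluate(CLOSED_WITH_NEGATIVES, unforeseen, "Deny"),
        "closed_permit": evaluate(CLOSED_WITH_NEGATIVES, ("staff", "read", "wiki"), "Deny"),
        "closed_exception": evaluate(CLOSED_WITH_NEGATIVES, ("staff", "read", "payroll"), "Deny"),
    }

if __name__ == "__main__":
    for name, decision in decisions().items():
        print(f"{name}: {decision}")
```

The fail direction comes from the `default` argument, not from the presence of Deny rules: the same negative rule in the closed policy only narrows an existing Permit.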





