Subject: RE: [xacml] We resolve ...
Hi

> Should Hal and I interpret the silence to mean that everyone is ready
> to vote in favour of Tim's proposals?

I agree with the fact that the current proposal is able to implement the global deny scenario. No doubt about that: if your restrictions (i.e., the deny you want to enforce) are ANDed with the other possible policies, nobody will be able to overrule your restrictions.

The reason why I am not too excited with the current proposal is that it seems perfectly fine for communicating policies, but it seems complex to manage. First of all, you have to make sure that the applicable policy is in a single place (sure, possibly using URLs of other policies), but you cannot allow overlapping targets (which seemed to be the case till now, I believe). Second, the priority of your rules is explicitly managed with the policy definition, which may make administration heavy.

Who is in charge of specifying the applicable policy? This will be the only one able to specify global deny: if I understand Tim/Anne's proposals correctly, possible negative authorizations in other policies have the effect only within that policy (this is fine with me, it seems conceptually clean). Now, for instance, suppose you want to enforce a situation in which any of us can grant authorizations and, possibly, denials for some access, and a denial-takes-precedence policy should be enforced (meaning it is sufficient that one of us says "deny" (because of a negative authorization), and the access should be rejected). How do you enforce this? You cannot have the different administrators operate on the applicable policy (meaning actually have writing privilege on that document).

I am not sure I will be in for the concall (if I can, I will stay for the beginning). I have already talked to Ernesto, who will participate. The plan should be to go over the issues to see champions and prepare for the F2F. If time allows, discuss Anne/Tim's proposals and maybe postconditions, which were never discussed in detail.

best
-p

P.S., Simon, have you circulated the alternative approach we talked about in the last concall?
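The two behaviours the message contrasts, as an added example that is not from the thread or the XACML specification: several administrators each own a policy over the same target, and a single Deny is enough to reject only under a deny-takes-precedence combination, while a central restriction policy ANDed in front wins whatever algorithm the others are combined with. The Policy class, the resource-only target matching and the administrator names are assumptions made for the illustration.

```python
from dataclasses import dataclass

# XACML decision values (the toy model ignores Indeterminate)
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

@dataclass
class Policy:
    owner: str      # administrator who controls this policy (assumed field)
    resource: str   # target: the policy applies only to this resource
    effect: str     # Permit or Deny when the target matches

    def evaluate(self, request):
        # A policy whose target does not match the request is NotApplicable
        return self.effect if request["resource"] == self.resource else NA

def deny_overrides(decisions):
    """Denial takes precedence: one Deny from any policy rejects the access."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NA

def permit_overrides(decisions):
    """The mirror image: a single Permit is enough to grant."""
    if PERMIT in decisions:
        return PERMIT
    return DENY if DENY in decisions else NA

def decide(request, policies, combine, restriction=None):
    """Evaluate every administrator's policy and combine the results.
    An optional central restriction is ANDed in front: its Deny cannot be
    overruled by any combining algorithm applied to the remaining policies."""
    if restriction is not None and restriction.evaluate(request) == DENY:
        return DENY
    return combine([p.evaluate(request) for p in policies])

# Constructed scenario (not from the thread): three administrators with
# overlapping targets; bob holds a negative authorization on /payroll.
admins = [
    Policy("alice", "/payroll", PERMIT),
    Policy("bob", "/payroll", DENY),
    Policy("carol", "/payroll", PERMIT),
]
central = Policy("security-office", "/payroll", DENY)  # the global deny

payroll_request = {"resource": "/payroll"}
public_request = {"resource": "/public"}
```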