OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [xacml] proposed amendment to Polar's resolution of PM-2-05

On Wed, 10 Apr 2002, bill parducci wrote:

> i don't wish to dwell on this because i think that we have a decision
> that all can agree with.
> > But the much more important reason in the context of this debate, is that
> > the PEP MUST be a trusted component! The PEP is responsible for enforcement.
> > If the PEP is subverted, it can ignore what the PDP says and allow any sort
> > of access it likes. It can even refuse to consult the PDP.
> rule #1 in hacking: prey upon assumptions. how do you know you are
> talking to the PEP?

C'mon. The PDP or what ever you call it, must authenticate its client (PEP
or anything else) to a level where it can trust even giving out an
Authorization Decision, let alone extra sensitive information.

Of course, you can make the PDP as secure as a brick, then you can throw
it a things.


> implementers can choose to ignore as it may not be worth reducing the
> desired feature set, however it is a risk.
> b
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC