[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [xacml] [CR] Add Default-deny policy combination algorithm
On Thu, 22 Aug 2002, Anne Anderson wrote: > On 22 August, Polar Humenn writes: Re: [xacml] [CR] Add Default-deny policy combination algorithm > > If we add that, we should probably add the analogous "Default-permit" > > algorithm as well to keep it semmetric. > > Default-deny is needed to prevent security breaches, such as > having web services interpret NotApplicable as "Permit", where > this is not the intent. > > Default-permit might be nice for symmetry, but it is not > necessary. Just because you have a reason for one, doesn't proclude the need for the other. Why do you say it is not "necessary"? I can just as well write a policy for saying that we don't allow anybody in the role of Salesman in a the wash room, but permit anybody else Default-Permit { Role is "Salesman" - Deny } What's so unnecessary about that? -Polar > Anne > -- > Anne H. Anderson Email: Anne.Anderson@Sun.COM > Sun Microsystems Laboratories > 1 Network Drive,UBUR02-311 Tel: 781/442-0928 > Burlington, MA 01803-0902 USA Fax: 781/442-1692 >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC