OASIS Mailing List Archives

xacml message



Subject: Re: [xacml] [CR] Add Default-deny policy combination algorithm


On Thu, 22 Aug 2002, Anne Anderson wrote:

> On 22 August, Polar Humenn writes: Re: [xacml] [CR] Add Default-deny policy combination algorithm
>  > If we add that, we should probably add the analogous "Default-permit"
>  > algorithm as well to keep it symmetric.
>
> Default-deny is needed to prevent security breaches, such as
> having web services interpret NotApplicable as "Permit", where
> this is not the intent.
>
> Default-permit might be nice for symmetry, but it is not
> necessary.

Just because you have a reason for one, doesn't preclude the need for the
other. Why do you say it is not "necessary"?

I can just as well write a policy for saying that we don't allow anybody
in the role of Salesman in the wash room, but permit anybody else

Default-Permit
{
	Role is "Salesman" - Deny
}

What's so unnecessary about that?

-Polar

> Anne
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>
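The two defaults discussed in this thread, as an added example that is not part of the original message or of the XACML specification. It assumes a "Default-X" combiner returns X when no rule applies and that Deny wins among matching rules; the policies, role names and the two enforcement-point functions are constructed for illustration.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"

def combine(rules, request, default):
    """Assumed semantics: collect the effect of every rule whose condition
    matches; Deny wins over Permit; `default` is returned if nothing matched."""
    effects = [effect for condition, effect in rules if condition(request)]
    if Decision.DENY in effects:
        return Decision.DENY
    if Decision.PERMIT in effects:
        return Decision.PERMIT
    return default

def default_deny(rules, request):
    return combine(rules, request, Decision.DENY)

def default_permit(rules, request):
    return combine(rules, request, Decision.PERMIT)

def no_default(rules, request):
    # Without a default, an unmatched request surfaces as NotApplicable.
    return combine(rules, request, Decision.NOT_APPLICABLE)

def lenient_pep(decision):
    """Hypothetical enforcement point that grants access unless it sees Deny,
    i.e. the misreading of NotApplicable as Permit described in the thread."""
    return decision is not Decision.DENY

def strict_pep(decision):
    """Hypothetical enforcement point that grants access only on Permit."""
    return decision is Decision.PERMIT

# Constructed policy: the wash-room rule from the message (Salesman -> Deny).
WASH_ROOM = [(lambda r: r.get("role") == "Salesman", Decision.DENY)]
# Constructed policy: only a Manager may read payroll.
PAYROLL = [(lambda r: r.get("role") == "Manager", Decision.PERMIT)]

if __name__ == "__main__":
    intern = {"role": "Intern"}
    for name, algo in [("no default", no_default), ("default-deny", default_deny)]:
        d = algo(PAYROLL, intern)
        print(f"payroll/{name}: {d.value}, lenient PEP grants: {lenient_pep(d)}")
    for role in ("Salesman", "Engineer"):
        d = default_permit(WASH_ROOM, {"role": role})
        print(f"wash room/default-permit, {role}: {d.value}")
```
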


