Re: [Geopriv] RE: [Simple] Changes in xcap-auth

From: Henning Schulzrinne <hgs@cs.columbia.edu>
Date: Fri Nov 07 2003 - 16:27:21 EST

[Trimming cc list]

This doesn't work under the GEOPRIV design assumption, where permissions
may be composed from multiple sources and where some of these sources may
(temporarily) be unavailable. While it is privacy-safe to omit
unavailable sources if you can only add permissions, it is distinctly
unsafe to ignore external references if you subtract permissions.

Even if you ignore this particular aspect, subtracting permissions does
not work as in the basic arithmetic. (It's closer to set operations,
actually.)

I'm guessing that a user expects that once a permission has been
subtracted, it can't get added back in by some other rule that also
happens to match. If you enforce this, you have to enforce ordering on
the way that permissions are computed: you have to first compute the
additive permissions for each field, then compute all the negative
permissions and remove them again. Thus, ordering matters and it becomes
really difficult to understand the interaction of multiple rule makers
that operate in sequence (personal policy plus corporate policy).
Naturally, this also significantly complicates the computation of
permissions.

If you do allow 'sticky' negative permissions (override everything) and
non-sticky ones (get overridden), you have now further increased the
complexity of the rule computation and decreased the predictability of
the system.

Thus, while it may seem easy to think of adding and subtracting
permissions as commutative and associative mathematical operations, they
are not really.

The biggest danger with security rule systems is unpredictable behavior,
i.e., where the rules get sufficiently complex that the user makes
mistakes in anticipating what exactly will happen under certain
circumstances. Teaching users about the intricacies of sticky and
non-sticky set operations does not seem, to me, a way to increase system
predictability.

Alex Audu wrote:

> All this is not too clear to me yet, but an exception can be viewed
> simply as a form of negative addition. Therefore it theoretically shouldn't
> violate the "additive permissions theory".
>
> The idea of a black list works fine in an enterprise type environment.
> I think I see value in it.
>
> Regards,
> Alex.
>

Received on Fri Nov 7 16:29:21 2003
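
The two effects described in the message above (omitting an unavailable source is only safe for additive rules, and subtraction makes the result depend on evaluation order) can be reproduced with a small model. This is an added example, not part of the original message or of any GEOPRIV or XCAP specification; the source names, field names and rule encoding are assumptions made for illustration.

```python
# Added illustration. Source names, field names and rules are constructed.
ADDITIVE = {
    "personal": [("+", "country"), ("+", "city")],
    "corporate": [("+", "building")],
}
SUBTRACTIVE = {
    "personal": [("+", "country"), ("+", "city")],
    "corporate": [("-", "city")],  # corporate policy removes a grant
}

def evaluate(sources, order, available=None):
    """Apply rules source by source, in order; skip sources that cannot be fetched."""
    granted = set()
    for name in order:
        if available is not None and name not in available:
            continue  # temporarily unavailable source is omitted
        for op, field in sources[name]:
            if op == "+":
                granted.add(field)
            else:
                granted.discard(field)
    return granted

def evaluate_sticky(sources, order):
    """Compute every additive grant first, then remove every subtracted field."""
    rules = [rule for name in order for rule in sources[name]]
    plus = {field for op, field in rules if op == "+"}
    minus = {field for op, field in rules if op == "-"}
    return plus - minus

def leaked_by_omission(sources, order, available):
    """Fields disclosed with a source missing that the full rule set would withhold."""
    return evaluate(sources, order, available) - evaluate(sources, order)

if __name__ == "__main__":
    order = ["personal", "corporate"]
    # Additive only: losing a source can only shrink the result, so nothing leaks.
    print(leaked_by_omission(ADDITIVE, order, {"personal"}))
    # With subtraction: losing the corporate source re-exposes "city".
    print(leaked_by_omission(SUBTRACTIVE, order, {"personal"}))
    # Sequential evaluation depends on which rule maker runs last.
    print(evaluate(SUBTRACTIVE, ["personal", "corporate"]))
    print(evaluate(SUBTRACTIVE, ["corporate", "personal"]))
    # Two-phase evaluation gives the same answer for either order.
    print(evaluate_sticky(SUBTRACTIVE, ["corporate", "personal"]))
```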
