[Standards-JIG] JEP-163 (SPPS) comments

Hal Rottenberg halr9000 at gmail.com
Sun Jan 29 20:44:57 UTC 2006


On 1/29/06, Kevin Smith <kevin at kismith.co.uk> wrote:
> > For all three of these, I think the "MUST allow" should be "SHOULD
> > allow", to account for other potential access controls that the
> > server may know.  One example might be ethical boundaries enforced
> > by a policy engine.
> Can you give an example? I'm keen on spps staying as simple and well
> defined as possible and only allowing doubt where absolutely necessary.

I can.  Take your average government agency.  In the U.S. at least, a
lot of the technology they use must support not only DAC
(discretionary access control lists) but MAC (mandatory).  Meaning I
can choose to share some data with Joe, but only if the MAC has been
satisfied first.  He may not have the appropriate security clearance.

Therefore, our hypothetical gov't jabber server may have an added
layer of security that checks the LDAP for fields which correspond to
a person's department, rank, clearance level, function, whatever. 
This is the policy engine JH referred to.

We don't want the JEP to prevent the evolution of this type of system.


--
Psi webmaster (http://psi-im.org)
im:hal at jabber.rocks.cc
http://halr9000.com
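
The layered check described in the message above, as an added example that is not part of the original post or of JEP-163: a mandatory (MAC) decision from directory attributes is evaluated before the owner's discretionary (DAC) list, so a "share with Joe" grant cannot override a clearance failure. The JIDs, clearance levels, attribute names and the `DIRECTORY` dict standing in for LDAP are all constructed assumptions.

```python
# Added illustration: layered MAC + DAC read check for a hypothetical server.
from dataclasses import dataclass, field

# Constructed ordering of clearance levels (assumption, not from JEP-163).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

# Constructed stand-in for LDAP entries keyed by bare JID.
DIRECTORY = {
    "alice@agency.example": {"clearance": "secret", "departments": {"ops", "intel"}},
    "joe@agency.example": {"clearance": "confidential", "departments": {"ops"}},
    "carol@agency.example": {"clearance": "top-secret", "departments": {"ops", "intel"}},
}

@dataclass
class Node:
    owner: str
    classification: str                             # mandatory label, set by policy
    departments: set = field(default_factory=set)   # need-to-know compartments
    allowed: set = field(default_factory=set)       # discretionary list set by owner

def mac_permits(requester, node, directory=DIRECTORY):
    """Mandatory check: clearance must dominate the label (no read up)."""
    entry = directory.get(requester)
    if entry is None:                 # unknown subject: fail closed
        return False
    level = LEVELS.get(entry.get("clearance"), -1)
    needed = LEVELS.get(node.classification)
    if needed is None:                # unknown label: fail closed
        return False
    return level >= needed and node.departments <= entry.get("departments", set())

def dac_permits(requester, node):
    """Discretionary check: the owner, or anyone the owner listed."""
    return requester == node.owner or requester in node.allowed

def may_read(requester, node, directory=DIRECTORY):
    """MAC is evaluated first; a DAC grant cannot override a MAC denial."""
    if not mac_permits(requester, node, directory):
        return False, "denied by policy engine (MAC)"
    if not dac_permits(requester, node):
        return False, "denied by owner's access list (DAC)"
    return True, "allowed"

# Constructed sample: Alice shares a secret/intel node with Joe and Carol.
NODE = Node("alice@agency.example", "secret", {"intel"},
            {"joe@agency.example", "carol@agency.example"})
```
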


