Cart
[Home] [By Thread] [By Date] [Recent Entries]
At 12:31 PM -0500 1/6/04, Rich Salz wrote: >Conventional security practice says that the owner of the resource >determines the security policy, not the accessor. Either side >should be able to "shut down" a session, but the resource owner gets >to determine how long the session lasts, since their data is what is >at risk of exposure. Let's accept that "the owner of the resource determines the security policy, not the accessor." That's reaosnable and I won't disagree with it. Who's the owner of the resource? That's a very tricky question? Does the bank own the information about my bank balance or do I? Does slashdot own my posts there or do I? Does Apache own the "My Bugs" page for bugs I've reported for Xerces or do I? I don't think there's one answer here that fits all cases. I suspect in many cases it's a confusing mish-mash of conflicting ownership claims. Perhaps even the concept of "ownership" doesn't really apply. Perhaps what should really be at issue here is liability. If your bank takes liability for someone cracking your password then perhaps they have the right to set the access policy. However, if they claim you're liable when someone cracks your password, then you should be in control. Again I don't think there's one answer here that fits all cases. -- Elliotte Rusty Harold elharo@m... Effective XML (Addison-Wesley, 2003) http://www.cafeconleche.org/books/effectivexml http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
|
