[
Lists Home |
Date Index |
Thread Index
]
At 12:31 PM -0500 1/6/04, Rich Salz wrote:
>Conventional security practice says that the owner of the resource
>determines the security policy, not the accessor. Either side
>should be able to "shut down" a session, but the resource owner gets
>to determine how long the session lasts, since their data is what is
>at risk of exposure.
Let's accept that "the owner of the resource determines the security
policy, not the accessor." That's reaosnable and I won't disagree
with it. Who's the owner of the resource? That's a very tricky
question? Does the bank own the information about my bank balance or
do I? Does slashdot own my posts there or do I? Does Apache own the
"My Bugs" page for bugs I've reported for Xerces or do I? I don't
think there's one answer here that fits all cases. I suspect in many
cases it's a confusing mish-mash of conflicting ownership claims.
Perhaps even the concept of "ownership" doesn't really apply. Perhaps
what should really be at issue here is liability. If your bank takes
liability for someone cracking your password then perhaps they have
the right to set the access policy. However, if they claim you're
liable when someone cracks your password, then you should be in
control. Again I don't think there's one answer here that fits all
cases.
--
Elliotte Rusty Harold
elharo@metalab.unc.edu
Effective XML (Addison-Wesley, 2003)
http://www.cafeconleche.org/books/effectivexml
http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
|
