OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip a

[ Lists Home | Date Index | Thread Index ]

At 12:31 PM -0500 1/6/04, Rich Salz wrote:

>Conventional security practice says that the owner of the resource 
>determines the security policy, not the accessor.  Either side 
>should be able to "shut down" a session, but the resource owner gets 
>to determine how long the session lasts, since their data is what is 
>at risk of exposure.

Let's accept that "the owner of the resource determines the security 
policy, not the accessor." That's reaosnable and I won't disagree 
with it. Who's the owner of the resource? That's a very tricky 
question? Does the bank own the information about my bank balance or 
do I? Does slashdot own my posts there or do I? Does Apache own the 
"My Bugs" page for bugs I've reported for Xerces or do I? I don't 
think there's one answer here that fits all cases. I suspect in many 
cases  it's a confusing mish-mash of conflicting ownership claims.

Perhaps even the concept of "ownership" doesn't really apply. Perhaps 
what should really be at issue here is liability. If your bank takes 
liability for someone cracking your password  then perhaps they have 
the right to set the access policy. However, if they claim you're 
liable when someone cracks your password, then you should be in 
control. Again I don't think there's one answer here that fits all 

   Elliotte Rusty Harold
   Effective XML (Addison-Wesley, 2003)


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS