[486] in WWW Security List Archive
Re: Barring Bros Was:Re: SLL protocol implementation ?
daemon@ATHENA.MIT.EDU (Vince L. Reed)
Wed Mar 1 14:16:09 1995
Date: Wed, 1 Mar 1995 09:46:34 -0600
To: www-security@ns2.rutgers.edu
From: vreed@mitre.org (Vince L. Reed)
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
>There are many types of integrity models. Actually, I like the
>way the NIST/ECMA TR46 (Software Engineering Frameworks) document
>categorizes "security". They call it "Policy Enforcement" and
>break it into three areas: Confidentiality, Integrity, and Conformance.
>Under each are Mandatory and Discretionary policies.
>
>It would be nice to see the Web community start to deal with "security"
>on a holistic basis. Really need to develop some example business models
>and define the Policy Enforcement attributes. I seem to remember
>Jeff Hostetler (Spyglass) advocating that kind of an idea.
Ken,
I couldn't agree more. The work at NIST and the NCSC on the new Federal
and Common Criteria on integrity does indeed define some MAC and DAC
policy, but it does not go far enough, as I've already commented to these
organizations. In their defense, it is extremely difficult to hypothesize
policy without some insight into potential or example applications. That's
where I think the idea of some business models is right on target.
Vince Reed (Mail Stop ALAB)
The MITRE Corp., Secure Information Technology Dept.
1500 Perimeter Pkwy., Suite 310, Huntsville, AL 35802
Phone-205.890.3323, FAX-205.830.2608