Re: [Policy] ACTION-152: Merging NOKIA's input into the policy framework doc

Hi,

> In general I support Laura's proposal, though I think a number of details
> are going to have to be worked out. It makes a lot of sense from the point
> of view of policy management to make the simplifying assumption that trust
> and access policies are orthogonal and can be specified and managed
> separately. But it is certainly the case that trust and access policies do
> tend to get intertwined in practice:
>

I agree with the principle that we should seek to be able to define them
independently in the way that the Nokia model does, so the next step is to
work through these details and see what we find.

There are clearly some simple cases we can deal with. For example, in a
BONDI policy you can have a subject match as a condition in an individual
rule, as well as in the target of a policy. However, you could model an
equivalent policy by putting that rule in its own policy, combined with the
others in the appropriate way, and move the subject match out of the rule
and into the (new) enclosing policy.

The issues of the overlap, precedence, etc. of policy targets (== trust
domains) will be more complex but I think that it will be possible to
establish a mapping for most or all cases.

Thanks - Paddy

Received on Wednesday, 12 May 2010 13:48:15 UTC