Hi Fred

Only a true security expert can express this concern :-)

I agree that putting private stuff inside a public policy may not be desirable. As I said, I'm not trying to suggest that "private stuff in public policies" is the only true way to go. I just feel it might be handy sometimes to be able to do so. We can put the private stuff into features. I'm not certain it will guarantee that no leakage will occur, though :-) Though it will be the user's responsibility to keep that private info safe, which is better for the runtime :-)

Cheers, Sergey

----- Original Message -----
From: "Fred Dushin" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, September 24, 2007 4:35 PM
Subject: Re: Policies and features (Was : WS-SX)

> Another is information "leakage". I am uncomfortable with putting
> sensitive security information in a service contract (such as a
> private key password), and just trusting the runtime to not publish
> it. How would an auditor be assured this information is not disclosed?
>
> -Fred
>
> On Sep 24, 2007, at 10:43 AM, Glynn, Eoghan wrote:
>
>> Now one advantage of the alternative approach (public stuff in the
>> policy, private stuff in the feature, merge at runtime) is that this is
>> pretty close to what we have right now. We don't enforce the
>> distinction, but for certain policies/features it is possible to follow
>> that pattern.

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
