IBM Mainframe Discussion List <[email protected]> wrote on 07/20/2007 02:50:03 PM:
> On Fri, 20 Jul 2007 12:03:16 -0400, Jim Mulder <[EMAIL PROTECTED]> wrote: > > > > > The default was changed to ALLOWUSERKEYCSA(NO) in z/OS 1.9. > > > > Wow! I am surprised that the default is being changed so soon when > 90%+ (just a swag) of all shops will have to change it. I'm glad > to see the quick progress. But I'm not so sure that introducing a > new function in one release with one default and then changing the default > in next release is a good thing (yes, I know this has really been there for > a long time). If the OS was ready for it when the official support came > in, the default could have been NO then (same migration action, justearlier). I originally wanted to start right out with a default of NO in 1.8, but Bob Rogers talked me out of it, so I instead settled for stern language in the description of the parameter in Initialization and Tuning Reference. Even there, the writer of the manual (in China) wanted to water down "IBM recommends" to "IBM suggests" (because "IBM Style", whatever that is, discourages the use of "IBM recommends"). I still wanted to move to a default of NO quickly, as the slow progress in eliminating user key CSA convinced me that the sledgehammer approach was required. Hopefully, having to explain to security auditors why use of product X requires overriding IBM's recommendation, default, and HealthChecker will be a sufficiently large sledgehammer. Jim Mulder z/OS System Test IBM Corp. Poughkeepsie, NY ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
