On Mon, 5 May 2008 09:51:04 -0500 Paul Gilmartin <[EMAIL PROTECTED]> wrote:
:>On Mon, 5 May 2008 09:05:27 -0500, John P Kalinich wrote:

:>>Instead of an all inclusive ALLOWUSERKEYCSA=YES, why not something like
:>>ALLOWUSERKEYCSA=(program1,program2,...) for situations where there is no
:>>source code or support.

:>But the hazard is manifest not when an authorized program obtains
:>storage in a user key, but when an unauthorized program modifies
:>that storage. Perhaps the solution would be to allocate user key
:>CSA only in a subpool that would be segment-protected from
:>modification by programs which are not APF authorized.

Why would one do that? Non-Key8 CSA need not be fetch protected. This would be
more than overkill.

:>In the long term, integrity exposures must be covered; no
:>exceptions nor grandfather clauses.

--
Binyamin Dissen <[EMAIL PROTECTED]>
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel

Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.

