I agree. I can see this being added to the checklist for auditors. -----Original Message----- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Paul Gilmartin Sent: Monday, May 05, 2008 9:51 AM To: [email protected] Subject: Re: allowuserkeycsa
On Mon, 5 May 2008 09:05:27 -0500, John P Kalinich wrote: > >Instead of an all inclusive ALLOWUSERKEYCSA=YES, why not something like >ALLOWUSERKEYCSA=(program1,program2,...) for situations where there is no >source code or support. > But the hazard is manifest not when an authorized program obtains storage in a user key, but when an unauthorized program modifies that storage. Perhaps the solution would be to allocate user key CSA only in a subpool that would be segment-protected from modification by programs which are not APF authorized. In the long term, integrity exposures must be covered; no exceptions nor grandfather clauses. -- gil ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
