On Thu, Sep 25, 2008 at 04:12:33PM +0200, Darren Reed wrote:
> Nicolas Williams wrote:
> >Or, better yet, why not replace "policy"/"apply_to" with "blacklist"/
> >"whitelist"?
>
> This is bikeshed'ing...and you've forgotten grey...or is it gray and not grey?

Yes, it is bikeshed painting. I knew that before I posted, but then, when it comes to security UIs, they'd better not be confusing, don't you think? I do, so I thought the comment worth making, even if it contravened ARC etiquette.

> IMHO, I prefer to see relevant policy words that are in common use elsewhere
> in the industry for control words. Nowhere else in [Open]Solaris do we have
> the concept of "white" and "black" (that I'm aware of), so it would seem
> extremely inappropriate to introduce that new concept here.

Perhaps, but those terms ("whitelist" and "blacklist") are widely in use in general. And as for 'allow' being "the most restrictive mode" -- that's confusing! Where else in Solaris do we have an example of such a design?

> >Why do we need 'host'/'subnet' when we have CIDR notation? And if
> >there's no hostnames then we don't need 'if' for interface names either.
>
> I'd rather it be possible to be explicit in nature about the nature of
> what an object is, when it comes to security, so that you are in a
> better position to try and catch simple mistakes.
>
> For example, if someone put in "host:192.168.84.14/24", because they
> did a copy paste from somewhere else, what does that mean? Isn't it
> better to say "ok, they wanted a host, gave me a CIDR so I'll give
> them an error" than to just accept it and try to guess that the user
> wanted a network instead of a host, possibly creating a security
> exposure?

Without the 'host:' part there would be no question of confusion. OTOH, dropping the type is only workable IFF you think you can keep the list elements' syntaxes unambiguously distinct. That's true for IPv4 and IPv6 addresses, and for interface names, but if you want to allow names of other things (e.g., hostnames, network names, ...) then I agree, you need a type specifier. So if your answer is "we have the type specifier for extensibility w/o ambiguity" then I think that's enough.

> >Why not just have '!' notation in apply_to instead of this exceptions
> >property?
>
> Thinking of it in terms of usability, it would seem better (to me), to
> have a list of things you allow and a list of exceptions to that list,
> rather than a combined list that you need to sift through to work out
> what's what.

Not convincing, but then, I don't care much about this.

Nico
--
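The two design points argued above (a type prefix lets the parser reject "host:192.168.84.14/24" instead of guessing, and untyped elements only work while every element syntax stays unambiguous) can be shown concretely. The following is an added illustration written for this page; it is not OpenSolaris or IP Filter code and does not reproduce the real apply_to/exceptions grammar. The interface-name pattern, the hostname-label pattern and the apply_to/exceptions evaluation order are assumptions made for the example.

```python
"""Typed vs. untyped policy-list elements (added example, not OpenSolaris code)."""
import ipaddress
import re

# Assumed shape of a Solaris-style interface name: letters/digits with a trailing
# instance number (bge0, e1000g0). An assumption for this example only.
IFNAME_RE = re.compile(r"^[a-z][a-z0-9]*[0-9]+$")
# Assumed shape of a single hostname label (RFC 1123 style), used only to show
# that hostnames and interface names cannot be told apart by syntax alone.
HOSTLABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def parse_typed(elem):
    """Parse 'host:ADDR', 'subnet:ADDR/LEN' or 'if:NAME'.

    Raises ValueError when the value does not fit the declared type, which is
    the "give them an error" behaviour argued for in the thread.
    """
    kind, sep, value = elem.partition(":")
    if not sep:
        raise ValueError(f"missing type prefix: {elem!r}")
    if kind == "host":
        if "/" in value:
            # Copy-pasted CIDR under host: is rejected, never silently widened.
            raise ValueError(f"host entry carries a prefix length: {elem!r}")
        return ("host", ipaddress.ip_address(value))
    if kind == "subnet":
        if "/" not in value:
            raise ValueError(f"subnet entry lacks a prefix length: {elem!r}")
        # strict=True refuses 192.168.84.14/24 (host bits set) rather than
        # guessing that 192.168.84.0/24 was meant.
        return ("subnet", ipaddress.ip_network(value, strict=True))
    if kind == "if":
        if not IFNAME_RE.match(value):
            raise ValueError(f"not an interface name: {elem!r}")
        return ("if", value)
    raise ValueError(f"unknown element type {kind!r} in {elem!r}")


def is_valid_typed(elem):
    """True if parse_typed accepts the element, False if it raises."""
    try:
        parse_typed(elem)
        return True
    except ValueError:
        return False


def classify_untyped(elem):
    """Return the set of kinds a bare (untyped) element could be.

    One member means the syntax is unambiguous; more than one means a type
    prefix is needed to know what the user meant.
    """
    kinds = set()
    try:
        ipaddress.ip_address(elem)
        kinds.add("host")
    except ValueError:
        pass
    if "/" in elem:
        try:
            ipaddress.ip_network(elem, strict=True)
            kinds.add("subnet")
        except ValueError:
            pass
    if IFNAME_RE.match(elem):
        kinds.add("if")
    if HOSTLABEL_RE.match(elem):
        kinds.add("hostname")
    return kinds


def permitted(addr, apply_to, exceptions):
    """Allow-list plus exception-list evaluation (assumed semantics).

    addr is permitted if some apply_to address entry covers it and no
    exceptions entry covers it. 'if:' entries are ignored here because they
    describe interfaces, not addresses.
    """
    ip = ipaddress.ip_address(addr)

    def covered(entries):
        for kind, val in map(parse_typed, entries):
            if kind == "host" and val == ip:
                return True
            if kind == "subnet" and ip in val:
                return True
        return False

    return covered(apply_to) and not covered(exceptions)
```

With the typed form, "host:192.168.84.14/24" and "subnet:192.168.84.14/24" are both errors, while "subnet:192.168.84.0/24" parses. In the untyped form, "192.168.84.14", "2001:db8::1" and "10.0.0.0/8" each classify as exactly one kind, but "bge0" could be either an interface name or a hostname, which is the ambiguity that forces a type specifier once hostnames are allowed.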