> > Two areas that don't seem to immediately lend themselves to design/spec
> > level solutions are (1) transitive trust and (2) interaction errors
> > between multiple components that are all working correctly. I'd love to
> > hear from people who've had to solve these problems in the real world.
> > Based on what I see in CVE, it seems that the answer for item 2 is usually
> > for one component to choose to conform to another's expectations, and that
> > conforming component isn't always the one that "should" be changed.
Those are both definitely apparent at design time. Paraphrasing Bob Blakley, applications are built on composition, but most security protocols are point to point and don't compose. So anyone who bothers to look at the end to end application will see massive gaps in the security protocols. The "fix" is likely a decision between a sts/federation/proxy pattern, and a way to link policy to mechanism. WS-SecurityPolicy provides one such way to specify the policy side.

-gunnar

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
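An added illustration of the composition gap Gunnar describes, not code from this thread or its author: a point-to-point bearer token scoped to one service is rejected when the front end simply forwards it to the next hop, while an STS-style exchange issues a new token for that hop and records the delegation chain. The HMAC-signed JSON token format, the `act` claim, and the service names svcA/svcB are constructed for the example.

```python
# Constructed demo of "point-to-point protocols don't compose" and the STS fix.
import base64
import hashlib
import hmac
import json
from typing import Optional

KEY = b"constructed-demo-key"  # constructed; a real STS uses per-issuer keys


def _sign(claims: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify(token: str, expected_aud: str) -> Optional[dict]:
    """Point-to-point check: signature must be valid AND audience must be this service."""
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims.get("aud") == expected_aud else None


def issue(subject: str, aud: str, actor_chain=()) -> str:
    """Mint a token for one hop; 'act' records who delegated along the way."""
    return _sign({"sub": subject, "aud": aud, "act": list(actor_chain)})


def sts_exchange(incoming: str, caller: str, target_aud: str) -> Optional[str]:
    """STS pattern: the caller presents the token it legitimately received and
    gets back a new token scoped to the next hop, with the delegation recorded."""
    claims = verify(incoming, expected_aud=caller)
    if claims is None:
        return None
    return issue(claims["sub"], target_aud, actor_chain=claims["act"] + [caller])


def naive_forward(user_token: str) -> Optional[dict]:
    # Front end svcA forwards the user's token unchanged to back end svcB.
    # Each hop is individually correct, yet the end-to-end call fails.
    return verify(user_token, expected_aud="svcB")


def delegated_call(user_token: str) -> Optional[dict]:
    # svcA exchanges the token at the STS before calling svcB.
    delegated = sts_exchange(user_token, caller="svcA", target_aud="svcB")
    return None if delegated is None else verify(delegated, expected_aud="svcB")
```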