You are viewing ostraya

July 2009   01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
me2

Security policy

Posted on 2009.04.22 at 12:44
I have reached the point in my PhD where I can no longer pretend that I'm not in some small way doing security policy for the web. The problem with reaching this point is that, because this is a PhD, I must now be an EXPERT IN ALL THINGS SECURITY POLICY.

But you know what? I *hate* policy languages. You take this really complex problem, try to simplify it into a policy language, and then you try to generalize to all other problems vaguely within the same sphere... resulting in a policy language which is now a billion times worse than the original very complex problem. And now in order to set policy correctly, you need someone who understands the complex problem and the complex policy language, some of which is likely entirely irrelevant. And some of the time, you can't even ask for help because that would reveal something about your security policy, and we can't have that.

Obviously, I know enough about security policy languages to have formed this opinion. But as you can tell from that mini-rant, I have largely had experience with overly complex policy languages. And now, I need to know about more simple policy languages.

So, anyone want to tell me about how simple and lovely your policy language is? Or even how you have this nice simple subset of policy language that's usable and full of puppy dogs?

Oh yeah, it's going to be a long week.


Comments:


(Anonymous) at 2009-04-22 23:03 (UTC) (Link)
I would like to pet the puppy dogs in said language.

Asad.
Simon Law
sfllaw at 2009-04-23 01:00 (UTC) (Link)
I wonder when a Gödel will show up to ruin security researchers’ lives?
Previous Entry  Next Entry