I have reached the point in my PhD where I can no longer pretend that I'm not in some small way doing security policy for the web. The problem with reaching this point is that, because this is a PhD, I must now be an EXPERT IN ALL THINGS SECURITY POLICY.
But you know what? I *hate* policy languages. You take this really complex problem, try to simplify it into a policy language, and then you try to generalize to all other problems vaguely within the same sphere... resulting in a policy language which is now a billion times worse than the original very complex problem. And now in order to set policy correctly, you need someone who understands the complex problem and the complex policy language, some of which is likely entirely irrelevant. And some of the time, you can't even ask for help because that would reveal something about your security policy, and we can't have that.
Obviously, I know enough about security policy languages to have formed this opinion. But as you can tell from that mini-rant, I have largely had experience with overly complex policy languages. And now, I need to know about more simple policy languages.
So, anyone want to tell me about how simple and lovely your policy language is? Or even how you have this nice simple subset of policy language that's usable and full of puppy dogs?
Oh yeah, it's going to be a long week.