[Zope3-dev] Certification: Supporting "Residual Information Protection" in Zope 3

Jim Fulton jim at zope.com
Fri Dec 16 08:02:39 EST 2005


Christian Theune wrote:
> Hi,
> 
> Am Freitag, den 16.12.2005, 07:49 -0500 schrieb Jim Fulton:
> 
>>Christian Theune wrote:
>>
>>>I think if we can guarantee never to reuse a user id, provide a tool for
>>>doing RIP and we do not provide undo we are fine.
>>
>>Only if we manage the user ids.  We often get principal ids from outside
>>sources.  In fact, we usually do this in production.  In the case when
>>we're using an external principal soure, we also don't autmatically
>>know when the principal is removed.
>>
>>Also, current principal-management facilities in Zope 3 allow managers to
>>pick ids.  We probably would need to curtail this or at least prevent
>>reuse.
>>
>>It's probably not wise to rely on this.
> 
> 
> That sounds like for a usable certified system RIP might be out of
> scope? Hmm. Hope not.

There could be a UI for removing principal grants that a manager
could use to remove grants after a principal has been removed
externally.

>>Right. The security policy is part of the authorization system.
>>The authorization system, or at least a CC-complient authorization
>>system should probably grow a principal-removal API.
> 
> 
> Well. If that would be an authorization system that would not be helpful
> in everyday business, then growing one only for CC would be beside the
> point of the certification to assure people that the system they use on
> a daily basis matches their security expectations.

I'm not conviced that this is an every-day requirement.

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org


More information about the Zope3-dev mailing list