[Zope3-checkins] SVN: Zope3/trunk/doc/security/SecurityTarget.txt added some security objective rationales

Christian Zagrodnick cz at gocept.com
Mon Apr 18 09:47:51 EDT 2005


Log message for revision 30023:
  added some security objective rationales
  
  I'm not quite sure about them though.. we'll discuss that.
  

Changed:
  U   Zope3/trunk/doc/security/SecurityTarget.txt

-=-
Modified: Zope3/trunk/doc/security/SecurityTarget.txt
===================================================================
--- Zope3/trunk/doc/security/SecurityTarget.txt	2005-04-18 13:47:37 UTC (rev 30022)
+++ Zope3/trunk/doc/security/SecurityTarget.txt	2005-04-18 13:47:51 UTC (rev 30023)
@@ -1259,26 +1259,41 @@
 
 O.IA
     This security objective is necessary to counter the threat T.IA
-    because it requires that users must be accuratly identified and
+    because it requires that users must be accurately identified and
     authenticated or incorporate the anonymous principal.
 
 O.Delegation
     
+    This security objective is necessary to counter the threat T.Perm
+    because a user must only be able to delegate the permissions he
+    is allowed to delegate. It must not be possible for him to gain
+    any extra permissions.
 
+
 O.Audit
+    This security objective is necessary to counter the threat T.AuditFake
+    because it loggs security relevant events and thus supports an 
+    administrator in finding those events.
 
 O.Protect
+    XXX
 
+O.Access
+    This security objective is necessary to counter the threat T.Operation
+    because it prevents performing operations on an object without haveing the
+    correct permission.
+
+
 Table: Mapping of Threats to Security Objectives
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
                     T.IA    T.Perm  T.Operation T.AuditFake T.Import    T.RIP T.Transaction T.Undo    T.USB T.Timestamps    T.Trustedpath   T.Host
 
     O.IA            X
-    O.Delegation
-    O.Audit
+    O.Delegation             X
+    O.Audit                                          X                                    
     O.Protect                                           
-    O.Access
+    O.Access                        X
     O.Integrity
     O.Attributes
     O.ManageRisk
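
Review bot: The O.Protect rationale is committed as a bare "XXX" and its row in the mapping table stays empty, so that objective is still not traced to any threat; either write the rationale or name the threat it is expected to counter before this lands in the Security Target. In the O.Audit paragraph, "loggs" should be "logs", and the text only says that logging helps an administrator find events; it should state how that counters T.AuditFake specifically. In the O.Access paragraph, "haveing" should be "having". The O.Delegation rationale is placed after an empty indented line, unlike the other entries, and the added O.Audit lines (rationale and table row) carry trailing whitespace. After this change the table still shows no X in the columns from T.Import through T.Host and no entries in the rows O.Integrity, O.Attributes and O.ManageRisk, so the threat-to-objective mapping remains incomplete.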


