Re: [Gnue-dev] New Architecture Drawing based on Whitepaper.

[Stanley A. Klein]

At 06:51 AM 1/17/2003 -0500, Daniel E Baumann <address@hidden>
wrote:

>
>If the mapping is laid out then you should be able to bypass the
>server altogether if you want. I don't see how this effects
>'assurance', it is a side effect of wanting to be able to develop
>business applications using objects. There is a slight impedance
>mismatch, but there are several ways to go about the mapping. At any
>rate, I will have many here that will and do disagree with me. I just
>have to live with that.


Dan -

Let me explain the importance of the mapping to assurance.  First,
assurance is important if the quality of enforcement of rules in the
application is ever likely to need to be justified to a hard-nosed auditor,
a worried Board of Directors, a regulatory body, a judge, or a security
accreditation board (used in some government agencies).

GNUe itself is not likely to be able to provide the quality of enforcement
(i.e., the assurance) those people are likely to be looking for.  In those
cases, the user will need to be able to depend on the operating system
and/or the database system to provide suitable enforcement.  

The challenge for GNUe is to ensure that it is feasible to gain the
increased level of assurance from the operating system and/or the database,
and to provide appropriate documentation to enable the user to figure out
how to do it.

A part of that feasibility with respect to Appserver is the ability of the
user to know exactly what data items in Appserver correspond to exactly
what data items in the application.  Then the user can set up the operating
system and/or the database to enforce the rules for those items independent
of the controls that GNUe itself provides.  Thus, if the GNUe protections
get bypassed (e.g., by a more knowledgeable or motivated attacker) the
(higher assurance) operating system or database can act to enforce the
protection.  That's what the mapping issue is all about.


Stan Klein