Summary: AuditPolicy audit_needed only returns OK if selector values passed in match All. the values set in policy. Doesn"t have ANY/ALL combinator flexibility of RequiredRights. Too rigid?

resolved, close issue

Summary: Section 6.6.1: Object selector type isn"t something that would be stored in policy. It would be better to have Object as a seperate argument rather than to call it a selector type.

same as issue 360, close

Summary: get_required_rights takes target objref as argument. The set_required_rights takes no such argument. Does spec address the correlation of required_rights to actual targets?

same as issue359, close

Summary: I do not think inheritance has been acounted for properly in the audit operation parameters.

resolved, close issue

Summary: Clarify which interface the RequiredRights apply to in a chain of derived interfaces. I missed that RequiredRights can be changed dynamically

clarify specification

Summary: SecurityContext::reclaim_message uses length of supplied token as IMPLICIT parameterindicating QOP which was applied to the supplied message. Carried differently in SECIOP protocol.

Security RTF 1.5 action 9 in ptc/98-11-02

Summary: get_security_names should be able to return the mutually authenticated "identity" (??) of an object. It should have option indicating whether caller wants all supported security names.

Security RTF 1.5 action 1 in ptc/98-11-02

Summary: Set methods of DAP have ExtensibleFamily and Rightslist arguments. Rights datacontains family values already? Description on p150/151 doesn"t mention rights_family arguments.

resolved, close issue

Summary: e have a SecurityMechandNameList get_security_names(in Object objref);
on SecurityLevel2::Current.

Since we have this capability, we should have a similar way of getting the
mechanisms and options.

Unfortunately, Security::MechandOptions struct only contains options
supported and does not have options required. The only place it is used is
for Vault::get_supported_mechs();

We should probably have another structure to handle the mechs on the
object reference. We will call this the mechanism data as not to confuse
it with MechandOptions struct.

:Current.

Summary: I have a problem discovering the semantics of using
Current.set_credentials(SecInvocationCredentials) as opposed to using an
InvocationCredentials Policy object on Current, or the target object
reference.

I believe we should deprecate set_credentials and get_credentials infavor
of InvocationCredentials and NonRepudiationCredentials Policy Objects.
This mechanism seems more in line with the the way we seem to be
traveling. So it will be consistent with the client invocation policy
model.

Or. we should put an explicit statement ordering the retrieval of
credentials at object reference creation.

1. InvocationCredentailsPolicy object off of Target object reference.
2. InvocationCredentialsPolicy object from the Current.
3. Current.get_credentials()

Close issue 2027: Principal Authenticator and Current

Summary: I think its a formatting problem rather than a type-o. The "Privilege
Attribute (family = 1)" heading looks like it was automagically copied
to the first row of the table when the table cross a page break.

Close issue 2199. Table 15-25 Attribute Values lists family

Summary: On p. 15-140 of security/98-10-01, the description of grant_rights
says the first parameter is Attribute. The first parameter should be
SecAttribute.

Close issue 2170.

Summary: Table 15-7 has the title "Domain Access Policy (with Required Rights
Mapping)". The "(with Required Rights Mapping)" part should be
removed since it doesn"t include the required rights.

Close issue 2169. Table description incorrect

Summary:
The Policy factory operations in SecurityLevel2::Current should be
deprecated and the ORB::create_policy operation should be used for
creating QOPPolicy, MechanismsPolicy, InvocationCredentialsPolicy
instead.

:Current should be

Summary: In 15.7.1.1, p.15-145, very last bullet:
SecureInvocationPolicy::get_delegation_mode should be
DelegationPolicy::get_delegation_mode.

:get_delegation_mode should be