IBM Mainframe Discussion List <IBM-MAIN@BAMA.UA.EDU> wrote on 07/14/2008 02:52:12 PM: > Indeed. Though in fairness, it must be pointed out that not every use > of user key CSA is a security or integrity exposure. Distinguishing > the many cases that are from those that are not is so difficult, > though, that disallowing it by default is certainly the right thing to > do.
The only use I have ever seen that was not an exposure was a VSMLIST testcase which obtained user key CSA, and then verified that VSMLIST correctly described the storage. The reason that it was not an exposure was that the testcase did not actually access the storage. It is, however, very common for product developers to think (erroneously) that their use of user key CSA is not an exposure. Jim Mulder z/OS System Test IBM Corp. Poughkeepsie, NY ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html