All three presented metapolicy concepts stick more or less exactly to the meaning of meta, expressing that metapolicies are policies about policies. Each concept was introduced for solving a special problem or supporting a specific area of interest. This is the result of using policies in very different contexts and for various purposes. As a result of this, each concept is very customised according to the context of the policies investigated.
Although the specification policies about policies implies a huge area of valid metapolicies, some metapolicies may be considered as policy templates. Especially the Policy Description Metapolicy by Hosmer includes much information which can be seen as part of a policy template as described in [Wies 95]. Other information like the Requested Signer may depend on every particular policy. Therefore, specifying this information in a Policy Description Metapolicy for all policies may be not such a good solution. This will ensue many exceptions.
Metapolicies by Hosmer only respect security concerns with organisational aspects necessary to achieve a certain level of security. This includes metapolicies for the automatic processing of security policies, but other aspects have not been investigated.
Making implicit information explicit also helps to clarify things, but Hosmer creates ambiguities with Subpolicy Interaction Metapolicy and Relationship Metapolicy. It is not clear which relationship concerns are described in the one or the other metapolicy type. Furthermore, describing the same aspects redundantly in several independent metapolicies does not help to clarify things. Another example is the expiration date which is specified in three different kinds of metapolicies.
Kühnhauser introduces the Conflict Matrix to be able to take a decision in policy conflicts of policies of different domains. This mechanism does not seem to be adequate for handling conflicts in such a complex scenario. The context during the enforcement of the policies is not considered. This has also to be taken into account as the following scenario makes clear: A policy having a special domain as subject will be enforced in case of two conflicting policies. It is also obvious that the case where several conflicting policies have the same subject (i.e., more policies are in conflict) must be handled differently. A more flexible approach is therefore necessary.
Using analogous arguments it can be shown that the Cooperation Matrix is also not sufficient.
In contrast, metapolicies at the Imperial College are used to specify the conflicts. They are additional constraints applied during the execution of an application. For this reason, the targets are not necessarily policies.
All metapolicy concepts have in common that they are seen in the context of conflicts. It also seems to be clear that fact that using policies for various scenarios and reasons implies additional information and control.
In chapter ![[*]](http://www.nm.informatik.uni-muenchen.de/common/icons/latex2html-97.1/cross_ref_motif.gif){kind=icon}
, the concept of metapolicies is investigated in
more detail, and their context of application is enlarged.