Stephen Downes

My limited experience with policy language (and here I assume it's the same thing) was with Amazon's S3 cloud access provisions; to make an S3 'bucket' publicly available (as I do for my images on OLDaily) you have to express this in (what I assume is) an Amazon-specific policy language. In any case, this is certainly my experience: "Policy languages can feel intimidating due to unfamiliar syntax, poor tooling, and the high stakes of getting access control wrong. But once understood, they simplify application logic and make security more reliable and maintainable." I never did hit the 'simplify' part. They just made something that should have been simple unreasonably hard. Anyhow, here is Phil Windley's explanation of why this is so.