
Re: photuris-06.txt



Catching up on IP Sec,

> From: "Theodore Ts'o" <tytso@MIT.EDU>
> Thus, using the term "Multi-Level Secure" in your document is extremely
> confusing, because this is not what is meant.

Actually, it means what it says.  I don't consider Unix, based on its
history, a secure multi-user operating system, and wanted to limit the
debate to systems with well-defined security using well-defined
terminology.  Waste of time arguing about how to partially secure
insecure operating systems.


> What you call "plain-old multi-user operating systems", by which I would
> assume you mean systems like Windows NT and ITS, I would merely call them
> "single-user operating systems", or "insecure multi-user operating
> systems".
>
Fine.  I will change the wording to "secure multi-user operating systems
with mandatory access controls".


> Any secure multi-user system worth its salt must be able to protect its
> resources from hostile users, and protect one hostile user from being
> able to damage the resources controlled by another hostile user.
>
Have incorporated your text with Karn's as follows:

    Internet Security protects against threats that come from the
    external network, not from mutually hostile users of the nodes
    themselves. Any secure multi-user operating system MUST be able to
    protect its resources from hostile users, and protect one hostile
    user from damaging the resources controlled by another hostile user.

And in Notes:

    Successful use of user-oriented keying requires a significant level
    of operating system support. If the operating system itself is not
    secure, or there are no "levels" of security (that is, all users are
    authorized to the same access control or the access control is not
    mandatory), then there is no basis for separate user-oriented
    keying.

    Use of multi-user segregated exchanges likely requires added
    functionality in the transport API of the implementation operating
    system. Such a mechanism is outside the scope of this document.


> At the heart of this, I think we have a terminology problem; we can come
> up with different terms, but we really should avoid the use of
> Multi-Level Secure systems unless we mean a system which enforces
> non-discretionary access control.  There's no point in bucking 3 decades
> worth of usage.....
>
Wasn't trying to do that.  It is Sommerfeld who didn't like the fact
that it was inapplicable to his insecure operating system.

Bill.Simpson@um.cc.umich.edu
          Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
