
naming and terminology

Folks,

	As co-chair, my understanding of consensus is roughly what Ted
Ts'o described -- namely the "mutually suspicious users" problem is
one that MUST be addressed in pass 1.  I do NOT think this is hard to
do -- if one simply supports PGP keys (which name users not systems)
in Photuris and has the ability to pass the name string between the
two parties to the Photuris exchange the basic requirement is met.  I
believe there is consensus that support for this MUST be implemented
on multi-user systems.  Bill and Phil, you should take this as WG
chair direction to edit your document accordingly so that the document
conforms with WG consensus.

	Secondly, Bill Simpson is flat out wrong in the way he is
using "mandatory access control", "multi-level secure", and similar
terms.  The revised note from Ted Ts'o is correct in use of language.
Phrasing such as "multi-user systems having discretionary access
controls" is OK and technically correct.  Phrasing such as "secure
multi-user systems" or "multi-level secure multi-user systems" or "MLS
systems" is not correct.  Bill Simpson has telephoned me to talk about
this recently.  Perhaps I've educated him on this matter of language
(not sure), but I'm not sure.  Again, the chair directs that the language
of the draft conform to standard usage in this area and that we defer
the MLS cases for the base draft for the present.  Having MLS things
in the extensions draft is fine and reasonable for the present.

	Phil is being reasonable in trying to avoid MLS-specific
issues at the moment.  I disagree strongly with Phil that the
commercial sector doesn't care about the "mutually suspicious users"
problem on their mainstream OSs (e.g. VMS, UNIX, MPE).  The "mutually
suspicious users" problem is COMMON in the commercial sector.  It was
absolutely an issue when I worked in commercial real-time controls for
a GE subsidiary in the past, to give a concrete example.  Bob
Moskowitz has kindly provided another example of real systems having
mutually suspicious users.  This is really a COMMERCIAL problem, not a
military unique problem and needs to be addressed on the first pass.

Ran
rja@cs.nrl.navy.mil

PS 1:		For those of you who aren't familiar with the
conventional language in the computer security/network security world,
here are some simplified term definitions (better definitions are
available elsewhere):

Multi-level Secure (MLS):	Describes a system (e.g. computer, router)
			that is trusted to keep users and objects at
			different sensitivity levels (e.g. Unclassified,
			Secret) separate where it is believed the system
			is not subvertible by any unprivileged process or 
			user.  These are typically used in military
			environments.

Discretionary Access Controls (DAC):	Access controls on an object 
			(e.g. file) that are at the discretion of the owner
			of that object (e.g. file).  This includes MOST
			commercial operating systems. DOS and Windows
			and MacOS are examples of systems that lack
			DAC.

Mandatory Access Controls:	Access controls on an object that are NOT
			at the discretion of the owner of that object.
			For example, on an MLS system no user can give
			an "unclassified" user access to a "Top Secret" file,
			even if the user owns the file in question. 


PS2:	Each of the IPsec chairs is (separately and purely by coincidence) 
	in the process of changing jobs just now.  This means that our 
	electronic presence is not entirely dependable temporarily.  New 
	email addresses will be posted to the list once we have them working.
	Mail to the old email addresses might or might not work.
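The DAC versus MAC distinction drawn in PS 1 above, as an added example that is not part of the original message: a small Python model in which a file owner's discretionary grant is honoured by the DAC check but cannot override the mandatory level check, so an "Unclassified" user still cannot read a "Top Secret" file. The users, levels and file name are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sensitivity ordering for the example (higher number dominates).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str          # MAC label assigned to the user, not chosen by the user


@dataclass
class Obj:
    name: str
    owner: str
    classification: str     # MAC label on the object, not changeable by the owner here
    acl: set = field(default_factory=set)   # DAC: readers the owner chose to grant


def dac_grant(obj: Obj, granter: str, grantee: str) -> bool:
    """DAC: only the owner may extend the object's ACL; anyone else is refused."""
    if granter != obj.owner:
        return False
    obj.acl.add(grantee)
    return True


def dac_read_allowed(obj: Obj, subject: Subject) -> bool:
    """DAC check: owner, or anyone the owner put on the ACL."""
    return subject.name == obj.owner or subject.name in obj.acl


def mac_read_allowed(obj: Obj, subject: Subject) -> bool:
    """MAC check (no read-up): the reader's clearance must dominate the label."""
    return LEVELS[subject.clearance] >= LEVELS[obj.classification]


def read_allowed(obj: Obj, subject: Subject) -> bool:
    """On an MLS system both checks apply; the owner's discretion cannot relax MAC."""
    return dac_read_allowed(obj, subject) and mac_read_allowed(obj, subject)


def demo() -> tuple:
    """Owner grants an Unclassified user access to a Top Secret file; MAC still denies."""
    alice = Subject("alice", "Top Secret")
    bob = Subject("bob", "Unclassified")
    plan = Obj("plan.txt", owner="alice", classification="Top Secret")
    granted = dac_grant(plan, "alice", "bob")
    return granted, dac_read_allowed(plan, bob), mac_read_allowed(plan, bob), read_allowed(plan, bob)
```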
