
Re: "user" and "network layer" security mechanisms.



> And what do you do with third party streams multiplexers and/or SMP?
> Trying to carry around extra credentials, either as an extension to the
> credentials packet or as a separate structure pointed to by the credentials
> packet falls apart in this scenario, I do think.

I plead ignorance to the fine implementation details of STREAMS --
there may well need to be an API bump to pass the SA information
through.

At the worst case, third-party STREAMS modules would lose SA info (and
thus wouldn't be able to play nice with user-oriented keying) until
they had been tweaked for the new regime.

> As for using the credentials which were effective at open time, this is
> fine for standard Unix security policies, but as soon as you attempt to
> deal with the more common current threats such as viruses, administrative
> threats, internet access to systems with organizational confidential data,
> then those policies are woefully insufficient, and some current credentials
> are necessary.

Probably correct, but completely irrelevant to the discussion; the
distributed filesystem client can use the ambient credentials as well
as the open-time creds to choose the SA to use if it really is
relevant.

						- Bill

