
RE: [Theodore Y. Ts'o: Re: Daemon Recovery]
> ----------
> From: 	Ran Atkinson[SMTP:rja@inet.org]
> Sent: 	Friday, September 19, 1997 6:24 PM
> To: 	ipsec@tis.com
> Subject: 	Re: [Theodore Y. Ts'o: Re: Daemon Recovery] 
> 
> 
> 
> > You bring up a good point; in the case of user-based keying, life
> > becomes much more difficult.   I think most folks were assuming that
> > the keys in use were host (TCB) based, not user-based --- or at the
> > very least, unprivileged users would not have access to the keying
> > material.
> 
> Unprivileged users ought not have access to keying material.  This
> ought to be noted very specifically somewhere in {ARCH, ESP/AH}.
> Vaguely I think that this once lived in the Security Considerations
> text of the current RFCs, but I haven't verified that just now.
> Unfortunately, Windows/DOS/MacOS do not have the concept of an
> unprivileged user [Sommerfeld].
> 
It is most important that unprivileged users don't have access to other
users' keying material -- on the above systems, which are single user,
that's still true.

Perhaps also worth noting is that with host-based keying, the identity
being trusted (in the absence of tamper-proof hardware) is the
administrator -- which in the case of the above operating systems, is
also the user. I.e., on those systems, nothing prevents the user from
moving the host's key to another host.

Finally, Windows NT does have a notion of unprivileged user (which I
mention solely because the reference to "Windows" above is potentially
ambiguous).

Paul