[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FW: Delegate

"Phillip M. Hallam-Baker" <hallam@ai.mit.edu> writes:

> > Can you come up with more words about how the integer simplifies
> > auditing?  ...or other advantages the integer would have?
>  Basically give the minons less rope to hang you with. If you
> know that you have only permitted delegation to a depth of 3 
> you know that the number of phone calls you have to make is
> limited. If you allow unlimited depth delegation then in an
> audit type situation you could find youself debugging a 
> very very long chain of command.

The only problem with this model is that you don't necessarily know
how long an internal chain-of-command is.  This is similar to IP
subnetting.  For example, from outside MIT (which has net 18), there
is a single "network", so someone from the outside could say "well,
there is only one net-18 subnet, so I delegate with level one".  But
once you get past the router you find many /16 subnets.  Oops!  but
wait, some of those /16 nets get split up even further, into /24 or
even /28 networks!

Similar is true for authority delegation.  From the outside you don't
necessarily know how deep the chain will be.  Unless you have intimate
knowledge of the political base inside the "firewall", you won't
necessarily know how deep the chain will be a priori.  Just look at
the various lengths of manegerial chains within corporations.  My
chain, for example, puts me 5 hops away from the CEO.  But others'
chains are as long as 10 or 11 hops away.

So, how can you ask people to set cert-depths if they don't know how
deep those chains need to be?


Follow-Ups: References: