RE: FW: Delegate

At 12:05 PM -0800 12/19/96, Phillip M. Hallam-Baker wrote:
>That is precisely why I would wish as a manager at the top
>of a corporation to stop unbounded delegation. Each link
>in the chain makes it harder to discover what is going on.
>As a security officer I would consider it very important to
>be able to control the number of phone calls required to
>discover what had happened. The depth of the tree has a major
>effect on the search time since each link may potentially
>involve contacting someone who is off sick, on holiday or
>absconded with the money.

Phill - Just remember that when you issue a cert outside your area of
authority (e.g. a different corporation), you lose much of your ability to
avoid people delegating by sharing their secret keys or building proxies.
If you have no way to punish these people, then your "don't delegate" count
becomes a "please don't pass this cert around too far" request.

Because these routes exist where a user who has a cert can unilaterally
delegate it regardless of what the cert says about delegation, it is very
important that the draft not indicate that this feature is providing the
same level of security as the rest of the cert structure provides.

I agree that a security officer may want to limit delegation.  However, the
technology won't let him/her enforce that limit.  The enforcement must be
performed by making it technically inconvenient and by social means.

Bill Frantz       | I still read when I should | Periwinkle -- Consulting
(408)356-8506     | be doing something else.   | 16345 Englewood Ave.
frantz@netcom.com | It's a vice. - R. Heinlein | Los Gatos, CA 95032, USA