
Why identity based authorization is a bad idea.

At 1:09 PM 4/10/96 -0400, Mark S Feldman wrote:

>By removing certificates and the associated identification from the
>model, you place much more responsibility out of band on both the user
>and supplier of services.  In the end, most services require a mapping
>between a privilege and the user to whom that privilege is granted.
>Stripping such information out using your "tickets" means that the
>same information must be inserted and maintained elsewhere.  

There are a number of problems with blanket authorizations based on the
identity of a person or another object.  The most obvious one is that it
allows Trojan horses.  A Trojan horse program is nothing more than a
program that abuses the authority of its caller.

Viruses propagate because they misuse the user's authority to write in
areas of the disk (e.g. the boot blocks or the /bin directory).

A considerably more complex problem is what Norm Hardy called the Confused
Deputy problem.  See:


User identification is properly used to give the user access to the initial
set of capabilities.  (Although in modern systems, you might substitute
physical possession of a private key.  I like a system based both on
possession and secret knowledge -- a password.)  When a user is providing
authority to a program, particularly an untrusted program, that authority
should be as circumscribed as possible.  (And, I might add, most programs
should be untrusted.)

For other information, see:

Regards - Bill

Bill Frantz       | The CDA means  | Periwinkle  --  Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA
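The two failure modes Bill names, a program abusing its caller's authority and the confused deputy, both come from checking access against *who is running* rather than against an explicit grant handed to the program. The following is an added illustration, not code from the original message: a constructed in-memory "file system", a deputy (a compiler that must append a charge to a billing log and then write its output wherever the caller asks), and the same deputy twice, once checked by an ACL keyed on the deputy's identity and once given only capabilities. All names (`ACL`, `WriteCap`, `compile_with_acl`, `compile_with_caps`, the paths and the user "alice") are assumptions made for the example.

```python
"""Identity-based (ambient) authority vs. capability passing, side by side.

Constructed example: an in-memory dict stands in for the file system and
"alice" is a hypothetical user who asks the compiler to write its output
to a path of her choosing.
"""
from dataclasses import dataclass, field

Files = dict[str, str]  # path -> contents

# --- Identity-based model --------------------------------------------------
# Permission to write a path is granted to *identities*.  The compiler service
# must be allowed to append to billing.log, so "compiler" is on that ACL.
ACL = {
    "billing.log": {"compiler"},
    "out/user.bin": {"compiler", "alice"},
}

def acl_write(files: Files, principal: str, path: str, data: str) -> bool:
    """Allowed iff the acting principal is on the path's ACL."""
    if principal not in ACL.get(path, set()):
        return False
    files[path] = files.get(path, "") + data
    return True

def compile_with_acl(files: Files, source: str, output_path: str) -> bool:
    """The deputy.  It runs as "compiler" and writes wherever the caller names.
    The check is against the deputy's own identity, so a caller who names
    "billing.log" gets the deputy to clobber it: the confused deputy."""
    acl_write(files, "compiler", "billing.log", "charge alice 1 unit\n")
    return acl_write(files, "compiler", output_path, f"compiled({source})")

# --- Capability model ------------------------------------------------------
@dataclass(frozen=True)
class WriteCap:
    """Designates one path; holding the object *is* the permission to write it.
    In a real capability system the token is unforgeable; here the example
    relies on only handing each party the caps it was granted."""
    files: Files = field(repr=False, compare=False)
    path: str

    def write(self, data: str) -> None:
        self.files[self.path] = self.files.get(self.path, "") + data

def compile_with_caps(billing: WriteCap, output: WriteCap, source: str) -> None:
    """The deputy holds exactly the two caps it needs.  It cannot name any
    other path, so the caller's request can only reach files the caller
    could already write."""
    billing.write("charge alice 1 unit\n")
    output.write(f"compiled({source})")

# --- Scenarios --------------------------------------------------------------
def scenario_acl(requested_path: str) -> Files:
    """Alice asks the compiler to put its output at requested_path."""
    files: Files = {"billing.log": ""}
    compile_with_acl(files, "prog.c", requested_path)
    return files

def scenario_caps(requested_path: str) -> tuple[bool, Files]:
    """Same request, but alice can only pass a cap she actually holds."""
    files: Files = {"billing.log": ""}
    compiler_billing_cap = WriteCap(files, "billing.log")          # compiler's own
    alice_caps = {"out/user.bin": WriteCap(files, "out/user.bin")}  # alice's grant
    cap = alice_caps.get(requested_path)
    if cap is None:
        return False, files  # no cap, so the deputy is never even invoked
    compile_with_caps(compiler_billing_cap, cap, "prog.c")
    return True, files

if __name__ == "__main__":
    print("ACL, output to billing.log:", scenario_acl("billing.log"))
    print("caps, output to billing.log:", scenario_caps("billing.log"))
    print("caps, output to out/user.bin:", scenario_caps("out/user.bin"))
```

In the identity-based run the billing log ends up holding compiler output, because the only question asked was "may the compiler write here?" and the answer is yes. In the capability run the deputy never sees a path at all, only the write authority the caller was able to hand over, which is the "as circumscribed as possible" grant the message argues for; a Trojan horse run by alice is limited the same way, since it receives her caps one at a time instead of inheriting everything her identity can reach.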