Why identity based authorization is a bad idea.
At 1:09 PM 4/10/96 -0400, Mark S Feldman wrote:
>By removing certificates and the associated identification from the
>model, you place much more responsibility out of band on both the user
>and supplier of services. In the end, most services require a mapping
>between a privilege and the user to whom that privilege is granted.
>Stripping such information out using your "tickets" means that the
>same information must be inserted and maintained elsewhere.
There are a number of problems with blanket authorizations based on the
identity of a person or another object. The most obvious one is that it
allows Trojan horses. A Trojan horse program is nothing more than a
program that abuses the authority of its caller.
Viruses propagate because they misuse the user's authority to write in
areas of the disk (e.g. the boot blocks or the /bin directory).
A considerably more complex problem is what Norm Hardy called the Confused
Deputy problem. See:
http://www.cis.upenn.edu/~shap/KeyKOS/ConfusedDeputy.html
User identification is properly used to give the user access to the initial
set of capabilities. (Although in modern systems, you might substitute
physical possession of a private key. I like a system based both on
possession and secret knowledge -- a password.) When a user is providing
authority to a program, particularly an untrusted program, that authority
should be as circumscribed as possible. (And, I might add, most programs
should be untrusted.)
For other information, see:
http://www.cis.upenn.edu/~shap/KeyKOS/Confinement.html
http://www.cis.upenn.edu/~shap/KeyKOS/Security.html
http://www.cis.upenn.edu/~shap/KeyKOS/Wells.html
Regards - Bill
------------------------------------------------------------------------
Bill Frantz | The CDA means | Periwinkle -- Computer Consulting
(408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA
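Editor's added example, not part of Bill's message or the KeyKOS material he links: a small Python model of the two designs he contrasts. A "deputy" service writes output files on behalf of callers. In the identity-based version it writes as itself, so a caller can steer the deputy's own authority at a file only the deputy may touch (the confused deputy). In the capability version the caller hands over an already-minted write capability and the deputy can write only through the capabilities it holds, which is the "as circumscribed as possible" authority the message argues for. The toy filesystem, the principals `alice` and `deputy`, and the paths are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class FileSystem:
    """Constructed toy filesystem: path -> (owner, contents).
    Models identity-based access control: the writing principal must own the file.
    Ambient authority is modelled by letting any code in a process call write()
    naming that process's identity."""
    files: dict = field(default_factory=dict)

    def write(self, principal, path, data):
        owner, _ = self.files.get(path, (principal, b""))
        if owner != principal:
            raise PermissionError(f"{principal} may not write {path}")
        self.files[path] = (owner, data)

    def read(self, path):
        return self.files[path][1]


class AmbientDeputy:
    """Identity-based design: the deputy writes every file as itself, so a
    caller's request is carried out with the deputy's full authority."""

    def __init__(self, fs, name="deputy"):
        self.fs, self.name = fs, name
        self.fs.files["/deputy/audit.log"] = (name, b"")

    def run_job(self, caller, out_path, payload):
        # The caller only names a path; the deputy never checks whether the
        # caller could have written it, it just uses its own identity.
        self.fs.write(self.name, out_path, payload)
        entry = f"{caller} -> {out_path}\n".encode()
        self.fs.write(self.name, "/deputy/audit.log",
                      self.fs.read("/deputy/audit.log") + entry)


class WriteCap:
    """Write capability: minting performs the ownership check once, in the
    minter's identity; afterwards whoever holds the object may write that
    one path and nothing else."""

    def __init__(self, fs, principal, path):
        existing = fs.files.get(path, (principal, b""))[1]
        fs.write(principal, path, existing)   # raises if principal does not own path
        self.path = path
        self._fs, self._owner = fs, principal

    def write(self, data):
        self._fs.write(self._owner, self.path, data)


class CapabilityDeputy:
    """Capability design: the deputy holds only its own audit-log capability
    plus whatever output capability each caller passes in."""

    def __init__(self, fs, name="deputy"):
        self.fs = fs
        self.audit = WriteCap(fs, name, "/deputy/audit.log")

    def run_job(self, caller, out_cap, payload):
        out_cap.write(payload)                      # can only reach the caller's file
        entry = f"{caller} -> {out_cap.path}\n".encode()
        self.audit.write(self.fs.read("/deputy/audit.log") + entry)


def demo_ambient():
    """Confused deputy: alice names the deputy's own audit log as her output
    file and the deputy clobbers it with its own authority. Returns the log."""
    fs = FileSystem()
    deputy = AmbientDeputy(fs)
    deputy.run_job("alice", "/deputy/audit.log", b"overwritten")
    return fs.read("/deputy/audit.log")


def demo_capability():
    """Same request under capabilities: alice cannot mint a capability for the
    deputy's log, and the deputy only writes through the capability she gives
    it. Returns (forged_cap_obtained, output_contents, audit_log)."""
    fs = FileSystem()
    deputy = CapabilityDeputy(fs)
    try:
        WriteCap(fs, "alice", "/deputy/audit.log")
        forged = True
    except PermissionError:
        forged = False
    cap = WriteCap(fs, "alice", "/home/alice/out.txt")
    deputy.run_job("alice", cap, b"payload")
    return forged, fs.read("/home/alice/out.txt"), fs.read("/deputy/audit.log")


if __name__ == "__main__":
    print("ambient audit log:", demo_ambient())
    print("capability result:", demo_capability())
```

The same circumscription covers the Trojan horse case in the message: a malicious program given only `cap` has nothing else to misuse, whereas under ambient authority it inherits everything its caller may do.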