Re: Why identity based authorization is a bad idea.

I wrote:
>I think the applicability of the Confused Deputy is in the example:  
>I, running on machine 1, want to invoke a program on machine 2 and 
>allow it to use a resource I have access to on machine 3.  That 
>program has privileges to write data on machine 4.   If that program 
>builds a certificate list of the combined privileges it has while 
>processing my request {Read/Write as if Bill from machine 3 || Write 
>on machine 4}, and I pass it a URL (or other reference) to machine 4, 
>then I can specify where it is to write on machine 4.
>I agree that this implementation is broken, but it is a common mistake.

Let me suggest how I think we should solve this problem.  For my specific
example, I will assume that the program running on machine 2 is a compiler.

When I call the compiler I create two certificates which say "The holder of
secret key 2 may read source from file foo.source on machine 3" and "The
holder of secret key 2 may write to file foo.output on machine 1".  These
certificates have a limited time of validity.  (Includes are handled
similarly.)  I sign these certificates with secret key 1 and send them,
along with my request, to the program on machine 2.

Assume, for the sake of complexity, that the compiler subcontracts parsing
and code generation to machines 5 and 6 respectively.  It takes my
certificate for foo.source and uses it to make a subcontract certificate
allowing the holder of secret key 5 to read the source.  It sends the
subcontract certificate along with a certificate specifying the location
for the intermediate text to the parser on machine 5.

After performing similar actions to pass the intermediate text and
foo.output to the code generator on machine 6, the compiler uses the
certificate it holds allowing it to write to the accounting file on machine
4 to write an accounting record and signals machine 1 that it is done.

I suspect that this protocol could be optimized to allow one signing to
cover multiple certificates.

Regards - Bill

Bill Frantz       | The CDA means  | Periwinkle  --  Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA
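The delegation chain described in the post, as an added example that is not part of the original message or of any project: key 1 issues a read certificate for foo.source to key 2, key 2 subcontracts it to key 5, and a verifier walks the chain back to the resource owner, rejecting any subcontract that widens the rights, names a different file, or outlives its parent. The key names, the owner table and the use of HMAC as a stand-in for real public-key signatures are constructed assumptions.

```python
import hmac
import hashlib
import json

# Constructed stand-in: "secret key N" is an HMAC key the verifier also holds.
# A real deployment would use asymmetric signatures so only the issuer can sign.
KEYS = {"key1": b"secret-1", "key2": b"secret-2", "key5": b"secret-5"}
# Who may issue a root certificate for each resource (constructed table).
OWNER = {("machine3", "foo.source"): "key1", ("machine1", "foo.output"): "key1"}


def sign(issuer, body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[issuer], payload, hashlib.sha256).hexdigest()


def make_cert(issuer, holder, machine, path, rights, not_after, parent=None):
    """'The holder of <holder> may <rights> <path> on <machine> until <not_after>'."""
    body = {"issuer": issuer, "holder": holder, "machine": machine, "path": path,
            "rights": sorted(rights), "not_after": not_after, "parent": parent}
    return {"body": body, "sig": sign(issuer, body)}


def check(cert, now):
    """Return None if the chain is valid at time `now`, else the first failure."""
    b = cert["body"]
    if not hmac.compare_digest(cert["sig"], sign(b["issuer"], b)):
        return "bad signature"
    if now > b["not_after"]:
        return "expired"
    parent = b["parent"]
    if parent is None:
        # Root link: only the resource's owner may grant access directly.
        return None if OWNER.get((b["machine"], b["path"])) == b["issuer"] else "issuer is not owner"
    p = parent["body"]
    # A subcontract must be attenuated: issued by the parent's holder, for the
    # same resource, with no more rights and no longer validity than the parent.
    if p["holder"] != b["issuer"]:
        return "issuer does not hold parent"
    if (p["machine"], p["path"]) != (b["machine"], b["path"]):
        return "resource differs from parent"
    if not set(b["rights"]) <= set(p["rights"]):
        return "rights exceed parent"
    if b["not_after"] > p["not_after"]:
        return "outlives parent"
    return check(parent, now)


NOW = 1_000_000  # constructed clock value (seconds)
root_cert = make_cert("key1", "key2", "machine3", "foo.source", ["read"], NOW + 600)
sub_cert = make_cert("key2", "key5", "machine3", "foo.source", ["read"], NOW + 300, root_cert)
```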