Re: (name,priv) elements
At 01:39 PM 4/25/96 -0400, Bill Sommerfeld wrote:
> Whatever those ACLs are, they will consist of (name,priv) assignments in
> some form. Each of those assignments needs to be signed by someone with the
> authority to delegate the priv in question.
>
>This is only true if the ACL is not co-located with the object(s) it
>protects.

You might be right. However, I can think of some counter-examples:

An ACL for a file system could be co-located with it. However, I might have
root access to the file system but not be granted modify access to the ACL.

An ACL for access into a network would be located on a firewall -- not on
the eventual network machines to which access is being granted.

In some cases, I agree -- that if someone has broken in to modify the ACL
they have a chance to bypass the ACL controls -- but in other cases, that
isn't true. What worries me is that folks who push (name,key) certs seem to
assume that protection of the ACL is either trivial or unnecessary --
certainly not something to discuss.

Treating ACL elements as certificates [with certification chains, validity
fields, etc.] takes care of this sloppiness.

- Carl
+--------------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430 http://www.cybercash.com/ |
|2100 Reston Parkway PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091 Tel: (703) 620-4200 |
+--------------------------------------------------------------------------+
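
An added example, not part of the original message: one way to check (name,priv) ACL elements that are treated as certificates, each signed by a holder entitled to delegate the priv and carrying a validity window. The names `AclCert`, `sign`, `authorized`, the keys, and the `modify-acl` priv are hypothetical, and HMAC-SHA256 stands in for a public-key signature so the code runs with the standard library alone.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed demo keys. HMAC-SHA256 stands in for a public-key signature
# (assumption) so the example runs with the standard library alone.
KEYS = {"owner": b"demo-owner", "alice": b"demo-alice", "mallory": b"demo-mallory"}

@dataclass(frozen=True)
class AclCert:
    issuer: str
    subject: str        # the "name" of the (name,priv) element
    priv: str
    may_delegate: bool
    not_before: int
    not_after: int
    sig: bytes = b""

    def body(self) -> bytes:
        return repr((self.issuer, self.subject, self.priv,
                     self.may_delegate, self.not_before, self.not_after)).encode()

def sign(cert: AclCert) -> AclCert:
    mac = hmac.new(KEYS[cert.issuer], cert.body(), hashlib.sha256).digest()
    return replace(cert, sig=mac)

def authorized(chain, root, subject, priv, now) -> bool:
    """True if chain shows root delegating priv, link by link, down to subject."""
    holder = root
    for i, c in enumerate(chain):
        # The issuer must be the current holder of the priv, not just any signer.
        if c.issuer not in KEYS or c.issuer != holder or c.priv != priv:
            return False
        good = hmac.new(KEYS[c.issuer], c.body(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, c.sig):
            return False                      # element was altered after signing
        if not c.not_before <= now <= c.not_after:
            return False                      # outside the validity field
        if i < len(chain) - 1 and not c.may_delegate:
            return False                      # holder may use but not pass on
        holder = c.subject
    return bool(chain) and holder == subject

# Constructed sample: owner lets alice modify the ACL and delegate; alice passes it to bob.
E1 = sign(AclCert("owner", "alice", "modify-acl", True, 100, 200))
E2 = sign(AclCert("alice", "bob", "modify-acl", False, 100, 200))
```

An element rewritten in place by someone with write access to the store fails the signature check, which is the case the co-location argument leaves open.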