[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (name,priv) elements

At 01:39 PM 4/25/96 -0400, Bill Sommerfeld wrote:

>   Whatever those ACLs are, they will consist of (name,priv) assignments in
>   some form.  Each of those assignments needs to be signed by someone with the
>   authority to delegate the priv in question.  
>This is only true if the ACL is not co-located with the object(s) it

You might be right.  However, I can think of some counter-examples:

An ACL for a file system could be co-located with it.  However, I might have
root access to the file system but not be granted modify access to the ACL.

An ACL for access into a network would be located on a firewall -- not on
the eventual network machines to which access is being granted.

In some cases, I agree -- that if someone has broken in to modify the ACL
they have a chance to bypass the ACL controls -- but in other cases, that
isn't true.  What worries me is that folks who push (name,key) certs seem to
assume that protection of the ACL is either trivial or unnecessary --
certainly not something to discuss.

Treating ACL elements as certificates [with certification chains, validity
fields, etc.] takes care of this sloppiness.

 - Carl

|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091              Tel: (703) 620-4200                         |