
Re: delegation conflict, background

Bill Frantz
> At  4:53 PM 6/28/96 -0700, Kent Crispin wrote:
> >Bill, I sent a letter to Carl about this but didn't send it to the
> >list.  Basically, isn't delegation just another right that can be
> >denied or allowed? That is, I as controller of some permission or
> >resource, can give you a certificate or whatever that 1) allows you
> >access and the right to delegate access, or 2) doesn't allow access
> >but allows delegation, or 3) allows access but not delegation.  #2 is 
> >sort of meaningless, because you could always turn around and grant 
> >yourself a certificate that allowed access.  But the point is that 
> >delegation is just another permission.
> It appears that way (and you are certainly right about #2).  However, there
> are simple ways a user can delegate even a no-delegate certificate.  The
> ones that always work are (1) share the secret key, and (2) build a proxy
> for the resource.
> Putting the right in, and obeying it in the "normal" processes is a simple
> matter of programming.  The problem is that there are ways around it.  If
> one decides to use no-delegate certificates, one must determine if the
> incentive to "cheat" so created is large enough to overcome the usefulness
> of the no-delegate certificate.
> My contention is that we will all be better off if everyone can delegate,
> but the final server can audit who we delegated to (via the public keys in
> the delegation certificates).

Hmm.  I guess I think that the usefulness of the "delegatable" bit, if I may
use the term, should be evaluated on a per service or permission
basis.  There are many realms where I agree, unrestrained delegation
might be meaningful and even useful.  But I suspect there are realms
where unrestrained delegation would simply not be a good idea. 

I am not convinced by your argument that a user can always get around
controls in a certificate by simply acting as someone else's agent. 
In theory I could make a living buying booze for high school students
-- I have the permission, they don't, and I can't delegate my
permission to them.  I can, however, just take their money, extract my
commission, and buy the booze for them.  In practice I would not be
too inclined to do this.  I would be even less inclined if every
transaction I made was recorded in a database somewhere... 

> I know this twists around the normal view, but when you have complete
> control of your machine, you can do things that are much easier to prevent
> when you only have limited facilities in a traditional OS.
> Regards - Bill

Kent Crispin				"No reason to get excited",
kent@songbird.com			the thief he kindly spoke...
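The mechanism argued over above (a delegation certificate carrying a "may
re-delegate" bit, enforced in the "normal" verification path, with the final
server recording the public keys of everyone in the chain) as an added,
self-contained example.  This is not code from the thread or from any SPKI
implementation; the certificate layout, the `Issue`/`VerifyChain` names and
the "read:/reports" permission tag are assumptions made for illustration, and
Ed25519 stands in for whatever signature scheme a real system would use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Cert is a minimal delegation certificate, constructed for this example
// (not an SPKI wire format).  Issuer grants Tag to Subject; Delegate says
// whether Subject may grant it onward.
type Cert struct {
	Issuer   ed25519.PublicKey
	Subject  ed25519.PublicKey
	Tag      string
	Delegate bool
	Sig      []byte // Issuer's signature over the fields above
}

// tbs is the to-be-signed encoding.  Keys are fixed length, so the only
// variable-length field (Tag) can go last without a length prefix.
func (c *Cert) tbs() []byte {
	var b bytes.Buffer
	b.Write(c.Issuer)
	b.Write(c.Subject)
	if c.Delegate {
		b.WriteByte(1)
	} else {
		b.WriteByte(0)
	}
	b.WriteString(c.Tag)
	return b.Bytes()
}

// Issue creates and signs a certificate from issuerPriv to subject.
func Issue(issuerPriv ed25519.PrivateKey, subject ed25519.PublicKey, tag string, delegate bool) *Cert {
	c := &Cert{Issuer: pub(issuerPriv), Subject: subject, Tag: tag, Delegate: delegate}
	c.Sig = ed25519.Sign(issuerPriv, c.tbs())
	return c
}

// VerifyChain is the server-side check.  It walks from the trusted root to
// the requester, enforces signatures, the permission tag and the delegate
// bit on every non-final link, and returns the audit trail: the hex public
// keys of every principal that handled the permission.  It cannot detect
// the two cheats Bill mentions (a shared private key or a proxy); the trail
// is what is left to audit in those cases.
func VerifyChain(root ed25519.PublicKey, chain []*Cert, requester ed25519.PublicKey, tag string) ([]string, error) {
	if len(chain) == 0 {
		return nil, errors.New("empty chain")
	}
	trail := []string{hex.EncodeToString(root)}
	expectedIssuer := root
	for i, c := range chain {
		if !bytes.Equal(c.Issuer, expectedIssuer) {
			return nil, fmt.Errorf("cert %d: issuer is not the previous subject", i)
		}
		if !ed25519.Verify(c.Issuer, c.tbs(), c.Sig) {
			return nil, fmt.Errorf("cert %d: bad signature", i)
		}
		if c.Tag != tag {
			return nil, fmt.Errorf("cert %d: grants %q, not %q", i, c.Tag, tag)
		}
		if i < len(chain)-1 && !c.Delegate {
			return nil, fmt.Errorf("cert %d: subject %s re-delegated without the delegate bit",
				i, hex.EncodeToString(c.Subject)[:8])
		}
		trail = append(trail, hex.EncodeToString(c.Subject))
		expectedIssuer = c.Subject
	}
	if !bytes.Equal(expectedIssuer, requester) {
		return nil, errors.New("chain does not end at the requester")
	}
	return trail, nil
}

// NewKey generates a fresh Ed25519 key pair; pub extracts the public half.
func NewKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

func pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }

// Scenario plays out the thread's case: server -> alice (may delegate) ->
// bob (may not), and then bob tries to pass the permission on to carol.
// It returns bob's audit trail and error, and carol's error.
func Scenario() (bobTrail []string, bobErr error, carolErr error) {
	server, alice, bob, carol := NewKey(), NewKey(), NewKey(), NewKey()
	const tag = "read:/reports" // assumed permission name
	c1 := Issue(server, pub(alice), tag, true)
	c2 := Issue(alice, pub(bob), tag, false)
	c3 := Issue(bob, pub(carol), tag, false) // bob ignores his own no-delegate bit
	bobTrail, bobErr = VerifyChain(pub(server), []*Cert{c1, c2}, pub(bob), tag)
	_, carolErr = VerifyChain(pub(server), []*Cert{c1, c2, c3}, pub(carol), tag)
	return
}

func main() {
	trail, bobErr, carolErr := Scenario()
	fmt.Println("bob:", bobErr, "trail:", trail)
	fmt.Println("carol:", carolErr)
}
```

Bob's chain verifies and the server learns the three keys that handled the
permission; Carol's chain is refused at the link Bob issued.  Flipping the
`Delegate` bit on an already-issued certificate breaks its signature, so the
bit can only be granted by the issuer, which is the "simple matter of
programming" part of the argument.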