Re: delegation conflict, background
Bill Frantz
>
> At 4:53 PM 6/28/96 -0700, Kent Crispin wrote:
> >Bill, I sent a letter to Carl about this but didn't send it to the
> >list. Basically, isn't delegation just another right that can be
> >denied or allowed? That is, I as controller of some permission or
> >resource, can give you a certificate or whatever that 1) allows you
> >access and the right to delegate access, or 2) doesn't allow access
> >but allows delegation, or 3) allows access but not delegation. #2 is
> >sort of meaningless, because you could always turn around and grant
> >yourself a certificate that allowed access. But the point is that
> >delegation is just another permission.
>
> It appears that way (and you are certainly right about #2). However, there
> are simple ways a user can delegate even a no-delegate certificate. The
> ones that always work are (1) share the secret key, and (2) build a proxy
> for the resource.
>
> Putting the right in, and obeying it in the "normal" processes is a simple
> matter of programming. The problem is that there are ways around it. If
> one decides to use no-delegate certificates, one must determine if the
> incentive to "cheat" so created is large enough to overcome the usefulness
> of the no-delegate certificate.
>
> My contention is that we will all be better off if everyone can delegate,
> but the final server can audit who we delegated to (via the public keys in
> the delegation certificates).
Hmm. I guess I think that the usefulness of the "delegatable" bit, if I may
use the term, should be evaluated on a per service or permission
basis. There are many realms where I agree, unrestrained delegation
might be meaningful and even useful. But I suspect there are realms
where unrestrained delegation would simply not be a good idea.
I am not convinced by your argument that a user can always get around
controls in a certificate by simply acting as someone else's agent.
In theory I could make a living buying booze for high school students
-- I have the permission, they don't, and I can't delegate my
permission to them. I can, however, just take their money, extract my
commission, and buy the booze for them. In practice I would not be
too inclined to do this. I would be even less inclined if every
transaction I made was recorded in a database somewhere...
> I know this twists around the normal view, but when you have complete
> control of your machine, you can do things that are much easier to prevent
> when you only have limited facilities in a traditional OS.
>
> Regards - Bill
>
--
Kent Crispin "No reason to get excited",
kent@songbird.com the thief he kindly spoke...
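The thread above discusses delegation as "just another permission" carried in a certificate, with a server that audits who delegated to whom via the keys in the chain. The following is an added illustration, not code from the thread or from any SPKI implementation: a toy chain verifier in which each certificate carries a permission set and a delegatable bit, a chain is only honoured when every non-final link is delegatable, permissions narrow by intersection along the chain, and the verifier returns the audit trail of principals it walked. Signatures are stood in for by HMAC tags computed with a per-principal secret (a constructed substitute for real public-key signatures), and the principal names and secrets are constructed sample data.

```python
"""Toy delegation-certificate chain with a 'delegatable' bit and an audit trail.

Added example, not from the mailing-list thread. HMAC tags stand in for
public-key signatures; principals and secrets below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-principal secrets; in a real system each principal would
# hold a private key and the verifier would only need the public keys.
SECRETS = {
    "root": b"root-secret",
    "alice": b"alice-secret",
    "bob": b"bob-secret",
    "carol": b"carol-secret",
}


@dataclass(frozen=True)
class Cert:
    issuer: str          # principal who signed this certificate
    subject: str         # principal receiving the permissions
    perms: frozenset     # permissions granted by this certificate
    delegate: bool       # the "delegatable" bit discussed in the thread
    tag: bytes           # HMAC over the body, keyed by the issuer's secret


def body_bytes(issuer, subject, perms, delegate):
    """Canonical encoding of the signed fields (sorted so it is deterministic)."""
    return f"{issuer}|{subject}|{','.join(sorted(perms))}|{int(delegate)}".encode()


def tag_with(secret, issuer, subject, perms, delegate):
    """HMAC tag over the certificate body using the given secret."""
    return hmac.new(secret, body_bytes(issuer, subject, perms, delegate), hashlib.sha256).digest()


def sign(issuer, subject, perms, delegate):
    """Issue a certificate, tagged with the issuer's own secret."""
    perms = frozenset(perms)
    return Cert(issuer, subject, perms, delegate,
                tag_with(SECRETS[issuer], issuer, subject, perms, delegate))


def verify_chain(root, chain, requester, perm):
    """Check that `requester` holds `perm` via `chain` rooted at `root`.

    Returns (ok, audit): `audit` is the list of principals walked so far,
    which is what a server would log to see who delegated to whom.
    Every intermediate certificate must carry delegate=True; a
    non-delegatable certificate may only be the final link.
    """
    audit = [root]
    if not chain:
        return False, audit
    prev_subject = root
    perms = None
    for i, c in enumerate(chain):
        # Each link must be issued by the previous link's subject.
        if c.issuer != prev_subject:
            return False, audit
        # Tag must verify under the claimed issuer's secret (forgery check).
        expected = tag_with(SECRETS[c.issuer], c.issuer, c.subject, c.perms, c.delegate)
        if not hmac.compare_digest(c.tag, expected):
            return False, audit
        # A delegate can never pass on more than it was given.
        perms = c.perms if perms is None else perms & c.perms
        audit.append(c.subject)
        # Only the last link may be non-delegatable.
        if i < len(chain) - 1 and not c.delegate:
            return False, audit
        prev_subject = c.subject
    return (prev_subject == requester and perm in perms), audit


if __name__ == "__main__":
    c1 = sign("root", "alice", {"read", "write"}, True)
    c2 = sign("alice", "bob", {"read"}, False)
    c3 = sign("bob", "carol", {"read"}, False)
    print(verify_chain("root", [c1, c2], "bob", "read"))        # accepted, audit root->alice->bob
    print(verify_chain("root", [c1, c2, c3], "carol", "read"))  # rejected: bob's cert is not delegatable
    # A certificate bob tags himself while claiming alice as issuer fails the tag check.
    forged = Cert("alice", "bob", frozenset({"read", "write"}), True,
                  tag_with(SECRETS["bob"], "alice", "bob", frozenset({"read", "write"}), True))
    print(verify_chain("root", [c1, forged], "bob", "write"))   # rejected: bad tag
```

The audit trail is the part the thread argues for: even when delegation is allowed freely, the final server sees every principal in the chain, so the check that "bob's certificate is not delegatable" and the record of who vouched for whom come from the same walk over the chain.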