
Re: delegation conflict, background



At 11:58 PM 6/28/96 -0700, Kent Crispin wrote:
>Hmm.  I guess I think that the usefulness of the "delegatable" bit, if I may
>use the term, should be evaluated on a per service or permission
>basis.  There are many realms where I agree, unrestrained delegation
>might be meaningful and even useful.  But I suspect there are realms
>where unrestrained delegation would simply not be a good idea. 

In cases where users do not have complete control over the system they run,
I might agree with you.


>I am not convinced by your argument that a user can always get around
>controls in a certificate by simply acting as someone else's agent. 
>In theory I could make a living buying booze for high school students
>-- I have the permission, they don't, and I can't delegate my
>permission to them.  I can, however, just take their money, extract my
>commission, and buy the booze for them.  In practice I would not be
>too inclined to do this.  I would be even less inclined if every
>transaction I made was recorded in a database somewhere... 

Since I seem to be a lone voice on this subject, I think anything that SPKI
recommends will give you the controls you want.  However, let's assume for a
moment a certificate you don't want your users to delegate.  Would you
rather have them delegate it under the table, and have to detect the fact,
or have them delegate using standard facilities, and be able to see to
which key they had delegated it?

A slightly more realistic scenario.  Assume Alice gives Bob a certificate
which allows him to FTP a particular file from Alice's server to wherever
his private key resides.  And, of course, she decides not to allow him to
delegate that certificate.  Now let's assume he wants to do some serious
number crunching on the data in that file.  His Mac Si (or PC/386 if you
prefer) doesn't have the horsepower for the crunching, so he arranges to
get some time on the corporate mini-supercomputer.

Now I see Bob has 3 choices:  (1) He can send his private key to the
mini-supercomputer so it can act as him.  This course has a significant
risk of compromising the secret key.  (2) He can FTP the file to his PC
(assuming it will fit) and issue a certificate allowing the
mini-supercomputer to access his copy.  (3) He can beg Alice for a
certificate allowing the mini-supercomputer to access the file.  (But we all
know how responsive sysadmins can be.)

If the certificate allows delegation, Bob delegates it.  Alice sees the
delegation on her audit logs, and either notices that the
mini-supercomputer is in the firewall and ignores the delegation, or calls
Bob into her office and asks him, "What do you think you are doing?"

What Alice may have wanted was, "You can delegate this certificate to any
machine on the corporate campus."  But we have not given her the ability to
say that.

Regards - Bill


-------------------------------------------------------------------------
Bill Frantz       | The Internet may fairly be | Periwinkle -- Consulting
(408)356-8506     | regarded as a never-ending | 16345 Englewood Ave.
frantz@netcom.com | worldwide conversation.    | Los Gatos, CA 95032, USA
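The delegation scenario in the message above, as an added example that is not part of the original post and is not SPKI's own certificate format (SPKI certificates are S-expressions whose principals are public keys): a simplified Python model of a certificate chain walker with the plain "delegatable" bit, plus an assumed `delegate_to` predicate standing in for the "delegate only to machines on the corporate campus" rule that Bill says Alice cannot express. The principal names, the campus set, the permission string and the log format are all constructed for the example; the four scenarios at the bottom are the no-delegation case, unrestricted delegation, and the campus rule with an on-campus and an off-campus target.

```python
"""Simplified model of the delegation question in the post above.

Added example, not SPKI's format: principals are plain strings, and
`delegate_to` is an assumed extension standing in for the "you may
delegate only to machines on the corporate campus" rule.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed principal names (real SPKI principals would be public keys).
ALICE = "key:alice"
BOB = "key:bob"
BOB_PC = "key:bob-pc"
MINI_SUPER = "key:mini-super"    # assumed to be on the corporate campus
OUTSIDE_BOX = "key:outside-box"  # assumed to be off campus

FILE = "ftp:/pub/crunch-me.dat"  # constructed permission string

# Constructed: the set of principals Alice considers "on campus".
CAMPUS = {ALICE, BOB, BOB_PC, MINI_SUPER}


def on_campus(principal: str) -> bool:
    return principal in CAMPUS


@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    permission: str
    delegate: bool                                       # the "delegatable" bit
    delegate_to: Optional[Callable[[str], bool]] = None  # assumed extension


def validate_chain(chain: List[Cert], root: str, requester: str,
                   permission: str, log: List[str]) -> bool:
    """Walk issuer -> subject links from `root` and decide whether `requester`
    ends up holding `permission`.  Every delegation and every rejection is
    appended to `log`, which is what Alice would be reading."""
    holder = root          # who currently holds the permission
    constraints = []       # delegate_to predicates collected along the chain
    for i, cert in enumerate(chain):
        if cert.issuer != holder:
            log.append(f"reject: cert {i} issued by {cert.issuer}, "
                       f"but {holder} holds the permission")
            return False
        if cert.permission != permission:
            log.append(f"reject: cert {i} grants {cert.permission}, "
                       f"not {permission}")
            return False
        if i > 0:
            # This cert is a delegation by `holder`; the cert that gave
            # `holder` the permission must have allowed that.
            if not chain[i - 1].delegate:
                log.append(f"reject: {holder} was not allowed to delegate")
                return False
            # Every delegate_to rule seen so far must accept the new subject.
            if not all(ok(cert.subject) for ok in constraints):
                log.append(f"reject: {holder} tried to delegate to "
                           f"{cert.subject}, outside the allowed set")
                return False
            log.append(f"delegation: {holder} -> {cert.subject} ({permission})")
        if cert.delegate_to is not None:
            constraints.append(cert.delegate_to)
        holder = cert.subject
    if holder != requester:
        log.append(f"reject: chain ends at {holder}, not {requester}")
        return False
    return True


def scenario(delegate: bool, delegate_to, target: str) -> Tuple[bool, List[str]]:
    """Alice -> Bob, then Bob -> target; returns the verdict and Alice's log."""
    log: List[str] = []
    alice_to_bob = Cert(ALICE, BOB, FILE, delegate, delegate_to)
    bob_to_target = Cert(BOB, target, FILE, delegate=False)
    ok = validate_chain([alice_to_bob, bob_to_target], ALICE, target, FILE, log)
    return ok, log


if __name__ == "__main__":
    for label, args in [
        ("no delegation bit", (False, None, MINI_SUPER)),
        ("unrestricted delegation", (True, None, MINI_SUPER)),
        ("campus-only, on-campus target", (True, on_campus, MINI_SUPER)),
        ("campus-only, off-campus target", (True, on_campus, OUTSIDE_BOX)),
    ]:
        ok, log = scenario(*args)
        print(f"{label}: {'granted' if ok else 'refused'}")
        for line in log:
            print("   ", line)
```

The point the model makes concrete is the one in the post: with the bit off, the only thing the log can ever show is a refusal, and Bob's real workaround (shipping his private key to the mini-supercomputer) never touches the log at all; with the bit on, the log names the key Bob delegated to; and with the assumed `delegate_to` rule, Alice can permit the campus machine while still seeing and refusing an off-campus one.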