[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft of SPKI certificate internet-draft

To: "Brian M. Thomas" <bt0008@entropy.sbc.com>, bthomas@cdmnet.com, cme@cybercash.com
Subject: Re: draft of SPKI certificate internet-draft
From: frantz@netcom.com (Bill Frantz)
Date: Fri, 12 Jul 1996 18:50:19 -0700
Cc: spki@c2.org

At  4:37 PM 7/12/96 -0500, Brian M. Thomas wrote:
>> >> >Also, should the MAY-DELEGATE default be * instead of 0?  I'll just
>>suggest
>> >> >the change and then shut up :-).
>> >> 
>> >> :)  Of course, I believe it needs to be 0 :)
>> 
>> I think it has to be 0 by the principle of Least Privilege, applied loosely.
>> That is, the simplest thing to make should be the thing with the least
>> privilege.
>
>My point was that there is a difference between the default composition
>of a cert and the  value an unspecified field, which would affect
>performance, though negligibly.
>
>The real question is why Bill felt that * should be the default.

Truth in advertising.  We can deliver cryptographic security for the case
of full delegation.  If people realize when they provide access to some
principal (represented by a public/private key pair), that they are letting
that principal determine further access, then they have a clear idea of the
limits of the security system they are using.

If, on the other hand, we let them believe that when they give Alice access
with a NO-DELEGATE attribute, they are preventing Alice, or more likely a
Trojan horse running with Alice's authority, from providing the service to
Bob, then we are selling them security snake oil.

Back in the dark ages, it must have been the mid-1980s, I had a discussion
with someone from the NCSC about the mandatory requirements of the Orange
Book.  During that discussion I had an epiphany.  This person (and I wish I
could remember who it was) said, "Oh, we trust the user.  S/he is cleared. 
We just don't trust the software s/he is running not to be a Trojan Horse."
 With that statement I completely understood the reason for the mandatory
security requirements.  Unfortunately, enforcement of the NO-DELEGATE
attribute requires mandatory security features.  (i.e. A third party is
controlling information transfer between two principals.)  While I think it
may be  possible to enforce mandatory security in the Internet environment,
I haven't thought through the details.  (And I would like to find a client
to charge for the effort :-). )

-------------------------------------------------------------------------
Bill Frantz       | The Internet may fairly be | Periwinkle -- Consulting
(408)356-8506     | regarded as a never-ending | 16345 Englewood Ave.
frantz@netcom.com | worldwide conversation.    | Los Gatos, CA 95032, USA

Prev by Date: Re: *-CERT:
Next by Date: Re: *-CERT:
Prev by thread: Re: draft of SPKI certificate internet-draft
Next by thread: SIGNATURE in spki-960705.txt
Index(es):
- Main
- Thread