At 06:50 PM 7/12/96 -0700, Bill Frantz wrote:
Subject: Re: draft of SPKI certificate internet-draft

>Back in the dark ages, it must have been the mid-1980s, I had a discussion
>with someone from the NCSC about the mandatory requirements of the Orange
>Book.  During that discussion I had an epiphany.  This person (and I wish I
>could remember who it was) said, "Oh, we trust the user.  S/he is cleared.
>We just don't trust the software s/he is running not to be a Trojan Horse."
>With that statement I completely understood the reason for the mandatory
>security requirements.

I had the same epiphany.

This *does* explain the MAC requirement -- but it does something more
central for me.

If you negate that trust statement, I don't believe *any* access control
lets you succeed, at least with current computers.  The flaw is not in MAC
or lack of it but rather in the inability of a computer to know anything
about the physical human at the keyboard or the other end of a TCP/IP
connection.  Without MAC, you introduce more openings for violation of
security -- but with MAC you haven't done anything to prevent Alice from
giving her private key to her secretary Bob so that he can sign mail in her
name, access her machine for her, ....

As long as we humans remain concerned about the power to pull the plug on
these computers (generally to remain in total control over them), it is
unlikely the computer will ever be able to strongly verify the DNA of the
human user with each key press and potentially deny service based on those
test results.
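A worked illustration of the trust split the quoted remark describes, added here as an example and not part of this mail or of the SPKI draft: a toy reference monitor that applies discretionary rules alone, then adds Bell-LaPadula style mandatory rules, and shows why the second stops a Trojan run by a cleared user but cannot tell Alice from Bob holding Alice's key. The levels, file names, owners and credential map are all constructed.

```python
# Constructed sensitivity levels and objects (not from the original mail).
UNCLASSIFIED, SECRET = 0, 1

OBJECTS = {
    "alice_secret_memo.txt": {"label": SECRET, "owner": "alice"},
    "alice_public_notes.txt": {"label": UNCLASSIFIED, "owner": "alice"},
}

# Constructed clearance of the (trusted) human.
CLEARANCE = {"alice": SECRET}


def dac_allows(user, obj):
    """Discretionary rule: the owner may read or write their own files."""
    return OBJECTS[obj]["owner"] == user


def mac_allows(level, obj, op):
    """Mandatory rules: no read up (simple security), no write down (*-property)."""
    label = OBJECTS[obj]["label"]
    if op == "read":
        return level >= label
    if op == "write":
        return level <= label
    raise ValueError(f"unknown operation {op!r}")


def run_trojan(user, use_mac):
    """A program running as `user` that reads the secret memo and tries to
    copy it into the unclassified file. Returns True if the leak succeeds."""
    level = CLEARANCE[user]          # the process runs at its user's clearance
    steps = [("read", "alice_secret_memo.txt"),
             ("write", "alice_public_notes.txt")]
    for op, obj in steps:
        if not dac_allows(user, obj):
            return False             # DAC alone would already deny
        if use_mac and not mac_allows(level, obj, op):
            return False             # *-property blocks the write down
    return True


def principal_for(credential):
    """The monitor sees only the credential, never the human presenting it.
    Constructed map: whoever holds Alice's key is, to the system, Alice."""
    return {"alice-private-key": "alice"}.get(credential)
```

Under DAC alone the Trojan succeeds, under MAC the write to the unclassified file is refused, yet `principal_for` returns "alice" no matter who typed the key in, which is the limit the reply is pointing at.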

