
Re: epiphany

At  1:08 PM 7/13/96 -0400, Carl Ellison wrote:
>At 06:50 PM 7/12/96 -0700, Bill Frantz wrote:
>>Subject: Re: draft of SPKI certificate internet-draft
>>Back in the dark ages, it must have been the mid-1980s, I had a discussion
>>with someone from the NCSC about the mandatory requirements of the Orange
>>Book.  During that discussion I had an epiphany.  This person (and I wish I
>>could remember who it was) said, "Oh, we trust the user.  S/he is cleared. 
>>We just don't trust the software s/he is running not to be a Trojan Horse."
>>With that statement I completely understood the reason for the mandatory
>>security requirements.
>I had the same epiphany.
>This *does* explain the MAC requirement -- but it does something more
>central for me.
>If you negate that trust statement, I don't believe *any* access control
>lets you succeed, at least with current computers.  The flaw is not in MAC
>or lack of it but rather in the inability of a computer to know anything
>about the physical human at the keyboard or the other end of a TCP/IP
>connection.  Without MAC, you introduce more openings for violation of
>security -- but with MAC you haven't done anything to prevent Alice from
>giving her private key to her secretary Bob so that he can sign mail in her
>name, access her machine for her, ....

The important thing this epiphany did for me was indicate that it was not
technology's job to police the humans.  There were other, human centered,
systems which performed that function.  Technology's job was to police the
computer programs.  (Technology also has a role in helping programs
authenticate humans with things such as passwords, SecureID, and those
little "calculators" the NCSC sent to their users.)

As to Alice and Bob above*, if such delegation is permitted by the
policies, then Alice generates a delegation certificate for Bob and Bob
uses it to be "Bob acting for Alice".  If it is not permitted by the
policy, then Alice either (1) gets the policy changed, (2) does her own
work, or (3) cheats and if she gets caught gets fired.  But the techniques
to detect (3) are not entirely technology based, although they may use
technological features such as audit trails.

* An interesting similar situation is the nuclear war codes which always
accompany the President.  How do we ensure that it is the President that
actually gave the order to release them, and not some aide acting alone?

This insight has important meaning for the delegation issue.  Given that
you don't have MAC, when you issue a certificate to a key, you have to have
some level of trust in the computer holding the secret key.  Depending on
your security requirements you may want to know these things about that

(1) The system doesn't run random software downloaded from BBSs or the net.
(2) The system runs only commercial software from major publishers.
(3) The system runs only systems and application software compiled from
source and reviewed by a trusted reviewer.
(4) The system has strong internal firewalls which effectively isolate
access to the secret key.

Bill Frantz       | The Internet may fairly be | Periwinkle -- Consulting
(408)356-8506     | regarded as a never-ending | 16345 Englewood Ave.
frantz@netcom.com | worldwide conversation.    | Los Gatos, CA 95032, USA
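The "Bob acting for Alice" delegation above is, in SPKI terms, a chain of authorisation certificates that a verifier checks link by link. The following Go program is an added example written for this page; it is not code from the list, from the SPKI draft or from its authors. It assumes a simplified certificate (exact-match permission tags and a single delegate bit, instead of the draft's S-expressions and tag intersection), Ed25519 signatures, and a constructed scenario with a root key the verifier trusts, Alice, her secretary Bob, and a third party Carol. It shows the checks a verifier can enforce mechanically: Bob may sign mail only through Alice's certificate, Bob cannot pass the permission on to Carol because Alice withheld delegation, and expired or altered certificates are refused. What it cannot do, as the message says, is stop Alice from simply handing Bob her private key; that remains a matter of policy and audit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Cert is a simplified SPKI-style authorisation certificate (hypothetical
// layout): Issuer grants Subject the permission Tag until NotAfter, and
// either does or does not allow Subject to delegate it further.
type Cert struct {
	Issuer   ed25519.PublicKey
	Subject  ed25519.PublicKey
	Tag      string
	Delegate bool
	NotAfter time.Time
}

// SignedCert carries the issuer's signature over the JSON encoding of Cert.
type SignedCert struct {
	Cert
	Sig []byte
}

// tbs is the canonical to-be-signed encoding of a certificate.
func (c Cert) tbs() []byte { b, _ := json.Marshal(c); return b }

// Issue signs c; the caller must supply the private key matching c.Issuer.
func Issue(priv ed25519.PrivateKey, c Cert) SignedCert {
	return SignedCert{Cert: c, Sig: ed25519.Sign(priv, c.tbs())}
}

// VerifyChain decides whether chain, starting from a key the verifier trusts
// directly (root), authorises holder to exercise tag at time now.
func VerifyChain(root ed25519.PublicKey, chain []SignedCert,
	holder ed25519.PublicKey, tag string, now time.Time) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	prev := root
	for i, sc := range chain {
		switch {
		case !sc.Issuer.Equal(prev):
			return fmt.Errorf("cert %d: issuer is not the previous subject", i)
		case !ed25519.Verify(sc.Issuer, sc.Cert.tbs(), sc.Sig):
			return fmt.Errorf("cert %d: signature does not verify", i)
		case sc.Tag != tag:
			return fmt.Errorf("cert %d: grants %q, not %q", i, sc.Tag, tag)
		case now.After(sc.NotAfter):
			return fmt.Errorf("cert %d: expired at %s", i, sc.NotAfter.Format(time.RFC3339))
		case i > 0 && !chain[i-1].Delegate: // previous cert withheld delegation
			return fmt.Errorf("cert %d: issuer was not allowed to delegate", i)
		}
		prev = sc.Subject
	}
	if !prev.Equal(holder) {
		return errors.New("chain does not end at the presenting key")
	}
	return nil
}

// Scenario builds the situation from the message with constructed keys: the
// root lets Alice sign mail and delegate; Alice lets Bob sign mail but not
// re-delegate. Each map entry is the verifier's verdict for one chain.
func Scenario() map[string]error {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	carolPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(1996, 7, 13, 13, 8, 0, 0, time.UTC) // constructed clock
	day := 24 * time.Hour

	rootToAlice := Issue(rootPriv, Cert{rootPub, alicePub, "sign-mail", true, now.Add(30 * day)})
	aliceToBob := Issue(alicePriv, Cert{alicePub, bobPub, "sign-mail", false, now.Add(7 * day)})
	bobToCarol := Issue(bobPriv, Cert{bobPub, carolPub, "sign-mail", false, now.Add(7 * day)})
	stale := Issue(alicePriv, Cert{alicePub, bobPub, "sign-mail", false, now.Add(-day)})
	altered := aliceToBob // expiry edited after Alice signed; signature no longer matches
	altered.NotAfter = now.Add(365 * day)

	return map[string]error{
		"bob acting for alice": VerifyChain(rootPub, []SignedCert{rootToAlice, aliceToBob}, bobPub, "sign-mail", now),
		"carol via bob":        VerifyChain(rootPub, []SignedCert{rootToAlice, aliceToBob, bobToCarol}, carolPub, "sign-mail", now),
		"bob, different tag":   VerifyChain(rootPub, []SignedCert{rootToAlice, aliceToBob}, bobPub, "read-files", now),
		"bob, expired cert":    VerifyChain(rootPub, []SignedCert{rootToAlice, stale}, bobPub, "sign-mail", now),
		"bob, altered expiry":  VerifyChain(rootPub, []SignedCert{rootToAlice, altered}, bobPub, "sign-mail", now),
	}
}

func main() {
	for name, err := range Scenario() {
		if err == nil {
			fmt.Printf("%-22s allowed\n", name)
		} else {
			fmt.Printf("%-22s denied: %v\n", name, err)
		}
	}
}
```

Run with `go run .`; only the first chain is allowed. The delegation bit is checked against the previous link, not the current one, because it is the grantor of a permission who decides whether the grantee may pass it on. That is the technical counterpart of option (1) in the message: if the policy does not permit re-delegation, the certificate chain cannot manufacture it.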