[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Clever delegation ??

At 9:39 PM -0800 4/2/97, Ron Rivest wrote:
>Bill Frantz says:
>	I am beginning to think I need a tutorial on how to
>	compose tags so no hostile cert holder can amplify the
>	authorizations given by the tag by clever delegation.
>The proposed algorithm for intersecting tags should ALWAYS produce a
>tag T for the result of reducing a chain that is not more powerful
>than any of the tags T1, ..., Tn of the chain.  This is because each
>tag represent a set of S-expressions (each of which denotes an authorization)
>and the tag represents a set containing a given S-expression S only if
>each of the Ti's represent a set containing S.
>That is not to say that one couldn't write an S-expression for a tag
>that transferred more authority than you intended.  But further
>sub-delegation can't increase the authority first delegated.

I think it depends on whether the items in the tag grant authority or
remove it.  Consider composing the tags (ftp /pub/ftp/foo) and (ftp
/pub/ftp/foo R/O).  I believe that the method you suggest would reduce this
to (ftp /pub/ftp/foo) which just might allow the holder to replace foo.

It is issues like this which need to be made clear so people don't shoot
themselves in the foot.

Regards - Bill

Bill Frantz       | I have taken a real job at | Periwinkle -- Consulting
(408)356-8506     | Electric Communities as a  | 16345 Englewood Ave.
frantz@netcom.com | capability security guru.  | Los Gatos, CA 95032, USA

Follow-Ups: References: