
Re: Clever delegation ??



Bill Frantz wrote:
If you model the UNIX file system in a cert, (and borrowing heavily from
the above example), you might be tempted to generate certs that named a
particular file and then gave access rights to it (R, W, A, R A, R W, R W
X, etc.)  In this case, each of the parameters adds to the set of
authorized actions.  As Franco Papacella <franco@goldnet.ch> points out, if
the combiner does an intersection, we get the correct results.

Bill, 

I have thought about using SPKI certs as a replacement for Compartmented Mode 
Workstations (CMW) DAC and MAC access controls. If one wants a union rather than 
an intersection, isn't this where PolicyMaker should come into play? If you want 
to authorize RW access to a file, issue two certificates to PolicyMaker and get 
the union certificate as a result.

You could augment this approach with other certificates. For example, the 
subject might need to present a certificate of computer update training to gain 
access to a file.

Jim Rome
ORNL
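
The intersection and union behaviour discussed in this message, as an added illustration that is not part of the original post and is not SPKI or PolicyMaker code: a simplified Python model where rights are intersected along one delegation chain, unioned across separate certificates, and gated on an extra required certificate. The `Cert` fields, the function names, the `training` attribute and the sample data are all assumptions.

```python
from typing import NamedTuple

class Cert(NamedTuple):      # simplified model, not the SPKI certificate format
    issuer: str
    subject: str
    file: str
    rights: frozenset        # subset of {"R", "W", "A", "X"}
    delegate: bool           # may the subject pass these rights on?

def chain_rights(chain, root, file):
    """Rights one delegation chain conveys: the intersection of every link."""
    rights, holder = None, root
    for i, cert in enumerate(chain):
        if cert.issuer != holder or cert.file != file:
            return frozenset()                   # chain does not connect to root
        if i < len(chain) - 1 and not cert.delegate:
            return frozenset()                   # this link forbids re-delegation
        rights = cert.rights if rights is None else rights & cert.rights
        holder = cert.subject
    return rights or frozenset()

def authorize(chains, root, subject, file,
              attrs=frozenset(), required=frozenset()):
    """Union over independent chains ending at subject, if all required
    attribute certificates (modelled here as plain names) are presented."""
    if not required <= attrs:
        return frozenset()
    granted = frozenset()
    for chain in chains:
        if chain and chain[-1].subject == subject:
            granted |= chain_rights(chain, root, file)
    return granted

# Constructed sample data: owner -> alice -> bob for reading, owner -> bob for writing.
F = "/proj/report"
READ = [Cert("owner", "alice", F, frozenset("RW"), True),
        Cert("alice", "bob", F, frozenset("RX"), False)]
WRITE = [Cert("owner", "bob", F, frozenset("W"), False)]

if __name__ == "__main__":
    print(sorted(chain_rights(READ, "owner", F)))              # one chain
    print(sorted(authorize([READ, WRITE], "owner", "bob", F)))  # two chains
```

Alice's attempt to hand Bob `X` is dropped by the intersection because the owner never granted it to her; Bob reaches `RW` only by presenting both chains.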