[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Clever delegation ??
Bill Frantz wrote:
If you model the UNIX file system in a cert, (and borrowing heavily from
the above example), you might be tempted to generate certs that named a
particular file and then gave access rights to it (R, W, A, R A, R W, R W
X, etc.) In this case, each of the parameters adds to the set of
authorized actions. As Franco Papacella <franco@goldnet.ch> points out, if
the combiner does an intersection, we get the correct results.
Bill,
I have thought about using SPKI certs as a replacement for Compartmented Mode
Workstations (CMW) DAC and MAC access controls. If one wants a union rather than
an intersection, isn't this where PolicyMaker should come into play? If you want
to authorize RW access to a file, issue two certificates to PolicyMaker and get
the union certificate as a result.
You could augment this approach with other certificates. For example, the
subject might need to present a certificate of computer update training to gain
access to a file.
Jim Rome
ORNL