[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Clever delegation ??

Bill Frantz wrote:
If you model the UNIX file system in a cert, (and borrowing heavily from
the above example), you might be tempted to generate certs that named a
particular file and then gave access rights to it (R, W, A, R A, R W, R W
X, etc.)  In this case, each of the parameters adds to the set of
authorized actions.  As Franco Papacella <franco@goldnet.ch> points out, if
the combiner does an intersection, we get the correct results.


I have thought about using SPKI certs as a replacement for Compartmented Mode 
Workstations (CMW) DAC and MAC access controls. If one wants a union rather than 
an intersection, isn't this where PolicyMaker should come into play? If you want 
to authorize RW access to a file, issue two certificates to PolicyMaker and get 
the union certificate as a result.

You could augment this approach with other certificates. For example, the 
subject might need to present a certificate of computer update training to gain 
access to a file.

Jim Rome