
adding/subtracting permissions ??

The way I think about tags is the following:

	Each tag is either *-free (containing no *-forms), or not.

	Each *-free tag is supposed to grant a specific permission.

	A tag containing *-forms stands for a SET of *-free forms, and
	so grants a SET of corresponding specific permissions.

If you try to have "negative authorization", then you can get into
trouble, independent of *-forms.  For example, following Tony's
example below, you might have a tag
	(exec-ok <program> <file>)
	(exec-ok P F)
which is intended to mean: "You have permission to run program
P as long as its input is not the file F."  Independent of *-forms, what is
it supposed to mean if I have two certificates:
	(exec-ok P F)
	(exec-ok P F')
for two different files F and F'?  Clearly I can now run P on any
program I like! (To apply P to F', I use the first certificate, and to
apply it to F, I use the second.  For any other file, I can use either

I think the problems you are proposing have little to do with *-forms, and
arise from the "negative" nature of the authorization.  What does it mean
to have two certificates:
	(vacation-not-ok-on (* set Monday Tuesday))
	(vacation-not-ok-on (* set Monday Wednesday))
With these certificates, I can take a vacation on any day but Monday!
But the *-free certificates
	(vacation-not-ok-on Monday)
	(vacation-not-ok-on Tuesday)
	(vacation-not-ok-on Wednesday)
are also problematic: I can take a vacation any day I like!  The problems
arise from having multiple certificates (starred or not) that attempt
to take away privileges, rather than grant them.  

"Negative authorizations" should just not be used.  Each *-free form
should grant a specific (positive) authorization.  The *-forms just
provide a short-hand for granting multiple authorizations at once, but
don't really introduce any new issues.  

Ron Rivest

To: Bill Frantz <frantz@netcom.com>
From: azb@llnl.gov (Tony Bartoletti)
Subject: Re: Clever delegation ??
Cc: spki@c2.net

Bill Frantz wrote:
>I think that it is correct to say, if the parameter increases the
>privilege, then the combiner must do an intersection.  If the parameter
>reduces the privilege, as when the R/O parameter is added to limit the
>authorization to Read Only access, then the combiner needs to do a union.

If there were a way, given a tag with parameters formed of *-sets, to always
determine a priori that set-expansion grants greater, or lesser authority,
that would be, well, just swell.  But I am afraid this is an issue of how
the tag will be applied semantically.  Consider:

P1: (* set (day Monday Tuesday Wednesday))
P2: (* set (day Monday Tuesday))

P1 provides greater freedom than P2 if these are days you may take vacation.
P1 provides lesser freedom than P2 if these are days you may not take vacation.

Taking intersection or union depends upon knowing just what the tag "really
means".  I begin to wonder if each parameter of a tag should communicate its
role as a degree of restriction or of freedom.

____TONY____  (making trouble again.)
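The two points raised in this thread, modelled as an added Python example (not code from the SPKI list or from any of the authors): a holder of several certificates can present whichever one suits the request, so the holder effectively gets the union of what each certificate allows, which is why (vacation-not-ok-on ...) tags get weaker with every extra certificate; and Tony's P1/P2 tags combine differently along a delegation chain depending on whether the day parameter grants or restricts. The tuple encoding of tags, the five-day `DAYS` universe, and reading a negative certificate as "ok on every day it does not name" are assumptions made for the illustration.

```python
"""Toy model of SPKI-style tags containing (* set ...) forms.  Added
illustration for the thread above, not SPKI reference code."""
from itertools import product

# Assumed universe of days a vacation request can name.
DAYS = frozenset(["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"])

def expand(tag):
    """Expand a tag such as ("vacation-ok-on", ("*", "set", "Monday", "Tuesday"))
    into the set of *-free tags it stands for: the cross product over *-sets."""
    choices = [list(e[2:]) if isinstance(e, tuple) and e[:2] == ("*", "set") else [e]
               for e in tag]
    return {tuple(t) for t in product(*choices)}

def days_in(tag):
    """Day names a (<name> <days>) tag refers to, whether *-free or not."""
    return {t[1] for t in expand(tag)}

def allowed_positive(certs):
    """Holder of several (vacation-ok-on X) certs: presenting any one grants its
    days, so the holder ends up with the union of what each cert grants."""
    return set().union(*(days_in(c) for c in certs))

def allowed_negative(certs):
    """Holder of several (vacation-not-ok-on X) certs: presenting cert c is read
    (our assumption) as 'vacation ok on DAYS - X'.  Choosing whichever cert is
    convenient, the holder gets the union of those complements, so only a day
    that *every* cert forbids stays forbidden.  More certs, fewer restrictions."""
    return set().union(*(DAYS - days_in(c) for c in certs))

def combine_chain(issuer, delegate, restrictive):
    """Combine two tags along a delegation chain.  The delegate may never hold
    more privilege than the issuer, so privilege is intersected; on the day
    parameter that is an intersection when the parameter grants freedom and a
    union when it restricts it (Bill Frantz's rule, Tony's P1/P2 ambiguity)."""
    a, b = days_in(issuer), days_in(delegate)
    if restrictive:
        return DAYS - (a | b)   # forbidden days accumulate
    return a & b                # granted days shrink

if __name__ == "__main__":
    neg = [("vacation-not-ok-on", ("*", "set", "Monday", "Tuesday")),
           ("vacation-not-ok-on", ("*", "set", "Monday", "Wednesday"))]
    print("negative, starred:", sorted(allowed_negative(neg)))
    p1 = ("vacation-on", ("*", "set", "Monday", "Tuesday", "Wednesday"))
    p2 = ("vacation-on", ("*", "set", "Monday", "Tuesday"))
    print("P1,P2 as freedom:   ", sorted(combine_chain(p1, p2, False)))
    print("P1,P2 as restriction:", sorted(combine_chain(p1, p2, True)))
```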