Re: adding/subtracting permissions ??

Ron Rivest, rivest@theory.lcs.mit.edu, wrote:
> If you try to have "negative authorization", then you can get into
> trouble, independent of *-forms.  For example, following Tony's
> example below, you might have a tag
> 	(exec-ok <program> <file>)
> e.g.
> 	(exec-ok P F)
> which is intended to mean: "You have permission to run program
> P as long as its input is not the file F."  Independent of *-forms, what is
> it supposed to mean if I have two certificates:
> 	(exec-ok P F)
> 	(exec-ok P F')
> for two different files F and F'?  Clearly I can now run P on any
> program I like! (To apply P to F', I use the first certificate, and to
> apply it to F, I use the second.  For any other file, I can use either
> certificate.)

I thought the rules we were discussing for tag merging were applied in
the context of delegation.  The original SPKI document discussed merging
with the assumption that the subject of the first cert was the issuer of
the second.  The resulting cert was supposed to be the "intersection" of
the tags, which was not really defined.  The discussion for rules about
combining tags was being applied in that context, I thought.

In that case, if the first cert has an auth tag of (exec-ok P F) and the
second has (exec-ok P F') then I don't think there would be any good way
to merge them.  The intersection of these two tags would properly be null.

This is not the same as having the same signer issue both of these
authorizations, which I agree would cause problems.  The case we are
talking about is where the second auth is issued by a delegatee of the
first issuer.

> I think the problems you are proposing have little to do with *-forms, and
> arise from the "negative" nature of the authorization.  What does it mean
> to have two certificates:
> 	(vacation-not-ok-on (* set Monday Tuesday))
> 	(vacation-not-ok-on (* set Monday Wednesday))

If the first cert is (vacation-not-ok-on (* set Monday Tuesday)), and the
second in the delegation chain is (vacation-not-ok-on (* set Monday)), we
should not merge these, because the second is actually asserting more power
than was delegated to it by the first.

I don't think negative authorizations by themselves are necessarily a
problem.  However they do cause trouble in the context of the proposed
merging algorithm, which was designed with positive authorizations
in mind.

Hal Finney
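The two cases argued above (a literal mismatch giving a null intersection, and a "not-ok" tag where intersection silently widens the delegatee's power) can be made concrete in a few lines. The following is an added illustration and is not code from the thread or from the SPKI drafts; it models only the `(* set ...)` *-form, treats tags as Python tuples, and assumes a convention (not in the thread) that a tag is "negative" when its name is listed in `NEGATIVE_TAGS`.

```python
"""SPKI-style tag intersection for positive authorizations, plus a check
that shows why the same merge rule is unsound for negative ("not-ok") tags.
Added illustration; the tag encoding and NEGATIVE_TAGS convention are
assumptions made for this example, not part of the SPKI drafts."""

# Tags are S-expressions encoded as nested tuples, e.g.
#   ("exec-ok", "P", "F")
#   ("vacation-ok-on", ("*", "set", "Monday", "Tuesday"))
# Only the (* set ...) *-form is modelled; set members are atoms.

NEGATIVE_TAGS = {"vacation-not-ok-on"}   # assumed convention for this example


def is_set_form(x):
    """True for a (* set a b c ...) *-form."""
    return isinstance(x, tuple) and len(x) >= 2 and x[0] == "*" and x[1] == "set"


def intersect(a, b):
    """Intersection of two positive tags, or None when it is empty.

    Set forms intersect member-wise; an atom intersects a set form only if it
    is a member; other tuples intersect position by position; atoms must match.
    """
    if is_set_form(a) and is_set_form(b):
        common = [v for v in a[2:] if v in b[2:]]
        return ("*", "set", *common) if common else None
    if is_set_form(a):
        return b if b in a[2:] else None
    if is_set_form(b):
        return a if a in b[2:] else None
    if isinstance(a, tuple) and isinstance(b, tuple):
        if len(a) != len(b):
            return None
        out = []
        for x, y in zip(a, b):
            r = intersect(x, y)
            if r is None:
                return None
            out.append(r)
        return tuple(out)
    return a if a == b else None


def naive_merge_ok(issuer_tag, delegatee_tag):
    """The positive-only rule from the thread: the delegatee's tag is
    acceptable iff intersecting it with the issuer's tag gives it back."""
    return intersect(issuer_tag, delegatee_tag) == delegatee_tag


def forbidden(tag):
    """Values a negative tag's argument forbids (atom -> one-element set)."""
    arg = tag[1]
    return set(arg[2:]) if is_set_form(arg) else {arg}


def negative_aware_ok(issuer_tag, delegatee_tag):
    """A negative tag grants the complement of its argument, so a delegatee
    may only forbid a superset of what the issuer forbids; positive tags keep
    the intersection rule."""
    if issuer_tag[0] in NEGATIVE_TAGS and delegatee_tag[0] == issuer_tag[0]:
        return forbidden(delegatee_tag) >= forbidden(issuer_tag)
    return naive_merge_ok(issuer_tag, delegatee_tag)


if __name__ == "__main__":
    # Constructed sample tags, mirroring the thread's examples.
    exec_f = ("exec-ok", "P", "F")
    exec_f2 = ("exec-ok", "P", "F2")
    print(intersect(exec_f, exec_f2))                    # None: nothing in common

    pos_issuer = ("vacation-ok-on", ("*", "set", "Monday", "Tuesday"))
    pos_deleg = ("vacation-ok-on", ("*", "set", "Monday", "Wednesday"))
    print(intersect(pos_issuer, pos_deleg))              # (... (* set Monday))

    neg_issuer = ("vacation-not-ok-on", ("*", "set", "Monday", "Tuesday"))
    neg_deleg = ("vacation-not-ok-on", ("*", "set", "Monday"))
    print(naive_merge_ok(neg_issuer, neg_deleg))         # True: wrongly accepted
    print(negative_aware_ok(neg_issuer, neg_deleg))      # False: widens power
```

The negative case is exactly the one Hal describes: intersecting the two forbidden sets yields a smaller forbidden set, so the naive rule accepts a delegatee cert that forbids less (and therefore permits more) than its issuer did, while the superset check rejects it.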