Re: Adding/subtracting permissions



> 
> This does not work well though if, in the process of delegation, the
> two tags can be separated.  If the cert holder can delegate just item
> (1) to another key he owns, then the intersection algorithm could strip
> off item (2) and make it like the original issuer just asserted (1),
> which was not his intention.

The "bad breath" attribution, if we consider it as a negative, is "does
not have permission to be considered as having nice breath".  If the
user makes a request to be considered as having nice breath, he will be
denied, because the original grantor did not grant that.  As I
mentioned before, we can only grant permissions, and only those that we
have.

> So, one way to resolve this is to not allow multiple auth tags in a cert.
> 
> However with the (*) notation we are back to having multiple tags, since
> the (*) is equivalent to a set of tags.  If we take Ron's example:
> 
>         (vacation-not-ok-on (* set Monday Tuesday))
> 
> I am puzzled now about what it really means.  As I understand the * notation,
> this is defined to be equivalent to:
> 
>         (vacation-not-ok-on Monday)
>         (vacation-not-ok-on Tuesday)
> 
> But if these tags are considered independently then as Ron described this
> allows vacation any day of the week.

I am having a hard time expressing this.  The negative attributions are
only to be had by omitting them from an enumeration of the positive ones.
Ron's example says, effectively, vacation can be taken on any day but Monday.
The second says vacation can be taken on any day but Tuesday.  In the context
of the first one, "any day but Tuesday" does not include Monday, because it
has not been granted.  I believe the logic has to be turned into a logic of
granting, rather than removing, and that which is not explicitly granted is
denied.

The problem is that making a negative statement ("anything but") does
not enumerate the set of permitted attributes (the "anything"), which
is the reason that I argue that if a set is not explicitly enumerable,
a custom program must do the job, and yes, as Ron says, the program
must be authorized by the original/final grantor.

I hope this makes it clearer.

brian


Brian Thomas, CISSP - Distributed Systems Architect  bt0008@entropy.sbc.com
Southwestern Bell                                    bthomas@primary.net
One Bell Center,  Room 34G3                          Tel: 314 235 3141
St. Louis, MO 63101                                  Fax: 314 235 0162
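Added example, not part of the message above or of any SPKI implementation: a small Python model of SPKI-style authorization tags and the (* set ...) form, with an intersection routine written the way RFC 2693 describes it (a shorter list is a prefix that grants any longer one, a set matches any of its members, everything else must match exactly). It is here to check Brian's point mechanically: intersection can only narrow a grant, so the "not Monday" in Ron's example has to be expressed by leaving Monday out of the enumerated days, and a delegate who splits a set into separate certs cannot get Monday back. The tag names, day names and the ftp example are constructed for illustration.

```python
"""
Model of SPKI authorization tags as nested Python lists of strings, e.g.
    ["vacation-ok-on", "Tue"]
    ["vacation-ok-on", ["*", "set", "Mon", "Tue"]]
Only the (* set ...) form of (*) is modelled.  None stands for the empty
intersection: no permission at all.  This is an illustrative model, not
the SPKI reference code.
"""

STAR = "*"


def is_set(tag):
    """True for the SPKI form (* set m1 m2 ...)."""
    return isinstance(tag, list) and len(tag) >= 2 and tag[0] == STAR and tag[1] == "set"


def _as_set(members):
    """Rebuild a set tag from its surviving members; collapse 1 -> atom, 0 -> None."""
    if not members:
        return None
    if len(members) == 1:
        return members[0]
    return [STAR, "set"] + members


def intersect(a, b):
    """Tag granted by holding both a and b, or None if they grant nothing in common."""
    if a is None or b is None:
        return None
    if is_set(a):
        # A set grants any of its members: keep each member's intersection with b.
        kept = [intersect(m, b) for m in set_members(a)]
        return _as_set([m for m in kept if m is not None])
    if is_set(b):
        return intersect(b, a)
    if isinstance(a, str) or isinstance(b, str):
        # Atoms (and an atom against a list) must match exactly.
        return a if a == b else None
    # Two plain lists: intersect element-wise.  The shorter list is a prefix
    # that grants every extension of itself, so the longer list's tail wins.
    n = min(len(a), len(b))
    head = []
    for x, y in zip(a[:n], b[:n]):
        r = intersect(x, y)
        if r is None:
            return None
        head.append(r)
    return head + (a[n:] if len(a) > n else b[n:])


def set_members(tag):
    return tag[2:]


def permits(chain, request):
    """True if the whole cert chain, intersected, still covers the (specific) request."""
    granted = chain[0]
    for tag in chain[1:]:
        granted = intersect(granted, tag)
    return intersect(granted, request) is not None


# Constructed chain.  The issuer can only enumerate the days it grants, so
# "any day but Monday" is written as the positive set that omits Monday.
ISSUER = ["vacation-ok-on", [STAR, "set", "Tue", "Wed", "Thu", "Fri"]]
# The delegate tries to pass on Mon and Tue (Ron's two days, as a grant).
DELEGATE = ["vacation-ok-on", [STAR, "set", "Mon", "Tue"]]


def chain_grant():
    """What the delegation actually conveys: only Tuesday survives."""
    return intersect(ISSUER, DELEGATE)


def split_delegation():
    """The delegate issuing one cert per day instead of one set cert.

    Each piece is intersected with the issuer's grant on its own; Monday still
    cannot appear, because it was never granted upstream.  The surviving
    pieces together equal chain_grant()."""
    pieces = [intersect(ISSUER, ["vacation-ok-on", day]) for day in ("Mon", "Tue")]
    return [p for p in pieces if p is not None]


if __name__ == "__main__":
    print("chain grants:", chain_grant())
    print("split delegation grants:", split_delegation())
    print("Monday request:", permits([ISSUER, DELEGATE], ["vacation-ok-on", "Mon"]))
    print("Tuesday request:", permits([ISSUER, DELEGATE], ["vacation-ok-on", "Tue"]))
```

The model has no way to write "vacation-not-ok-on" at all; a requester asking for Monday is refused simply because no cert in the chain ever enumerated it, which is the deny-unless-granted reading of the thread.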