[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Other *-forms for dates and times, and love

At 5:09 AM -0700 4/9/97, Brian M. Thomas wrote:
>> However, if the verifier allows me to read your private mail, there is
>> nothing which prevents me from spamming it across the universe, or more
>> likely, forwarding copies to badguys.org.
>The point being, of course, that once you have the information, it's no
>longer necessary to read my files, because it's now in your files, so
>that no permission scheme I implement can control it.
>This will always be the upper bound on all security schemes:  not the
>trust mechanism, but the appropriateness of the trust-granting choices,
>which is not at all a technical matter.  The schemes we implement are
>targeted at enforcing our choices, not proving that they are wise ones.

This is true if the recipient is a human being, because s/he can always
memorize that data and transmit it outside of any confinement you provide.
If the recipient is a program, the outlook is somewhat brighter.  The A and
B levels of the NCSC security model require what are called mandatory
access controls.  These allow an external actor, typically an
administrator, to control what programs can do with what they process.

I believe you can use SPKI certificates to assure that remote computers
enforce the mandatory access rules, and therefor control where those
programs can send the data.  It is an interesting application of
certificates.  However, it requires control programs which are capable of
encapsulating the programs they run.

Bill Frantz       | God could make the world   | Periwinkle -- Consulting
(408)356-8506     | in six days because he did | 16345 Englewood Ave.
frantz@netcom.com | not have an installed base.| Los Gatos, CA 95032, USA

Follow-Ups: References: