
Re: Java programs, etc.

At 03:06 PM 4/15/97 +0200, Bryce wrote:
>Hm.  I can issue a cert authorizing Alice to read and write in my 
>"/tmp/foo" directory, and then later I can issue another one 
>authorizing Alice to read and write my "/tmp/bar" directory.
>Alice is going to present these certificates at my firewall,
>which is going to take them, inspect them, generate similar
>certificates signed by itself, and then forward her WebNFS packets
>along with the new certificates to my WebNFS server.
>Now, the firewall _knows_ that anyone who is allowed to read
>and write "/tmp/foo" and "/tmp/bar" is also allowed to read and
>write "/tmp" itself.  This is just my own personal policy.
>I have given the firewall instructions to compile certificates like
>the ones Alice has into a single certificate, issued by the 
>firewall, stating that Alice can read and write in the "/tmp" 
>Thus, the firewall is going to, if not "augment", then at least
>"combine" Alice's certs.


This is exactly what PolicyMaker (or some other tag program) is designed to 
do.  We'll have a write-up of how to achieve that, once we get it past Matt 
and the list.

 - Carl
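
The combining step described in the quoted message, as an added sketch that is not part of the original thread and is not PolicyMaker code: the firewall verifies the presented certs, applies the local "/tmp/foo and /tmp/bar imply /tmp" policy, and issues its own cert. HMAC stands in for certificate signatures; the keys, the `POLICY` table, the cert fields and the function names are assumptions.

```python
import hashlib, hmac, json

# Constructed keys; HMAC stands in for the public-key signatures of real certs.
OWNER_KEY = b"constructed-owner-key"
FIREWALL_KEY = b"constructed-firewall-key"

# Local policy (hypothetical encoding): holding valid certs for every path on
# the left lets the firewall issue one cert for the path on the right.
POLICY = [({"/tmp/foo", "/tmp/bar"}, "/tmp")]

def _mac(key, body):
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def issue(key, issuer, subject, path, rights):
    body = {"issuer": issuer, "subject": subject,
            "path": path, "rights": sorted(rights)}
    return {"body": body, "mac": _mac(key, body)}

def verify(key, cert):
    return hmac.compare_digest(_mac(key, cert["body"]), cert["mac"])

def combine(subject, presented):
    """Firewall step: verify presented certs, apply POLICY, re-issue."""
    valid = [c["body"] for c in presented
             if verify(OWNER_KEY, c)
             and c["body"]["issuer"] == "owner"
             and c["body"]["subject"] == subject]
    issued = []
    for required, implied in POLICY:
        held = [b for b in valid if b["path"] in required]
        if {b["path"] for b in held} != required:
            continue  # a required cert is missing or failed verification
        # Assumption: grant only the rights common to all combined certs.
        rights = set.intersection(*(set(b["rights"]) for b in held))
        if rights:
            issued.append(issue(FIREWALL_KEY, "firewall", subject, implied, rights))
            valid = [b for b in valid if b["path"] not in required]
    # Certs not covered by a policy rule are re-issued one for one.
    issued += [issue(FIREWALL_KEY, "firewall", subject, b["path"], b["rights"])
               for b in valid]
    return issued
```

The broader "/tmp" cert is only issued when every cert the rule depends on verifies under the owner's key and names the same subject, so a single missing or altered cert leaves the holder with the narrower grants.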