
Re: Java programs, etc.



At 03:06 PM 4/15/97 +0200, Bryce wrote:
>Hm.  I can issue a cert authorizing Alice to read and write in my 
>"/tmp/foo" directory, and then later I can issue another one 
>authorizing Alice to read and write my "/tmp/bar" directory.
>Alice is going to present these certificates at my firewall,
>which is going to take them, inspect them, generate similar
>certificates signed by itself, and then forward her WebNFS packets
>along with the new certificates to my WebNFS server.
>
>
>Now, the firewall _knows_ that anyone who is allowed to read
>and write "/tmp/foo" and "/tmp/bar" is also allowed to read and
>write "/tmp" itself.  This is just my own personal policy.
>
>I have given the firewall instructions to compile certificates like
>the ones Alice has into a single certificate, issued by the 
>firewall, stating that Alice can read and write in the "/tmp" 
>directory.
>
>
>Thus, the firewall is going to, if not "augment", then at least
>"combine" Alice's certs.

AH,

	this is exactly what PolicyMaker (or some other tag program) is designed to 
do.  We'll have a write up of how to achieve that, once we get it past Matt 
and the list.

 - Carl


+------------------------------------------------------------------+
|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
+------------------------------------------------------------------+
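
The combining step Bryce describes, as an added example that is not part of the original thread and is not PolicyMaker or SPKI code: a firewall verifies Alice's owner-issued certs, applies the local "/tmp" policy, and re-issues under its own key. Assumptions: HMAC with constructed keys stands in for real public-key signatures, and the dict cert layout and the names issue, verify and combine are hypothetical.

```python
import hashlib, hmac, json

# Constructed demo keys. HMAC stands in for the public-key signatures real certs carry.
OWNER_KEY = b"constructed-owner-key"
FIREWALL_KEY = b"constructed-firewall-key"

# Local policy from the post: read+write on every listed child implies read+write on the parent.
POLICY = {"/tmp": {"/tmp/foo", "/tmp/bar"}}
REQUIRED = {"read", "write"}

def _sig(key, body):
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def issue(key, issuer, subject, path, perms):
    body = {"issuer": issuer, "subject": subject, "path": path, "perms": sorted(perms)}
    return {"body": body, "sig": _sig(key, body)}

def verify(key, cert):
    return hmac.compare_digest(cert["sig"], _sig(key, cert["body"]))

def combine(certs, subject):
    """Verify owner-issued certs for subject and re-issue them under the firewall key,
    collapsing children into the parent only when the policy is fully satisfied."""
    held = {}
    for c in certs:
        b = c["body"]
        # Ignore certs for other subjects, other issuers, or with a bad signature.
        if b["issuer"] == "owner" and b["subject"] == subject and verify(OWNER_KEY, c):
            held.setdefault(b["path"], set()).update(b["perms"])
    out, covered = [], set()
    for parent, children in POLICY.items():
        if all(REQUIRED <= held.get(ch, set()) for ch in children):
            out.append(issue(FIREWALL_KEY, "firewall", subject, parent, REQUIRED))
            covered |= children
    for path in sorted(held):
        if path not in covered:  # no policy match: re-issue the grant unchanged
            out.append(issue(FIREWALL_KEY, "firewall", subject, path, held[path]))
    return out
```

A forged or missing child cert leaves the policy unsatisfied, so the firewall re-issues only what was actually proven and never the wider "/tmp" grant.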

