
Re: Trust and Transitivity

At 6:32 AM -0700 5/23/97, Camillo Särs wrote:
>Which in SPKI would be expressed by not allowing Skywalker to delegate
>the privileges of the certificate.   So we agree that trust is not
>transitive, and I claim that SPKI makes the same basic assumption by
>requiring express permission to delegate.  And if I'm wrong, I'm quite
>sure someone will correct me.

The unfortunate part of this assertion is that the SPKI "Don't Delegate"
state is, of necessity, only a polite request.  It does not provide the
mathematical security that things like the digital signature do.  My
objection to it comes from the line of reasoning that says, I gave
Skywalker a Don't Delegate certificate, so there is no way he could let
Mary use the authority granted in that certificate.  People will go down
this garden path and be badly misled about the security properties their
systems provided.

To put it another way:  If I give Microsoft Word the right to access my
file system, I cannot prevent it from delegating that right to any macro
virus that comes along.  If my OS allowed me to run Word in a sandbox which
couldn't access my file system, then I would not need to worry about Word
macro viruses.

Yet another way of looking at it is: In the real world, you may trust
Pollard with your highest secrets.  You don't trust the KGB.  (Indeed, if
Pollard trusts the KGB, you won't suddenly trust them.)  However there is
nothing you can do to prevent Pollard from giving those secrets to the KGB.

You can punish him severely after the fact, but the secrets are still gone.
While there may be some satisfaction in punishing a human, there is much
less in punishing a program.  (What is appropriate punishment for a
program?  Erasing it from the file system?)

In computers, the only thing we can deal in is authority.  While we would
like the authorities we grant to match our trust model, there are
limitations on what we can actually achieve.

I realize that the properties you get by preventing delegation are nice.
The problem is that they aren't technically achievable.  If you take the
view that you should only do what you can do, then you need to build your
security model on what is possible.

When you accept this limitation and start reasoning in a proxying paradigm,
you still have a number of nice properties.  (And you have much more
respect for the principle of least privilege.)

Bill Frantz       | The Internet was designed  | Periwinkle -- Consulting
(408)356-8506     | to protect the free world  | 16345 Englewood Ave.
frantz@netcom.com | from hostile governments.  | Los Gatos, CA 95032, USA
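As an added illustration of the proxying argument in the message above (example code, not from the original post or from any SPKI implementation; the certificate shape, the `propagate` bit and the names are assumptions): a verifier that honours a "Don't Delegate" bit refuses the certificate Skywalker issues to Mary, yet Skywalker can still proxy Mary's reads with his own valid chain, while a sandbox that withholds the authority altogether leaves the proxy nothing to forward.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    issuer: str      # key that signs the cert (names stand in for keys here)
    subject: str     # key the authority is granted to
    tag: str         # authority granted, e.g. "read:plans"
    propagate: bool  # delegation bit; False is the "Don't Delegate" state

class FileServer:
    """Verifier: honours a chain only if every hop was allowed to delegate."""
    def __init__(self, owner, files):
        self.owner, self.files = owner, dict(files)

    def chain_valid(self, chain, name):
        if not chain or chain[0].issuer != self.owner:
            return False
        for prev, nxt in zip(chain, chain[1:]):
            if nxt.issuer != prev.subject or not prev.propagate:
                return False  # delegation refused at this hop
        return chain[-1].tag == "read:" + name

    def read(self, chain, name):
        if not self.chain_valid(chain, name):
            raise PermissionError(name)
        return self.files[name]

# Constructed sample: one owner, one file, one non-delegable cert for Skywalker.
SERVER = FileServer("Owner", {"plans": "constructed secret"})
NO_DELEGATE = Cert("Owner", "Skywalker", "read:plans", propagate=False)

def delegation_is_refused():
    """Honest delegation fails: a cert Skywalker issues to Mary is rejected."""
    mary_cert = Cert("Skywalker", "Mary", "read:plans", propagate=False)
    try:
        SERVER.read([NO_DELEGATE, mary_cert], "plans")
    except PermissionError:
        return True
    return False

def proxy_leaks_anyway(holder_chain):
    """Skywalker holds a valid chain, so he can read on Mary's behalf."""
    def skywalker_proxy(name):
        return SERVER.read(holder_chain, name)
    return skywalker_proxy("plans")  # what Mary ends up seeing

def sandbox_holds():
    """Confinement: with no authority granted, the proxy has nothing to forward."""
    try:
        proxy_leaks_anyway([])
    except PermissionError:
        return True
    return False
```

The verifier only ever sees Skywalker's own chain in the proxied read, which is why the bit cannot distinguish his use from Mary's.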