Re: New drafts just submitted

Carl - I have had a chance to read thru the theory document.  It is the
clearest exposition I have yet seen of the ideas.  Congratulations!  I
particularly liked the summary of the delegation discussions.

One typo, and one gratuitous comment:

>6.3 5-tuple Reduction Rules
>   The two 5-tuples:
>   <I1,S1,D1,A1,V1> + <I2,S2,D2,A2,V2>
>   yield
>      <I1,S2,D2,AIntersect(A1,A2),VIntersect(V1,V2)>
>   provided
>      the two intersections succeed,
>      I1 = S2
>   and
>      D1 = TRUE
>   If S1 is a threshold subject, there is a slight modification to this
>   rule, as described below in section 6.3.3.

Shouldn't it say "S1 = I2" instead of "I1 = S2"?

>7.6 Key Revocation Service
>   ...
>   As the world moves to having all machines on-line all the time, this
>   might be the user's machine.  However, until then -- and maybe even
>   after then -- the user might want to hire some service to perform
>   this function.  That service could run a 24x7 manned desk, to receive
>   phone calls reporting loss of a key.  That authority would not have
>   the power to generate a new key for the user, only to revoke a
>   current one.

Unless authorization for the revocation is carefully controlled, this is a
wonderful opportunity for a denial of service attack.  I actually had the
joy of being able to say to a person who had just described how their
(mainframe) system disabled accounts after 3 invalid passwords, "Oh, how
nice.  What is your user name?"

Bill Frantz       | Macintosh: Didn't do every-| Periwinkle -- Consulting
(408)356-8506     | thing right, but did know  | 16345 Englewood Ave.
frantz@netcom.com | the century would end.     | Los Gatos, CA 95032, USA
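
An added example, not part of the original message or of the draft it quotes: the section 6.3 reduction rule written with the chaining condition S1 = I2 that the message proposes. Modelling A as a flat set of permission names and V as an inclusive (not_before, not_after) pair are simplifying assumptions, and all names are hypothetical.

```python
from typing import FrozenSet, NamedTuple, Optional, Tuple

class FiveTuple(NamedTuple):
    issuer: str              # I
    subject: str             # S
    delegate: bool           # D
    auth: FrozenSet[str]     # A (assumption: flat set of permission names)
    valid: Tuple[int, int]   # V (assumption: inclusive not_before, not_after)

def a_intersect(a1: FrozenSet[str], a2: FrozenSet[str]) -> Optional[FrozenSet[str]]:
    """Authorization intersection; fails (None) when nothing is shared."""
    common = a1 & a2
    return common or None

def v_intersect(v1: Tuple[int, int], v2: Tuple[int, int]) -> Optional[Tuple[int, int]]:
    """Validity intersection; fails (None) when the windows do not overlap."""
    start, end = max(v1[0], v2[0]), min(v1[1], v2[1])
    return (start, end) if start <= end else None

def reduce_pair(t1: FiveTuple, t2: FiveTuple) -> Optional[FiveTuple]:
    """Return <I1,S2,D2,A,V>, or None if the rule does not apply."""
    if t1.subject != t2.issuer:    # S1 = I2: t2 must be issued by t1's subject
        return None
    if not t1.delegate:            # D1 = TRUE: t1 must permit delegation
        return None
    a = a_intersect(t1.auth, t2.auth)
    v = v_intersect(t1.valid, t2.valid)
    if a is None or v is None:     # both intersections must succeed
        return None
    return FiveTuple(t1.issuer, t2.subject, t2.delegate, a, v)

# Constructed sample chain: K_owner -> K_alice -> K_bob
T1 = FiveTuple("K_owner", "K_alice", True, frozenset({"read", "write"}), (100, 500))
T2 = FiveTuple("K_alice", "K_bob", False, frozenset({"read"}), (300, 900))

if __name__ == "__main__":
    print(reduce_pair(T1, T2))   # chain links: K_alice is S1 and I2
    print(reduce_pair(T2, T1))   # wrong order: K_bob did not issue T1
```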