[cap-talk] - Karp - Capabilities - tracking responsibility (Was: Bellizzomi - Users in object/capability systems (was: MLS gone bad, Lampson))
Jonathan S. Shapiro
shap at eros-os.com
Fri Dec 1 10:54:24 CST 2006
On Fri, 2006-12-01 at 09:47 +0100, Rob J Meijer wrote:
> The difference is that accountability for the action may not actually lie
> with the entity that took the action but with one of the entities in the
> preceding delegation chain. Thus appropriate incident response may focus
> on the zone of influence of the entity that apparently is violating policy.
Oh it is *much* worse than that. In the presence of logging, all we
*really* know is that responsibility lies in the action of *some* party
who has caused a change in system state between the initial system load
and the moment of violation. For example, the real cause of the fault may be
that a previous, nominally unrelated party caused a piece of utility
state to change that is now altering the behavior of that utility when
invoked legitimately.
Logging and authentication cannot fix responsibility. They can only fix
blame. The reason they are useful is that the case I describe is
relatively rare, and in consequence the process of logging and
authentication narrows the search space for the administrator.
Sometimes, of course, it narrows the search space in exactly the wrong
type of way...
shap
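The three levels of attribution the message distinguishes (who the log blames, who could in principle be responsible, and how far dependency tracking narrows the gap) as a small worked example. This is added illustration, not code from the post or from the EROS project; the audit log below is constructed, and the Event fields, actor names and object names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One authenticated, logged action (constructed schema for this example)."""
    seq: int                 # position in the log; seq 0 is the initial system load
    actor: str               # authenticated principal that performed the action
    op: str                  # "write" (mutates obj) or "invoke" (calls obj)
    obj: str                 # object whose state is mutated, or which is invoked
    reads: tuple = ()        # objects whose state the action consulted
    violation: bool = False  # reference monitor flagged this step as a policy violation


# Constructed sample log (not from the original post). Seq 1 is the
# "nominally unrelated party" who changed a piece of utility state; bob's
# later, perfectly legitimate invocation of that utility is what trips the
# policy check, so bob is the one who appears in the violation record.
LOG = [
    Event(0, "system", "write", "mailer.conf"),                     # initial load
    Event(1, "ops", "write", "mailer.conf"),                        # relay target changed
    Event(2, "carol", "write", "notes.txt"),                        # unrelated activity
    Event(3, "alice", "write", "report.txt"),
    Event(4, "bob", "invoke", "mailer",
          reads=("mailer.conf", "report.txt"), violation=True),
]


def find_violation(log):
    return next(e for e in log if e.violation)


def blame(log):
    """What logging plus authentication fixes: the principal whose action tripped the check."""
    return find_violation(log).actor


def all_state_changers(log):
    """The honest search space: every principal that changed state between load and violation."""
    v = find_violation(log)
    return {e.actor for e in log if e.op == "write" and e.seq < v.seq}


def responsible_candidates(log):
    """Narrow that space to principals whose writes the violating action transitively depended on.

    Returns {actor: {seq, ...}} for every write that the violating invocation read,
    directly or through earlier writes that themselves consulted other state.
    """
    v = find_violation(log)
    work = [(obj, v.seq) for obj in set(v.reads) | {v.obj}]  # (object, only writes before this seq)
    done = set()
    found = {}
    while work:
        obj, before = work.pop()
        if (obj, before) in done:
            continue
        done.add((obj, before))
        for e in log:
            if e.op == "write" and e.obj == obj and e.seq < before:
                found.setdefault(e.actor, set()).add(e.seq)
                # that write may itself have depended on state someone else changed
                work.extend((r, e.seq) for r in e.reads)
    return found


if __name__ == "__main__":
    print("blamed by the log:       ", blame(LOG))
    print("could be responsible:    ", sorted(all_state_changers(LOG)))
    print("dependency-narrowed set: ", responsible_candidates(LOG))
```

On this log, blame() returns bob, all_state_changers() returns everyone who wrote anything (system, ops, carol, alice), and responsible_candidates() drops carol while keeping ops, the party who actually changed the utility's state. The narrowing only works because the invoke record carries the reads field; if the log did not record what bob's invocation consulted, the same search would return nothing at all and the real cause would vanish from the candidate set, which is the "wrong type of way" the message warns about.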