[cap-talk] In Defense of Identities

Jonathan S. Shapiro shap at eros-os.com
Tue Dec 5 07:35:13 CST 2006


I have watched the discussion under "tracking responsibility" with some
interest -- not least because I've been looking at how to put up a
collaboration environment for The EROS Group, and many of the serious
difficulties boil down to issues of identity management. I want to make
a case here in defense of identity-based controls.

Let me first qualify that: I do not propose that identity-based controls
should replace capabilities. Capabilities provide a form of positive
authorization that is exceptionally useful and important for narrowing
authority, and I do not propose to change that. However, I think that it
would be useful to look again at the role of identities for
authorization.

I am contemplating here a system similar to SCAP, wherein capabilities
are necessary but not sufficient, and identity-based authorization is
additionally required.

I (of all people) understand why this is messy from any purist
perspective, but I want to go back to one of our core arguments, because
I suspect that it is technically correct and pragmatically irrelevant.

We have argued from a purist perspective that identity-based controls
are meaningless, largely because they cannot preclude proxying. I want
to test this argument against real-world threat models.

First, I want to note that there are two distinct types of proxying:
human proxying and software proxying. By human proxying, I mean proxying
wherein some explicit human action is required to enable the
communication channel. Three examples of human proxying:

  1. Alice leaves a group, but asks Bob (who is still in the group) to
     answer some question. Bob does.

  2. Alice leaves a group, but asks Bob for access to something. Bob
     grants Alice a proxy, whereupon Alice uses it.

  3. Alice leaves a group, but asks Bob for access. The two parties
     conspire to build a proxy that communicates using covert channels.

The first case cannot be prevented computationally. In an ACL system,
the second *can* be prevented -- at least to the extent that an
administrator can restrict cross-user invocations to invocations on
administratively authorized subsystems. The third cannot be prevented by
any technique I know about, but it has a high enough engineering and
expertise cost that it ranks fairly low in the threat space.

Software proxying relies on the installation of a Trojan horse, such
that software acting with Bob's authority conspires independent of Bob's
intent.

What I want to point out here is that from a threat model perspective,
absolute success in preventing conspiracy between Alice and Bob must be
considered a threat, not an objective.

Why?

Consider the signoff structure in a business. On a significant expense,
it is customary that two levels of management must sign off. Inevitably
one of those levels is traveling and delegates their signoff. This is a
situation where the overt rules are compromised to the objectives.

Even in military contexts, there is some degree of local discretion
about disclosure under combat conditions. The system relies on the
trustworthiness of the participants to make judgments in the field.

The question I am exploring is whether *all* conspiracy guards shouldn't
be viewed this way. That is, anti-human-conspiracy rules may all have an
exception, and if so our goal isn't to make them impossible; it's to
make them a sufficient nuisance. Perhaps the purpose of identity-based
controls is to set a high market price on conspiracy, not to prevent it.


In such a model, don't identity-based controls serve a valid purpose?


-- 
Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
+1 443 927 1719 x5100
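Added illustrative example, not code from the post, from EROS, or from SCAP: a toy reference monitor in which a capability is necessary but not sufficient and the caller's identity must also be a member of the group authorized for the resource, as in the "capabilities necessary but not sufficient" model described above. It walks through Alice leaving a group and the first two human-proxying cases listed in the post (Bob answering himself, and Bob handing Alice a proxy that an administrator's cross-user restriction blocks). The principals, the "finance" group, the "ledger" resource, the "helpdesk" subsystem and the `Monitor` API are all constructed for this example.

```python
# Added illustrative example; not code from the post or from EROS/SCAP.
# A toy reference monitor where a capability is necessary but not sufficient:
# the caller's identity must also be in the group authorized for the resource.
# Names (Alice, Bob, "finance", "ledger", "helpdesk") are constructed.
import secrets
from dataclasses import dataclass, field


class Denied(Exception):
    """Raised when either the capability check or the identity check fails."""


@dataclass(frozen=True)
class Capability:
    resource: str
    token: str  # unguessable secret; possessing it is the positive authorization


@dataclass
class Monitor:
    groups: dict                 # group name -> set of member principals
    resource_group: dict         # resource -> group whose members may use it
    # Objects an administrator allows to be invoked across user boundaries.
    authorized_subsystems: set = field(default_factory=set)
    _issued: dict = field(default_factory=dict)   # token -> resource it was minted for
    _objects: dict = field(default_factory=dict)  # object name -> (owner, callable)

    def mint(self, resource):
        """Issue an unforgeable capability for `resource`."""
        token = secrets.token_hex(16)
        self._issued[token] = resource
        return Capability(resource, token)

    def invoke(self, caller, cap):
        """Use `cap` as `caller`: both checks must pass (the conjunctive model)."""
        if self._issued.get(cap.token) != cap.resource:   # capability check
            raise Denied("capability not recognised")
        group = self.resource_group[cap.resource]
        if caller not in self.groups.get(group, set()):   # identity check
            raise Denied(f"{caller} is not a member of {group}")
        return f"{cap.resource} accessed by {caller}"

    def register(self, name, owner, fn):
        """Install an object that runs with `owner`'s authority when called."""
        self._objects[name] = (owner, fn)

    def call(self, caller, name):
        """Cross-user invocation is only allowed into admin-authorized subsystems."""
        owner, fn = self._objects[name]
        if owner != caller and name not in self.authorized_subsystems:
            raise Denied(f"{caller} may not invoke {owner}'s object {name}")
        return fn()


def _attempt(thunk):
    """Return (True, result) on success or (False, reason) on denial."""
    try:
        return True, thunk()
    except Denied as e:
        return False, str(e)


def scenario():
    """Walk through Alice leaving the group and the proxying cases."""
    m = Monitor(groups={"finance": {"alice", "bob"}},
                resource_group={"ledger": "finance"},
                authorized_subsystems={"helpdesk"})
    ledger = m.mint("ledger")
    m.register("helpdesk", "admin", lambda: "ticket filed")
    out = {}
    out["alice_before"] = _attempt(lambda: m.invoke("alice", ledger))
    m.groups["finance"].discard("alice")          # Alice leaves the group
    # The capability is still valid, but the identity check now fails.
    out["alice_after"] = _attempt(lambda: m.invoke("alice", ledger))
    # Case 1: Bob answers Alice's question himself; nothing computational stops this.
    out["bob_answers"] = _attempt(lambda: m.invoke("bob", ledger))
    # Case 2: Bob hands Alice a proxy running with his authority; the admin
    # restriction on cross-user invocations blocks it because the proxy is
    # not an authorized subsystem.
    m.register("bob_proxy", "bob", lambda: m.invoke("bob", ledger))
    out["alice_via_proxy"] = _attempt(lambda: m.call("alice", "bob_proxy"))
    # An administratively authorized subsystem remains reachable across users.
    out["alice_via_helpdesk"] = _attempt(lambda: m.call("alice", "helpdesk"))
    # A forged token fails the capability check even for a group member.
    out["bob_forged"] = _attempt(lambda: m.invoke("bob", Capability("ledger", "0" * 32)))
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:20s} {'OK    ' if v[0] else 'DENIED'} {v[1]}")
```

The two checks are deliberately independent: revoking Alice's group membership leaves her capability intact but useless, while a forged token is refused even for a current member. The third case in the post, a covert channel built by two conspirators, is not modelled because, as the post says, no check in the monitor can address it.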


