[cap-talk] Capabilities vs. Classifications - MLS systems?
jed at nersc.gov
Thu Jan 5 15:46:18 EST 2006
At 08:50 AM 1/5/2006, Karp, Alan H wrote:
>...there's another aspect to the problem, voluntary oblivious
>compliance (VOC). Say that Alice asks Bob for a file that he can read.
>If Bob doesn't care about the rules, or he wants to break them, he'll
>get the contents of the file to Alice by some means. No mandatory
>access control, except one that prevents him from sending a message to
>Alice, can prevent it.
We agree on that.
>On the other hand, Bob may want to obey the rules, but he may not know
>them. Real security systems are far more complex than just a single set
>of levels. Even matrix security, with levels and compartments, doesn't
>capture all the policies people would like to enforce. Further, the
>rules are constantly changing. A system that supports VOC allows Bob to
>send Alice a handle to the file that Alice can only use if the policy
>allows her access. We implemented such a mechanism in Client Utility
>(e-speak Beta), and MarkM has figured out how to do something similar in
>E. I call this control "mandatory" if Alice's use of the handle is
>prevented by something other than the file server. That's different
>from Jed's definition, but I believe mine has value.
(it seems to me you've reversed the typical roles of Alice and Bob above,
but I'll follow the above use).
When you say that "real" security systems are far more complex, I
believe therein lies the problem with such systems. I think people
can understand POLA. Don't trust any subject with anything they
don't need access to and then of course only if you believe the subject
to be trustworthy. However, if you do need to trust them and you do
believe them trustworthy, why should any over arching policy, with
whatever complexity and changing nature, stop you from doing so -
thereby forcing you to proxy to get your legitimate work done?
"the rules are constantly changing"? How does anybody get any
I believe that any such policy (any form of "do not copy") that
effectively prohibits POLA from being directly applied ends up
being counter productive, even "VOC". I respect your opinion
on this Alan, but I hope I can respectfully disagree.
More information about the cap-talk