[cap-talk] network level designation and authorization
Marc Stiegler
marcs at skyhunter.com
Wed Jun 7 20:06:44 EDT 2006
>
> would an easy to use virtual private networking toolkit provide the
> best network level designation / authorization mechanism?
No. VPNs as normally defined are terrible authorization mechanisms: you
are either inside, with all the authority, or outside, with none of the
authority. To achieve pola, every individual entity should have access
to exactly the least number of objects "inside" as they need, regardless
of whether the user is "inside" or "outside". Of course, if every
individual receives exactly pola authorities, it makes a mockery of the
very concept of "inside" versus "outside". Inside and outside become
a particularly silly concept for Alice, who needs access to 2 files inside
Bob's firewall, and 1 web page and a database view inside Carol's firewall.
--marcs
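As an added illustration of the inside/outside point (example code, not part of the thread): the perimeter model below grants Alice every object in any network she is "inside", while the capability model grants exactly the objects she holds tokens for. The object names, owner keys and the HMAC-token scheme are constructed assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed scenario: two perimeters, each holding a few objects.
NETWORKS = {
    "bob":   {"file:alpha", "file:beta", "file:payroll", "db:hr"},
    "carol": {"web:status", "db:sales_view", "file:contracts"},
}

def perimeter_reachable(principal_networks):
    """VPN-style authorization: being 'inside' a network grants every object in it."""
    return {obj for net in principal_networks for obj in NETWORKS[net]}

# Capability-style authorization: each owner mints unforgeable tokens that
# name exactly one object. (Constructed: an HMAC over the object name.)
OWNER_KEYS = {"bob": secrets.token_bytes(32), "carol": secrets.token_bytes(32)}

def mint_capability(owner, obj):
    tag = hmac.new(OWNER_KEYS[owner], obj.encode(), hashlib.sha256).hexdigest()
    return (owner, obj, tag)

def capability_authorized(cap, obj):
    """Grant access only if the token names this object and its tag verifies."""
    owner, named, tag = cap
    if named != obj or obj not in NETWORKS.get(owner, ()):
        return False
    expected = hmac.new(OWNER_KEYS[owner], obj.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)

def capability_reachable(caps):
    return {obj for net in NETWORKS for obj in NETWORKS[net]
            if any(capability_authorized(c, obj) for c in caps)}

def compare_alice():
    """Alice needs 2 files at Bob's and a web page plus a database view at Carol's."""
    alice_needs = {"file:alpha", "file:beta", "web:status", "db:sales_view"}
    vpn = perimeter_reachable({"bob", "carol"})          # inside both perimeters
    caps = [mint_capability("bob", "file:alpha"), mint_capability("bob", "file:beta"),
            mint_capability("carol", "web:status"), mint_capability("carol", "db:sales_view")]
    pola = capability_reachable(caps)
    # Excess authority each model hands Alice beyond what she needs.
    return {"vpn_excess": vpn - alice_needs, "pola_excess": pola - alice_needs, "pola": pola}

if __name__ == "__main__":
    print(compare_alice())
```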