[cap-talk] network level designation and authorization
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Wed Jun 7 20:18:43 EDT 2006
Marc Stiegler wrote:
>>would an easy to use virtual private networking toolkit provide the
>>best network level designation / authorization mechanism?
>
> No. VPNs as normally defined are terrible authorization mechanisms: you
> are either inside, with all the authority, or outside, with none of the
> authority. To achieve pola, every individual entity should have access
> to exactly the least number of objects "inside" as they need, regardless
> of whether the user is "inside" or "outside". Of course, if every
> individual receives exactly pola authorities, it makes a mockery of the
> very concept of "inside" versus "outside". Inside and outside become
> particularly silly concepts for Alice, who needs access to 2 files inside
> Bob's firewall, and 1 web page and a database view inside Carol's firewall.
Not to mention that systems which rely solely on "perimeter defence", i.e.
protecting an inside from an outside, are extremely brittle. It often takes
only one vulnerability to completely bypass a perimeter defence system.
(This could be considered either a consequence of lack of POLA, or an
independent criticism, but either way it is devastating.)
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
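The difference between the two authorization models described in this thread can be made countable. The following is an added example, not code from either poster: it models a perimeter ("inside gets everything") scheme beside a designation-based scheme for Alice's stated needs, and computes how much excess authority each one hands out. The resource inventory behind Bob's and Carol's firewalls is constructed for the illustration; only Alice's four needed objects come from the post.

```python
"""Toy model of perimeter authorization versus per-object designation.

Constructed example: the inventories behind each firewall are hypothetical
and exist only so that the authority sets can be counted and compared.
"""

# Constructed inventory: everything that sits behind each firewall.
RESOURCES = {
    "bob":   {"file1", "file2", "payroll.db", "hr_wiki", "build_server"},
    "carol": {"webpage", "db_view", "admin_console", "backups"},
}

# Alice's actual task, as stated in the post: two files inside Bob's
# firewall, one web page and one database view inside Carol's.
ALICE_NEEDS = {
    ("bob", "file1"), ("bob", "file2"),
    ("carol", "webpage"), ("carol", "db_view"),
}


def perimeter_authority(networks_inside):
    """VPN / perimeter model: being 'inside' a network grants every object
    behind that network, whether or not the task requires it."""
    return {(net, obj) for net in networks_inside for obj in RESOURCES[net]}


def capability_authority(grants):
    """Designation model: authority is exactly the set of objects that were
    explicitly handed out, with no ambient 'inside' to inherit from."""
    return set(grants)


def needs_met(authority, needs):
    """True when every object the task requires is reachable."""
    return needs <= authority


def excess(authority, needs):
    """Objects reachable beyond the task: this is what a stolen credential
    or a single perimeter bypass inherits for free."""
    return authority - needs


def compare(needs=ALICE_NEEDS):
    """Return the blast-radius comparison for Alice under both models.

    Under the perimeter model Alice must be 'inside' both networks to do her
    job at all, and in exchange she (and anyone who compromises her) reaches
    every object behind both firewalls.
    """
    perimeter = perimeter_authority({"bob", "carol"})
    designated = capability_authority(needs)
    return {
        "perimeter_reach": len(perimeter),
        "perimeter_excess": len(excess(perimeter, needs)),
        "designated_reach": len(designated),
        "designated_excess": len(excess(designated, needs)),
        "both_meet_needs": needs_met(perimeter, needs) and needs_met(designated, needs),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Run as a script, the comparison shows the perimeter model reaching all nine constructed objects (five beyond Alice's needs) while the designation model reaches exactly the four she needs, with zero excess; both satisfy the task. Note also that being inside only Bob's network does not meet Alice's needs, which is the "inside versus outside" awkwardness Marc describes: the job spans two perimeters, so the perimeter model must enrol her in both.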