[cap-talk] Capabilities - the rub, an account
Karp, Alan H
alan.karp at hp.com
Sat Nov 25 22:01:51 CST 2006
Rob J Meijer wrote:
> If you can get the issue of accountability and incident response
> into the users way of thinking (what should not be that hard an
> abstraction to get used to), you could be reasonably sure
> that the user
> "will not" pass rights unexplicitly.
Unexplained or inadvertant passing of capabilities is not the only
issue. How is a user to know whether or not policy permits a particular
capability to be passed? Since that user could always proxy, any such
mechanism must be Voluntary. However, requiring every one to know all
the rules all the time is asking too much. Hence, any mechanism should
allow users to be Oblivious of the rules. Of course, the bottom line is
Compliance with policy. Voluntary Oblivious Compliance.
I believe that the goal of having sysadmins control changes of
permissions is to achieve VOC. It may work, but it's a clumsy tool.
It's so clumsy that people find workarounds, such as sharing passwords,
that are far worse than the problems it solves.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
More information about the cap-talk