[cap-talk] Mandatory Access Control (was: What's "Discretionary Security")
Jed Donnelley
capability at webstart.com
Wed Jan 3 03:05:19 CST 2007
At 12:42 AM 1/3/2007, Jonathan S. Shapiro wrote:
>On Tue, 2007-01-02 at 20:22 -0800, David Wagner wrote:
> > By the way, I would caution folks against thinking that the Rainbow
> > series are definitive texts on computer security, or that they are a good
> > reflection of modern thinking and conventional wisdom about computer
> > security.
>
>Actually, this was true even when they were written. The Rainbow Series
>was authored in the spirit of capturing existing best practices. It was
>not an attempt to cohesively organize the area. A cohesive treatment was
>the goal of the "Federal Criteria" project, which was started
>afterwards.
>
>Unfortunately, the Federal Criteria effort was halted when the US
>decided to join the Common Criteria effort (which *also* is not an
>attempt at a cohesive treatment). This is a source of deep frustration
>to many of the people who were involved in the Federal Criteria effort.
>
>So: the Rainbow Series is at best a capture of best practices. It is not
>a definitive look at computer security, and never was.
I referred to the Rainbow "Technical Rational" article:
http://csrc.nist.gov/secpubs/rainbow/std004.txt
because that's what the Wikipedia article:
http://en.wikipedia.org/wiki/Mandatory_access_control
refers to. I'd be delighted if somebody could point to some coherent
definition of "Mandatory Access Control" so we didn't have to struggle
with it on the list. It would be even better if such a definition were
commonly accepted, but even coherence would be a big step forward IMHO.
--Jed http://www.webstart.com/jed-signature.html
More information about the cap-talk
mailing list