[cap-talk] Comprehensive Security Policies on Capability Systems
John Carlson
john.carlson3 at sbcglobal.net
Mon Jan 15 12:08:18 CST 2007
On Jan 15, 2007, at 9:24 AM, Neal H. Walfield wrote:
> At Mon, 15 Jan 2007 08:50:49 -0800,
> John Carlson wrote:
>>
>>> but how to use capabilities and
>>> these patterns to implement a more comprehensive security policy.
>>> Could anybody point me to some relevant exposés?
>>>
>> You mean like how to secure services such as a network file system?
>> Check out Jed's references. For this, you need some kind of PKI,
>> like GPG.
>
> That's a protection mechanism, not a security policy. I mean like how
> to use capability based security to implement something like Chinese
> Wall, MLS, RBAC, etc., or something which solves a similar problem,
> for instance, the power box and gift directories patterns can replace
> Unix style security.
The policy for capabilities is the Principle of Least Authority (I hope... I'm not quite sure of what a security policy is). That is, don't give someone a capability to what you don't want them to see.
By RBAC you mean role-based access control? For role-based access control, you would give a role a capability, and then give people a capability to the role (probably a facet, so they couldn't access the role's capability directly), I imagine. The capability to the role would be revocable, so you could remove the role from someone.
I just found out what Chinese Wall was. What I would do is separate the computer systems from each other. If this isn't possible, then I would employ encryption and secure the services. If someone gives someone else the key to the Chinese Wall (by Jed's design in section 13 of Managing Domains... I referenced in a previous email), you should be able to 1) figure out who you initially granted the capability to, by looking at the capability, and 2) figure out who tried to use the capability, by looking at the public key you have stored on your public key ring (that is, who signed the capability), so you know exactly who to fire. If the person isn't on your public key ring, you wouldn't give them access, and you would have to track back to their IP address etc. Each service could have its own public key ring.
As I said, people have the inalienable right to communicate capabilities. The idea would be to let them know the disadvantages to communicating them.
I think someone else can address MLS, eek.
John
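An added illustration of the RBAC sketch in the reply above, not code from the post or from any capability system it mentions: a Role object holds the capability to a resource and the subset of operations it confers, each person receives a revocable facet to the role rather than the role itself, and the grantor keeps the handle needed to cut that facet. The names Resource, Role, RevocableFacet and RoleAdmin, the "ledger" resource and the people alice, bob and carol are all assumptions constructed for this example.

```python
# Added example (not code from the cap-talk post): role-based access control
# assembled from capabilities. Resource, Role, RevocableFacet, RoleAdmin and
# the sample people/resource names are assumptions made for this illustration.


class Revoked(PermissionError):
    """Raised when a facet is used after its grantor revoked it."""


class Resource:
    """The protected object. A direct reference is the full capability, so
    only roles ever hold one; people never do."""

    def __init__(self, name):
        self.name = name
        self.audit = []  # every operation performed through this object

    def read(self):
        self.audit.append("read")
        return f"contents of {self.name}"

    def write(self, data):
        self.audit.append(f"write:{data}")
        return True


class Role:
    """Holds the role's capability to the resource plus the operations the
    role confers (attenuation). Nobody receives the Role object itself."""

    def __init__(self, name, resource, ops):
        self.name = name
        self._resource = resource  # the role's capability
        self.ops = frozenset(ops)

    def invoke(self, op, *args):
        if op not in self.ops:
            raise PermissionError(f"role {self.name!r} does not confer {op!r}")
        return getattr(self._resource, op)(*args)


class RevocableFacet:
    """What a person actually holds: a forwarder exposing only the role's
    operations, which the grantor can disconnect at any time."""

    def __init__(self, role):
        self._role = role

    def __getattr__(self, op):
        # Reached only for names not found on the facet itself, i.e. the
        # forwarded operations. Private names are never forwarded.
        if op.startswith("_"):
            raise AttributeError(op)
        role = self._role
        if role is None:
            raise Revoked(f"facet used for {op!r} after revocation")
        if op not in role.ops:
            raise AttributeError(f"this facet does not confer {op!r}")
        return lambda *args: role.invoke(op, *args)

    def _disconnect(self):
        self._role = None


class RoleAdmin:
    """Grants facets and remembers who holds which role, so one person's
    role can be removed without disturbing other holders or the role."""

    def __init__(self):
        self._grants = {}  # (person, role name) -> facet

    def grant(self, person, role):
        facet = RevocableFacet(role)
        self._grants[(person, role.name)] = facet
        return facet

    def revoke(self, person, role_name):
        self._grants.pop((person, role_name))._disconnect()

    def holders(self, role_name):
        return sorted(p for (p, r) in self._grants if r == role_name)


def demo():
    """Constructed scenario: a ledger, a read-only auditor role, a read/write
    clerk role and two people. Returns what each step produced."""
    ledger = Resource("ledger")
    auditor = Role("auditor", ledger, {"read"})
    clerk = Role("clerk", ledger, {"read", "write"})
    admin = RoleAdmin()
    out = {}

    alice = admin.grant("alice", clerk)
    bob = admin.grant("bob", auditor)
    out["alice_write"] = alice.write("entry 1")
    out["bob_read"] = bob.read()
    try:  # the auditor facet simply has no write operation to call
        bob.write("forged entry")
        out["bob_write_blocked"] = False
    except AttributeError:
        out["bob_write_blocked"] = True

    carol = alice  # capabilities can be passed on; carol now holds alice's facet
    out["carol_read"] = carol.read()

    # Removing the clerk role from alice also cuts carol, because the facet is
    # the revocation point; bob and the role itself are untouched.
    admin.revoke("alice", "clerk")
    try:
        carol.read()
        out["delegate_revoked"] = False
    except Revoked:
        out["delegate_revoked"] = True
    out["bob_still_reads"] = bob.read()
    out["clerk_holders"] = admin.holders("clerk")
    out["audit"] = list(ledger.audit)
    return out
```

Running demo() shows the two properties the post relies on: the auditor facet cannot write because that operation does not exist on it, and revoking alice's facet also cuts anyone she passed it to, while bob's access and the role's own capability to the ledger are unaffected. Python's leading-underscore names are only a convention, so a determined holder of a facet could still reach the underlying Role here; an object-capability language or kernel enforces that separation rather than relying on naming.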