[cap-talk] Horton vs. ACLs - private namespaces and the Audit Problem
Jed Donnelley
capability at webstart.com
Thu Oct 11 01:50:52 EDT 2007
At 03:59 PM 10/10/2007, David Hopwood wrote:
>Karp, Alan H wrote:
> > MarkM wrote:
> >> Without asking us to wade through the text of these, can you provide
> >> us with any insight about how this could possibly be the case? How
> >> would one write an automated compliance predicate that could give a
> >> meaningful answer from such a low level trace of human-meaningless
> >> data? If the regulation is simply: "thou shalt record oodles of
> >> stuff", then I can see it. Otherwise, I can't imagine a compliance
> >> test that could be answered from these logs.
> >
> > Did Alan Karp access the file containing the upcoming quarterly results
> > during the quiet period in which he traded HP stock? While a response
> > of "no" is inconclusive, a "yes" lands Alan in a world of hurt.
> > Depending on what gets logged, you might only be able to ask if Alan had
> > permission to access the file. In this world, that makes Alan an
> > insider and is enough to get him in trouble.
>
>So if I have permission to the file, and authority to transfer that
>permission to Alan, I can frame Alan as an insider?
Using Horton you can delegate access to Alan, but you can't
make him access the delegated file. Of course you might
be able to induce him to access it by telling him it
was something that he would otherwise want to access.
This is true for ACLs also.
One difference between Horton and ACLs for this case
is that if you induce Alan to access the file after
a Horton delegation the access will still be labeled as
having been delegated from you. This may help Alan
defend himself.
--Jed http://www.webstart.com/jed-signature.html
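A small model, added here and not taken from the thread or from the Horton paper, of the logging difference Jed describes: a delegated reference carries its delegation chain, so an audit entry records the delegator as well as the accessor, and a compliance query can show that Alan's access came via someone else. The principals, file name, dates and log layout are constructed for the illustration; this is not Horton's actual protocol.

```python
# Simplified model of the audit property discussed in the thread: a
# delegated reference is labeled with the chain of principals it passed
# through, so an access log entry records who delegated as well as who
# accessed. Added illustration only, not Horton's protocol or any code
# from the thread; principals, file name and dates are constructed.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Ref:
    """A reference to a resource, labeled with its delegation chain."""
    resource: str
    chain: tuple  # principals the reference passed through, oldest first

def delegate(ref: Ref, to: str) -> Ref:
    # Delegation extends the chain; the receiver's later accesses are
    # still labeled as having come via the delegator.
    return Ref(ref.resource, ref.chain + (to,))

LOG = []  # constructed audit log: (date, accessor, resource, chain)

def access(ref: Ref, actor: str, when: date) -> None:
    # Horton-style entry: the actor plus the full labeled chain.
    # An ACL-style log would hold only (when, actor, resource).
    LOG.append((when, actor, ref.resource, ref.chain))

def accessed_during(actor, resource, start, end):
    """Compliance predicate: did actor touch resource within [start, end]?"""
    return [e for e in LOG
            if e[1] == actor and e[2] == resource and start <= e[0] <= end]

def delegators_of(entries):
    """For matching entries, who handed the reference down (chain minus accessor)."""
    return {tuple(p for p in e[3] if p != e[1]) for e in entries}

# Constructed scenario: Bob holds the results file, delegates it to Alan,
# and Alan reads it during the quiet period.
bob_ref = Ref("quarterly-results.txt", ("bob",))
alan_ref = delegate(bob_ref, "alan")
QUIET = (date(2007, 10, 1), date(2007, 10, 31))
access(bob_ref, "bob", date(2007, 10, 9))
access(alan_ref, "alan", date(2007, 10, 10))

def alan_report():
    """Number of Alan's in-period accesses and the delegation chains behind them."""
    hits = accessed_during("alan", "quarterly-results.txt", *QUIET)
    return len(hits), delegators_of(hits)
```

Under an ACL-style log only the first element of the report would be recoverable; the second is what lets Alan point back to the delegator.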