[cap-talk] Any hope in RSA 2008?

Jed Donnelley jed at nersc.gov
Wed Apr 2 18:59:34 EDT 2008


On 4/2/2008 3:17 PM, Karp, Alan H wrote:
...
> You missed one, "Solving the Transitive Access Problem for SOA", Alan Karp...

Oops.  Sorry about that:

Solving the Transitive Access Problem for SOA
Alan Karp | Principal Scientist, Hewlett-Packard

Managing the access rights of an indirect service request
has been found to be an insurmountable problem in SOA
implementations. Problems can arise due to poor choice of
an access control model. Solutions based on user identity, role
or attributes cannot work for some common access patterns.
This presentation will show that using explicit authorizations
makes the solution straightforward.

I guess that is a measure of my miss rate while scanning.
It does get a bit tiresome.

> I recommend that anyone on this list with a low boiling point
> stay away from the SOA and identity management talks at the
> conference.  The amount of nonsense spouted as best practice
> boggles the mind.

It isn't just those areas.  The whole thrust of the conference
(mostly intrusion detection and configuration management on
the technology side) seems to suggest pursuing nonsense as
solutions - though whether these directions should be considered
"best practices" I can't say.  Sadly, a conference like this
and the earlier Usenix Security Conference that I attended
give me little hope for improvement on the computer security
front.

I think we all (except perhaps for the computer security professionals?)
know what we'd like.  To be able to stand up systems that perform
functionally and not have to worry about attacks adversely affecting
them.  To have the intent of computer security (e.g. as seen through
user interfaces) match its reality.  It seems quite unfortunate to
me that so much capital is being "wasted" in fighting fires and pursuing
ineffective defensive strategies in this area.

Regarding:

> Go to the crypto sessions.  At least what's presented there makes sense.

, there does seem to be some work in that area that can be positive
and result at least in some progress.  There the technical problems
are fairly clear and the efficacy of solutions can be better measured.

Thanks for the note Alan.

--Jed  http://www.webstart.com/jed/
