[cap-talk] VOC <-> DAC distinction (was: RE: In defense of P-1935)
Jed Donnelley
capability at webstart.com
Sat Feb 2 18:00:21 EST 2008
<posted to cap-talk to share discussion of this
distinction between Voluntary Oblivious Compliance,
VOC, and traditional Discretionary Access Control,
DAC - I hope that's OK Alan>
At 01:22 PM 2/2/2008, Karp, Alan H wrote:
>Jed wrote:
> >
> > I even believe that such inserted Policy
> > Decision Points (PDPs) can be used to support
> > both discretionary access control (if other
> > communication channels are available - Alan
> > Karp refers to this situation as "Voluntary
> > Oblivious Compliance") or for mandatory
> > access control (if the only available
> > channels go through the PDPs).
>
>One minor point is that VOC is distinct from DAC. DAC depends on
>the fact that you won't delegate if doing so would break the
>rules. VOC allows you to try to delegate but the delegation will
>fail if allowing it would break the rules. VOC is like MAC in that
>regard, but it depends on you using only approved mechanisms. Most
>ACL systems are VOC, not MAC, at least when we're talking about people.
As this seems to be a private message (I guess just
a response to my cc'ing you on the Huskamp/Gligor note),
I'll respond just to say I believe I understand the
distinction you're making.
Also in the "minor" category, regarding a definition
of DAC, e.g. as per Wikipedia:
_____________
In computer security, discretionary access control (DAC) is a kind of
access control defined by the Trusted Computer System Evaluation
Criteria[1] as "a means of restricting access to objects based on the
identity of subjects and/or groups to which they belong. The controls
are discretionary in the sense that a subject with a certain access
permission is capable of passing that permission (perhaps indirectly)
on to any other subject (unless restrained by mandatory access control)".
_____________
It seems to me this definition of DAC covers
VOC. I agree and fully support the notion
that VOC adds value beyond traditional DAC
(e.g. with ACLs) by permitting an effort to
be made to delegate (I need to do just this
POLA delegation, what about it? e.g. through
a Horton tunnel) that can then be blocked by
a PDP if appropriate. Since it's VOC, if
the subject gets a negative (nope, that
delegation would violate the delegation
policy that is supported through this PDP),
the subject would have the option of going
beyond the VOC delegation mechanism -
however much trouble and/or contravening
of organization policy that might require.
Maybe you have a definition of DAC that
excludes VOC? To me it has always seemed
that VOC is a value-added subset of DAC.
--Jed http://www.webstart.com/jed-signature.html
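A small executable model of the three regimes Alan and Jed distinguish above, added here as an illustration of the message rather than code from either of them, from Horton, or from any cap-talk project. It models an "approved" delegation mechanism with an inserted PDP, plus an out-of-band channel that exists only where the PDP does not sit on every path. The PDP's "same organization, no rights escalation" policy, the subject and resource names, and the mail-like side channel are all assumptions chosen for the example.

```python
"""Toy model of DAC vs. VOC vs. MAC delegation through an inserted PDP.

Constructed illustration; the policy below is an assumption, not Horton's.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Capability:
    resource: str
    rights: frozenset


@dataclass
class Subject:
    name: str
    org: str                              # label the assumed policy keys on
    caps: set = field(default_factory=set)


class DelegationDenied(Exception):
    """The approved delegation mechanism refused the transfer."""


class NoSideChannel(Exception):
    """No channel exists that bypasses the PDP (the MAC case)."""


class PDP:
    """Policy Decision Point inserted into the delegation path.

    Assumed policy: a capability may be passed only to a subject in the
    same organization, and only with rights the giver actually holds
    (so a POLA-style attenuated delegation is fine, escalation is not).
    """

    def permit(self, giver: Subject, receiver: Subject, cap: Capability) -> bool:
        held = [c for c in giver.caps if c.resource == cap.resource]
        has_rights = any(cap.rights <= c.rights for c in held)
        return has_rights and giver.org == receiver.org


class World:
    """A system running in one of three regimes: 'DAC', 'VOC' or 'MAC'."""

    def __init__(self, mode: str):
        assert mode in ("DAC", "VOC", "MAC")
        self.mode = mode
        self.pdp = PDP()

    def delegate(self, giver: Subject, receiver: Subject, cap: Capability) -> None:
        """The approved mechanism. Under DAC it never consults the PDP:
        not breaking the rules is left to the giver. Under VOC and MAC
        the PDP sits in the path and may refuse."""
        if self.mode != "DAC" and not self.pdp.permit(giver, receiver, cap):
            raise DelegationDenied(f"{giver.name} -> {receiver.name}: {cap}")
        receiver.caps.add(cap)

    def side_channel(self, giver: Subject, receiver: Subject, cap: Capability) -> None:
        """An unapproved channel (assume: pasting the capability into mail).
        It exists under DAC and VOC; under MAC every channel goes through
        the PDP, so there is nothing to bypass with."""
        if self.mode == "MAC":
            raise NoSideChannel(self.mode)
        receiver.caps.add(cap)


def attempt(mode: str) -> dict:
    """Try a cross-organization, read-only (attenuated) delegation under
    `mode`, falling back to the side channel if the mechanism refuses."""
    world = World(mode)
    alice = Subject("alice", "research",
                    {Capability("/data/report", frozenset({"read", "write"}))})
    bob = Subject("bob", "sales")                   # different org: policy says no
    read_only = Capability("/data/report", frozenset({"read"}))
    outcome = {"mechanism": None, "side_channel": None, "bob_has_cap": False}
    try:
        world.delegate(alice, bob, read_only)
        outcome["mechanism"] = "accepted"
    except DelegationDenied:
        outcome["mechanism"] = "denied"
        try:
            world.side_channel(alice, bob, read_only)
            outcome["side_channel"] = "used"
        except NoSideChannel:
            outcome["side_channel"] = "none"
    outcome["bob_has_cap"] = read_only in bob.caps
    return outcome


if __name__ == "__main__":
    for mode in ("DAC", "VOC", "MAC"):
        print(mode, attempt(mode))
```

Running it shows the three outcomes Alan's note describes: under DAC the mechanism hands the capability over and relies on Alice to know she should not; under VOC the mechanism refuses but Alice can still go around it; under MAC the refusal is final because no other channel exists. Within one organization the PDP lets the attenuated delegation through, which is the "value added" Jed refers to.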