[cap-talk] VOC <-> DAC distinction (was: RE: In defense of P-1935)

Karp, Alan H alan.karp at hp.com
Sat Feb 2 18:30:22 EST 2008


Jed wrote:
>
> Maybe you have a definition of DAC that
> excludes VOC?  To me it has always seemed
> that VOC is a value added subset of DAC.
>
In DAC the transfer of rights is allowed "unless restrained by mandatory access control".  VOC recognizes that we might be working with unconstrained subjects so there are no mandatory controls.  Basically, VOC says "Use the approved mechanism, and you won't accidentally violate policy."  DAC with MAC restrictions says "There is only the approved mechanism."  DAC without MAC says "You need to know the policy to avoid violating it."

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp



