[cap-talk] Bill Frantz HP challenge (was: Re: [Confused deputies in hybrid systems (was: Loss of control))
Bill Frantz
frantz at pwpconsult.com
Tue Feb 5 01:16:13 EST 2008
jed at nersc.gov (Jed Donnelley) on Monday, February 4, 2008 wrote:
>On 2/4/2008 4:51 PM, Bill Frantz wrote:
>> This thread is generating more confusion than light in my mind. So,
>> let me go back to a simple example, based in Alan's example of the
>> HP financials leaking early.
>>
>> Assume the HP financial data is kept on an internal web server and
>> accessed through a web interface with a YURL. (In the real
>> situation, it was kept in a spreadsheet and passed around as an
>> email attachment. Thus it easily went outside HP.) The security
>> policy says, "No access to this data by non-authorized people or
>> from outside HP." The authorized people are given the YURL, and the
>> firewall keeps people from accessing the server when they are
>> outside.
>
>Let me ask a couple of questions about the ground rules.
>
>Where does the no access "from outside HP" requirement come
>from?
For the sake of this challenge, it is a requirement that came down
from the legal department to protect HP's interests in not
pre-announcing financial information. It is probably worth
discussing whether location based security policies serve any useful
function, but if we discuss them, please do it in a different
thread.
>For that matter, what does it mean no access "outside HP"?
The data can only be accessed if the end-point of the access is on an
HP network. The policy is enforced by technical means as much as
possible, which today means a firewall. For circumventions of the
firewall, administrative sanctions may be imposed. If there is a
better way, with different technology, that would be of interest.
>That said, let me address:
>
>> If we wanted to enforce this policy without using anything like the
>> firewall, just using capabilities, what would we do?
>
>First I should note that what you've started as an implementation
>(pass around YURLs) is already fraught with problems. How do I
>know if I can re-delegate a YURL that I have? Consult a list?
>Where is the VOC policy support?
Probably in this case, you would be told that you need
administrative approval to delegate, ignoring the need to delegate
to the browser to actually use the YURL. The administrative
procedure would apply the VOC policy. There might also be a way to
delegate to someone who also has the same authority à la the "you can
have it if you can show you already have it" mechanism MarkM
described. (This mechanism needs to be updated for Horton to show
the correct who for responsibility purposes. Which who should be
responsible is not at all clear to me.)
>I'm sure people are going to think I have Horton on the
>brain when I propose a Horton based solution, and they
>would be right. For me Horton puts exactly what is needed,
>namely knowledge of "who" is responsible for which actions,
>into capability systems.
>
>So the basis of the solution is that people communicate
>to other people (programs run by other people, people
>or programs outside HP, etc.) through Horton tunnels.
>We have to label the data accessed by the YURL as
>something that can be associated with the authorized
>people, e.g. board-only. The people authorized are
>those on the board.
>
>Then the solution is obvious. The Horton policy mechanism
>(much like the MLS proposal I described:
>
>http://www.eros-os.org/pipermail/cap-talk/2008-February/009758.html
>
>) blocks access by anybody not on the "board" list
>(authorized) to the data labeled as "board only".
>Delegations can of course still happen, but they must
>be through Horton tunnels. If I want to send an email
>to a colleague with this YURL I have to do it through
>a Horton tunnel. The capability she receives isn't
>the one that I sent. It has been relabeled as having
>been delegated to her (or her outside HP, see below).
It sounds like this mechanism needs some form of confinement so the
YURLs go through the Horton tunnel. One possibility is a VOC
system. We do still have the problem of the authorized person who
took his laptop home and should not be able to access the data from
home, but hasn't even copied the YURL, much less delegated it.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz | gets() remains as a monument | Periwinkle
(408)356-8506 | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns. | Los Gatos, CA 95032
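A toy model of the labelled-capability policy Jed sketches above, written as an added example for this page (it is not Horton's code or anything from the original thread); the board list, principal names, labels and function names are constructed assumptions. It records the delegation chain so the "which who is responsible" question is visible, and keeps the location test separate to show that the label mechanism alone does not cover Bill's laptop-at-home case.

```python
"""Toy model (added for this page, not Horton's or HP's code) of the policy
mechanism described in the reply: data labelled "board-only", an authorized
list, and delegation that relabels the capability with the recipient's
identity. All names and values below are assumptions made for the example."""
from dataclasses import dataclass

BOARD = frozenset({"alice", "bob"})   # constructed "board" (authorized) list


@dataclass(frozen=True)
class Capability:
    resource: str     # what the YURL designates
    label: str        # data classification, e.g. "board-only"
    chain: tuple      # principals it has passed through; last entry = holder


def delegate(cap, recipient):
    """Delegation through a tunnel: the recipient receives a *new* capability
    marked as delegated to them; the sender's own copy is unchanged."""
    return Capability(cap.resource, cap.label, cap.chain + (recipient,))


def policy_allows(cap, inside_hp):
    """Server-side check. For board-only data the current holder (the last
    'who' in the chain) must be on the board. inside_hp stands in for the
    firewall's location rule, a predicate the 'who' label cannot express."""
    holder = cap.chain[-1]
    if cap.label == "board-only" and holder not in BOARD:
        return False
    return inside_hp


def responsible_parties(cap):
    """Everyone in the delegation chain, for audit. Which 'who' is actually
    at fault is a policy question the post leaves open, so return them all."""
    return cap.chain


def demo():
    original = Capability("hp-financials", "board-only", ("alice",))
    to_bob = delegate(original, "bob")       # board member: still allowed
    to_carol = delegate(to_bob, "carol")     # not on the board: blocked
    return {
        "alice_inside": policy_allows(original, True),
        "bob_inside": policy_allows(to_bob, True),
        "carol_inside": policy_allows(to_carol, True),
        "alice_at_home": policy_allows(original, False),  # label can't catch this alone
        "carol_chain": responsible_parties(to_carol),
    }
```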