[cap-talk] Bill Frantz HP challenge (was: Re: [Confused deputies in hybrid systems (was: Loss of control))

Bill Frantz frantz at pwpconsult.com
Thu Feb 7 17:50:09 EST 2008


I'm mixing two threads on the same subject.  And sorry, I'm still
trying to catch up with this list.  (And am silent since I don't
like to post unless caught up.  But I'm making an exception with
this post.)

alan.karp at hp.com (Karp, Alan H) on Tuesday, February 5, 2008 wrote:

>Bill Frantz wrote:
>>
>> If we wanted to enforce this policy without using anything like the
>> firewall, just using capabilities, what would we do?  We need to
>> construct some structure of capabilities to define what is outside
>> and what is inside.
>>
>The statement of the problem implies that there is a way to distinguish "inside" from "outside".  Why 
>not just put a membrane around "inside" and never accept an "inside" capability that came from 
>"outside"?

A membrane is a fine structure of capabilities.  Can we build a
membrane for YURLs?


capability at webstart.com (Jed Donnelley) on Wednesday, February 6, 2008 wrote:

>At 02:46 PM 2/5/2008, Karp, Alan H wrote:
>>Jed wrote:
>> >
>> > I think the difficulty with this situation is that the only
>> > place there is information about where this communication is
>> > coming from is in the firewall.  To deal with this I suggest
>> > a forwarding service.  The main service is simply not available
>> > for access directly from outside the firewall.  It only accepts
>> > "outside" requests from the forwarding service.  The forwarding
>> > service does the delegation from an inside identity to the
>> > corresponding "outside" identity.  When this request gets
>> > forwarded to the inside server, it has the information that
>> > it needs to enforce its policy (inside or outside).
>> >
>>Or you could just VPN in and be logically inside the firewall.
>
>I think the issue (correct me if I'm wrong BillF) is that
>Bill wants (his policy says) that connections from outside
>the corporate network should be refused for these sensitive
>objects.  I think by that he means that if you VPN in then
>your connection should be refused - right Bill?  The difficulty
>that I see is distinguishing VPN from other "inside" connections.

I admit that I don't know how HP management is likely to answer this
question.  It seems reasonable to have a policy that the data is
only accessed from inside the HP campuses to minimize the dangers of
shoulder surfing.  On the other hand, HP may consider users coming
in through a VPN as "inside".  There also may be a mixed mode where
only the VPN connections from other HP campuses are considered
"inside".

With Jed's suggestion, we would (or would not) make the service
available to the appropriate VPN end points.  In the case where the
service is not available, the VPN end points would have the job of
vetting YURLs given them against the location policy, or we are back
to something that looks a lot like a firewall that keeps the end
points from sending packets to the HTTPS server for the YURLs.

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        |"We used to quip that "password" is the most common
408-356-8506       | password. Now it's 'password1.' Who said users haven't
www.periwinkle.com | learned anything about security?" -- Bruce Schneier
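An added example, not code from this thread or from any HP or YURL system, of the membrane Alan Karp suggests and of the origin information Jed's forwarding service is meant to supply. Every reference handed across the membrane is wrapped in a proxy, every call that crosses it is marked as an "outside" call for as long as it runs inside, and a sensitive inside object refuses outside-origin calls even when the capability reaches it through an inside deputy. The names (makeMembrane, buildInside, payroll, directory, deputy) and the sample payroll value are invented for illustration; the model is single-threaded and in-process, so "origin" here is a dynamically scoped flag, the in-memory analogue of what a forwarding service would have to carry across the network. It does not settle the VPN question, which the post leaves as policy.

```javascript
// Added example (not from the cap-talk thread): an object-capability
// membrane that marks calls crossing it as "outside" so that inside
// objects can enforce an inside-only policy. All names are invented.

function isRef(v) {
  return (typeof v === "object" && v !== null) || typeof v === "function";
}

// makeMembrane builds the inside world via buildInside(origin), where
// origin() reports "inside" or "outside" for the call now executing.
function makeMembrane(buildInside) {
  let revoked = false;
  let currentOrigin = "inside";
  const outOf = new WeakMap(); // inside reference -> its outside proxy
  const inOf = new WeakMap();  // outside proxy -> inside reference
  const origin = () => currentOrigin;

  // Inside references handed outward are always wrapped, and always with
  // the same proxy, so outside holders can compare capabilities but never
  // touch the raw inside object.
  function wrapOut(v) {
    if (!isRef(v) || inOf.has(v)) return v;
    let p = outOf.get(v);
    if (!p) {
      p = new Proxy(v, handler);
      outOf.set(v, p);
      inOf.set(p, v);
    }
    return p;
  }

  // A proxy we issued maps back to the inside reference; anything else
  // arriving from outside is foreign and is passed through untouched.
  function unwrapIn(v) {
    return isRef(v) && inOf.has(v) ? inOf.get(v) : v;
  }

  const handler = {
    get(target, prop) {
      if (revoked) throw new Error("refused: membrane revoked");
      return wrapOut(Reflect.get(target, prop));
    },
    apply(target, thisArg, args) {
      if (revoked) throw new Error("refused: membrane revoked");
      const saved = currentOrigin;
      currentOrigin = "outside"; // any call through the membrane is an outside call
      try {
        return wrapOut(Reflect.apply(target, unwrapIn(thisArg), args.map(unwrapIn)));
      } finally {
        currentOrigin = saved;   // restored when control leaves the inside again
      }
    },
  };

  const inside = buildInside(origin);
  return { inside, outside: wrapOut(inside), revoke: () => { revoked = true; } };
}

// Inside world: a sensitive object with an inside-only policy, a directory
// that hands out references to it, and a deputy that acts on whatever
// capability it is given (the confused-deputy shape from the thread title).
function buildInside(origin) {
  const payroll = {
    read() {
      if (origin() !== "inside") throw new Error("refused: outside origin");
      return "payroll-2008"; // constructed sample data
    },
  };
  const directory = {
    lookup(name) { return name === "payroll" ? payroll : undefined; },
  };
  const deputy = {
    readFor(cap) { return cap.read(); }, // no policy of its own
  };
  return { payroll, directory, deputy };
}

// attempt runs fn and reports either its value or the refusal message.
function attempt(fn) {
  try { return { ok: true, value: fn() }; }
  catch (e) { return { ok: false, error: e.message }; }
}

// demo walks the scenarios from the thread and returns their outcomes.
function demo() {
  const m = makeMembrane(buildInside);
  const outsideCap = m.outside.directory.lookup("payroll");
  const result = {
    insideRead: attempt(() => m.inside.payroll.read()),
    outsideHoldsProxy: outsideCap !== m.inside.payroll,
    sameProxyEachTime: outsideCap === m.outside.directory.lookup("payroll"),
    outsideRead: attempt(() => outsideCap.read()),
    // the capability goes back in through the membrane to an inside deputy
    deputyFromOutside: attempt(() => m.outside.deputy.readFor(outsideCap)),
    deputyFromInside: attempt(() => m.inside.deputy.readFor(m.inside.payroll)),
  };
  m.revoke();
  result.afterRevoke = attempt(() => m.outside.directory.lookup("payroll"));
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
```

The deputy case is the one worth staring at: the outside holder passes its proxy back in, the membrane unwraps it to the real payroll object, and the deputy calls it in good faith, yet the read is still refused because the origin flag was set when control crossed the membrane and stays set until it crosses back. A membrane that merely wrapped references without recording the crossing would let the deputy be confused.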