[cap-talk] Trust and the Orange Book
Jed Donnelley
jed at nersc.gov
Tue Jan 15 20:46:48 EST 2008
On 1/15/2008 5:17 PM, Marc Stiegler wrote:
> Another problem with this approach is the rather fantastical
> presumption that the central administration with control of access
> rights, typically a person in an IT bureaucracy, has information even
> as good as Alice about the appropriateness of the grant of access.
>
> For the sake of the IT folks, so that they may have jobs defined in
> such a fashion that they may perform those jobs competently, they must
> be allowed to relieve themselves of the burden of making decisions for
> which they are ignorant of all the crucial facts on-the-ground.
>
> The head of a joint HP-Intel project has the knowledge to set up
> access control on HP resources for Intel project members; the IT folk
> do not. So the head of that project must be able to delegate access
> control to someone else who has as many facts as he has (another
> member of the project team) since the project head has too many other
> burdens to be spending his days fiddling with access control (either
> acls or obj-caps).
>
> As Alan says, a VOC solution is left as an exercise for the reader.

As you may see in my response to Alan's message, I argue
that the Horton mechanism can be used to provide the needed
VOC solution. That is, Horton can allow discretionary
delegations within a policy framework of Voluntary
Oblivious Compliance 'enforced' through Horton
policy modules (and audited, tracked, etc. through
Horton - matching Horton IDs with whatever labels
are on the resources that should be "controlled").
I'll be interested to hear what might be missing from
such a solution.
--Jed http://www.webstart.com/jed/