[cap-talk] A paper on web-keys - discretionary control

Jed Donnelley jed at nersc.gov
Fri Jan 18 17:24:14 EST 2008


On 1/18/2008 9:37 AM, Karp, Alan H wrote:
> James A. Donald wrote:
>> In an actually useful implementation, one that takes
>> advantage of the ways in which capabilities differ from
>> ACLs, rather than trying to implement ACLs in
>> capabilities, capabilities *will* result in
>> administrators losing control - and end users gaining
>> control.
>>
> Two points.  First, the control the administrators
> think they have is illusory because they are considering
> permission, not authority.  When delegation is difficult,
> users share their credentials.  Second, there are times
> when the user doesn't know whether or not the delegation
> would violate policy.  In that case, we'd like a mechanism
> that will enforce policy if the user cooperates.  Jed
> described such an approach using Horton.

I agree with both of the above paragraphs.

However, let me mention that in today's market
leading systems (Unix, Windows), most (nearly
all?) management of access control is already
discretionary - already exercised by end users.
While it's true that in systems like Unix the
means to manage groups is not available to
end users (gag!), still end users have ultimate
discretionary control over delegation (e.g.
world R/W/X).

I mention this to suggest that administrators
today have very little control over access
control decisions to begin with.  Of course
this is an important reason why efforts like
SE-Linux persist (to the detriment of all in
my opinion), but even then the bulk of the
access control decisions are managed by
end users - if for no other reason than
that it is entirely impractical to have
administrators make all such local decisions.

I'd also like to reinforce Alan's second point
above.  A mechanism like Horton that injects
an identity-based Policy Decision Point into capability
communication "tunnels" is not 'just' implementing
ACLs in capabilities.  It's not because:

1.  All access control actions are delegations
in the capability sense - even those that go
through Horton tunnels.  All such actions
assume the best POLA that is available at the
local decision points.  There is no ambient
sharing of authority (e.g. ID/ACL based).

and:

2.  The policy enforcement decisions that are
made in the PDPs in modules like Horton are
assumed to be minimal bulk enforcements (e.g.
MLS violation, company-sensitive violation,
etc.) that happen seldom, either in the sense
of Voluntary Oblivious Compliance (when other
communication of delegation means are available)
or Mandatory Access Control (when other
communication of delegation means are not
available).

If policy based blocking of delegation happened
often in a system using a Horton-like mechanism,
the system would break down much like what happens
in dynamic SE-Linux systems.  I hope and expect
that voluntary means of preventing policy
violations will carry the bulk of the load
and that it will only be occasional inadvertent
delegation in violation of policy or retroactive
authority revocation resulting from changing
conditions that the Horton PDP catches. E.g.
Bob asked for this document and I need him to
have access for the project we share, but it seems
the document is secret and Bob's clearance is only
confidential.  Hmmm.  What do I do now?

I expect such situations to arise rarely.  We
won't know until we get there.

--Jed  http://www.webstart.com/jed/
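Added illustration of points 1 and 2 above and of the closing Bob example; this is a toy model written for this page, not Horton's own protocol or code. It assumes a three-level MLS lattice, and the names Alice, Bob, Carol and "project-plan" are constructed. Delegation is capability-style (the sender must already hold the capability, there is no ambient ID/ACL authority), the PDP in the tunnel vetoes only an MLS violation, and access itself is a plain capability invocation with no identity lookup.

```python
# Added illustration, not Horton's own protocol or code: a capability
# delegation whose "tunnel" passes through a policy decision point (PDP).
from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}  # constructed MLS lattice

@dataclass(frozen=True)
class Capability:
    """Unforgeable reference; holding it is the only way to invoke the resource."""
    resource: str
    level: str  # classification label of the resource

@dataclass
class Principal:
    name: str
    clearance: str
    held: dict = field(default_factory=dict)  # capabilities this principal holds

def pdp_allows(cap: Capability, receiver: Principal) -> bool:
    """PDP: vetoes only the (hopefully rare) MLS violation."""
    return LEVELS[receiver.clearance] >= LEVELS[cap.level]

def delegate(sender: Principal, cap_name: str, receiver: Principal, log: list) -> bool:
    """Delegation in the capability sense: the sender must already hold the
    capability (no ambient ID/ACL authority); the PDP in the tunnel may veto."""
    cap = sender.held.get(cap_name)
    if cap is None:
        raise PermissionError(f"{sender.name} does not hold {cap_name}")
    if not pdp_allows(cap, receiver):
        log.append(f"PDP blocked {sender.name}->{receiver.name}: {cap.resource} "
                   f"is {cap.level}, clearance is {receiver.clearance}")
        return False
    receiver.held[cap_name] = cap
    return True

def invoke(p: Principal, cap_name: str) -> str:
    """Access itself is a plain capability invocation; no identity lookup here."""
    return f"{p.name} read {p.held[cap_name].resource}"

def scenario():
    """Jed's closing example: a secret document offered to Bob (confidential)."""
    alice = Principal("Alice", "secret", {"doc": Capability("project-plan", "secret")})
    bob, carol = Principal("Bob", "confidential"), Principal("Carol", "secret")
    log = []
    ok_bob = delegate(alice, "doc", bob, log)      # blocked by the PDP
    ok_carol = delegate(alice, "doc", carol, log)  # ordinary delegation, passes
    return ok_bob, ok_carol, log, invoke(carol, "doc")
```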