[cap-talk] Bee Eyes (was: "ACLs don't" paper rejected from Oakland 09)
Mark Miller
erights at gmail.com
Mon Feb 2 14:00:02 EST 2009
On Mon, Feb 2, 2009 at 10:39 AM, Karp, Alan H <alan.karp at hp.com> wrote:
> We have proposed something similar for the Navy to support Risk Adaptive
> Access Control (RADAC) with ZBAC. The user's identity, or more likely set
> of attributes, is used to make a context dependent decision on whether or
> not to honor the capability. For example, the capability will be honored
> unless we're at war with Canada and the submitter is a Canadian. It's
> important that the NBAC check be used only to reduce the rights carried in
> the capability, or you can get a confused deputy.
>
If you use the NBAC (autheNtication-Based Access Control) check to reduce
rights, whether by ACLs or Horton, you can still get a confused deputy.
However, in a hybrid system, you have two knobs to turn: 1) of the authority
at stake, to what extent are you protecting it using ZBAC
(authoriZation-Based Access Control) vs NBAC? And 2) for the NBAC portion,
is it Horton-like or ACL-like?

Current systems can be modelled as hybrids with the knobs set all the way to
NBAC, and using ACLs for their NBAC, and so have all the problems we like to
talk about on this list.

Ocap systems can be modelled as hybrids in which we do not use ACL checks at
all -- setting knob #2 to Horton. Ocap best practice can further be modelled
by setting knob #1 to only using Horton's NBAC check for reactive control in
emergency situations, like war with Canada, but otherwise trying to stay
safe using only proactive ZBAC controls.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
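
A minimal sketch of the reduce-only hybrid check discussed in this thread, where rights come from the capability and a context-dependent attribute check can only withhold them. This is an added example, not code from either poster or from any RADAC or Horton implementation; every name in it (`Capability`, `Context`, `wartime_restriction`, `invoke`) and the sample data are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    """ZBAC side: holding this object is the authorization (hypothetical model)."""
    resource: str
    rights: frozenset


@dataclass(frozen=True)
class Context:
    """Risk context consulted by the NBAC check (constructed for this example)."""
    at_war_with: frozenset = frozenset()


def wartime_restriction(attrs, ctx, cap):
    """NBAC side: return the rights to WITHHOLD for this submitter, never rights to add."""
    if attrs.get("nationality") in ctx.at_war_with:
        return cap.rights      # emergency: honor nothing carried by the capability
    return frozenset()         # normal case: capability honored as issued


def effective_rights(cap, attrs, ctx, restriction=wartime_restriction):
    """Rights originate only in the capability; the attribute check can only subtract."""
    if cap is None:
        return frozenset()     # attributes alone grant nothing
    return cap.rights - restriction(attrs, ctx, cap)


def invoke(cap, op, attrs, ctx):
    """Return True if the requested operation is honored."""
    return op in effective_rights(cap, attrs, ctx)


if __name__ == "__main__":
    # Constructed sample data: one capability, two submitters, two contexts.
    cap = Capability("chart-42", frozenset({"read", "annotate"}))
    peace, war = Context(), Context(frozenset({"CA"}))
    for attrs in ({"nationality": "US"}, {"nationality": "CA"}):
        for ctx in (peace, war):
            print(attrs, sorted(ctx.at_war_with),
                  sorted(effective_rights(cap, attrs, ctx)))
```
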