[cap-talk] Fwd: [cors] TAG request concerning CORS & Next Step(s)
Dave Chizmadia - Gmail
davechiz at gmail.com
Fri Jun 26 18:17:36 EDT 2009
Adam,
You wrote:
> I find it helpful to think of security properties as falling
> into the categories confidentiality, integrity, and availability.
> This is not a particularly strong notion of confidentiality.
Lost in the distant past (either 1983 for TCSEC people or 2 years
ago for recent university grads) there was one more category
called "accountability". By all of your descriptions, this is an
exact fit for the concerns that you're expressing. The primary
motivation for accountability is the need to assign responsibility
for actions in the system.
As an alternative to the CORS Origin: proposal, both Sandro Magi
and myself have proposed variations on the reusable "secret"
token.
Rather than rehash what we've already proposed, I'll transliterate
the ideas into my interpretations of physical world equivalents.
Consider the case where Chic-Fil-A offers to pay my son's school
a percentage of each order placed by a person the school has
directed toward Chic-Fil-A. The "security" challenge is to
accurately account for the orders placed as a result of the
promotion.
As I understand it, the CORS approach seems to be equivalent to
a person placing an order stating that they wish the order to be
counted under the school promotion. This is very simple and the
checker will know what promotions are in effect and key in the
appropriate code to ensure that the school gets credit for the
sale. There is no intrinsic authentication of the claim - which
is fine for the school, but could cost Chic-Fil-A money if a
student is standing by the entry asking people to make that
statement.
The proposal by Sandro and me is the electronic equivalent of a
reproducible coupon to the limited time ("good until 10pm tonight")
or limited use ("first 500 orders from the school") promotion that
the school distributes to its students and teachers. By having a
slightly complex to create, but easy to copy identifier in the
coupon (a bar code on paper or a self-signing URI electronically),
you can get a relatively strong solution to the casual level of
accountability that you've been describing, since the school would
have to go to some trouble to copy and distribute the coupons.
My immediate questions are whether this is a realistic example
of the concerns you're trying to address with CORS, and whether it
is a fair projection of the CORS approach into a real-world example.
-DMC
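The two accounting models in the message above, as an added illustration that is not part of the original post or of either proposal on the list: the "state the promotion at the counter" model credits whatever promotion the order names, as long as that promotion exists, while the coupon model credits an order only if it carries a token the issuer signed, which has not passed its expiry and has not exhausted its use count. The HMAC-signed token, the `Register` class and the constructed secret and promotion names are assumptions made for this example; the point is only that the coupon's claims are verifiable at the register while the bare assertion is not.

```python
import base64
import hashlib
import hmac
import json

# Constructed issuer key for this example; a real issuer would keep this secret.
SECRET = b"issuer-key-constructed-for-this-example"


def issue_coupon(promotion, expires_at, max_uses, secret=SECRET):
    """Mint a self-validating coupon: base64 claims + HMAC-SHA256 tag.

    Anyone can copy the coupon (that is the "reproducible" property), but
    nobody without the key can mint a new one or change its claims.
    """
    claims = {"promo": promotion, "exp": expires_at, "max": max_uses}
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


class Register:
    """The checker at the counter: credits orders to promotions."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.uses = {}      # coupon -> orders already credited against it
        self.credited = {}  # promotion -> orders credited

    def _credit(self, promotion):
        self.credited[promotion] = self.credited.get(promotion, 0) + 1
        return "credited"

    def credit_by_claim(self, claimed_promo, known_promos):
        """Origin-style accounting: the order merely states a promotion.

        The only check is that the promotion exists, so any order can be
        counted under it; there is no evidence tying the order to the school.
        """
        if claimed_promo not in known_promos:
            return "unknown"
        return self._credit(claimed_promo)

    def redeem(self, coupon, now):
        """Coupon-style accounting: verify signature, expiry and use count."""
        try:
            payload, tag = coupon.split(".", 1)
        except ValueError:
            return "malformed"
        expected = hmac.new(self.secret, payload.encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so the tag check does not leak bytes.
        if not hmac.compare_digest(expected, tag):
            return "forged"
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if now > claims["exp"]:          # "good until 10pm tonight"
            return "expired"
        if self.uses.get(coupon, 0) >= claims["max"]:  # "first N orders"
            return "exhausted"
        self.uses[coupon] = self.uses.get(coupon, 0) + 1
        return self._credit(claims["promo"])


if __name__ == "__main__":
    reg = Register()
    coupon = issue_coupon("school", expires_at=2200, max_uses=2)
    for t in (1900, 2000, 2100, 2300):
        print(t, reg.redeem(coupon, now=t))
    print("bare claim:", reg.credit_by_claim("school", {"school"}))
    print("credited:", reg.credited)
```

The expiry is carried inside the coupon and needs no state at the register, but the use limit can only be enforced if the register remembers how many times each coupon has been redeemed; a copied coupon shares that counter, which is exactly the limited-use semantics of the paper coupon.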