[cap-talk] A useful strategy
Karp, Alan H
alan.karp at hp.com
Wed Sep 30 10:51:49 PDT 2009
I've been participating in the US DoD Privilege Management Tiger Team (PvMTT). (Don't ya just LOVE that military talk?) There's been a lot of back and forth about ZBAC, mostly back (as in push back). At one point in the discussion, one of the most active participants wrote, "we want to create universally accepted identities that assert attributes and can be authenticated at a decision point." I replied with the following.
"Let's say we have the perfect, universally accepted identity system, and I make a request of a Pentagon web service. You know exactly who I am. Will you honor my request? No, unless it's a public service, in which case my identity doesn't matter. The issue is that knowing who is making the request doesn't tell you what access policy to apply."
Ever since then, the discussion has shifted from whether to implement ZBAC to questions about how to implement it.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp