[cap-talk] Too delicious for words

Karp, Alan H alan.karp at hp.com
Thu Jan 14 09:09:47 PST 2010


I am participating in a DoD working group on RESTful services.  There is a lot of resistance to ZBAC in general and web-keys in particular.  In today's conference call, we had a dramatic demonstration of why those objections are off the mark.

Several participants were stressing the need for centralized control over who can see what documents.  They all agreed that the user was the last person you wanted making access decisions via delegation.  One caller said the justification was spelled out in a report in a SharePoint workspace on Intelink, a set of web sites with unclassified content for use by the US intelligence community.  When I mentioned that I can't get an account because I don't have a government sponsor, one of the people emailed me a copy of the document.

They all seemed shocked when I pointed out that they had just violated the centralized access policy.  (The sender jokingly said she was going directly to the brig.)  I then pointed out that if I had been sent a web-key to a URL behind the Intelink firewall, there would have been no violation.  At that point, there was some general mumbling, and the group decided to move on to another topic!

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
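As an added illustration of the web-key point made above (example code written for this archive page, not code from the post or from any Intelink system): a minimal server that mints unguessable URLs, so that delegating one is still mediated by the server, recorded in its audit log, and revocable, none of which holds for an emailed copy. The hostname, document id and people are constructed placeholders.

```python
import secrets
from urllib.parse import urlsplit

# Constructed example: intelink.example, the document id and the people are
# hypothetical placeholders, not real systems or accounts.
class WebKeyServer:
    def __init__(self, origin):
        self.origin = origin
        self.documents = {}   # doc_id -> content; content never leaves as a file copy
        self.keys = {}        # token -> {"doc", "issued_by", "revoked"}
        self.audit_log = []   # every access attempt, granted or denied

    def add_document(self, doc_id, content):
        self.documents[doc_id] = content

    def issue_web_key(self, doc_id, issued_by):
        """Mint an unguessable URL for one document. The secret lives in the
        fragment, which browsers do not send in Referer headers or request lines."""
        token = secrets.token_urlsafe(32)
        self.keys[token] = {"doc": doc_id, "issued_by": issued_by, "revoked": False}
        return f"{self.origin}/doc#{token}"

    def revoke(self, web_key):
        """Central control survives delegation: the issuer or sponsor can revoke."""
        token = urlsplit(web_key).fragment
        if token in self.keys:
            self.keys[token]["revoked"] = True

    def fetch(self, web_key, requester):
        """Mediated access: the holder presents the key; the server decides and logs."""
        token = urlsplit(web_key).fragment
        entry = self.keys.get(token)
        granted = entry is not None and not entry["revoked"]
        self.audit_log.append({
            "requester": requester,
            "doc": entry["doc"] if entry else None,
            "delegated_by": entry["issued_by"] if entry else None,
            "granted": granted,
        })
        return self.documents[entry["doc"]] if granted else None

def demo():
    server = WebKeyServer("https://intelink.example")
    server.add_document("report-42", "Justification for centralized access control")
    key = server.issue_web_key("report-42", issued_by="sender@agency.example")
    first = server.fetch(key, requester="alan")    # delegated access, logged with its delegator
    server.revoke(key)                             # sponsor withdraws the delegation later
    second = server.fetch(key, requester="alan")   # now denied, and that is logged too
    return first, second, server.audit_log
```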
