On Mon, Feb 2, 2009 at 10:39 AM, Karp, Alan H <span dir="ltr"><<a href="mailto:alan.karp@hp.com">alan.karp@hp.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
We have proposed something similar for the Navy to support Risk Adaptive Access Control (RADAC) with ZBAC. The user's identity, or more likely set of attributes, is used to make a context-dependent decision on whether or not to honor the capability. For example, the capability will be honored unless we're at war with Canada and the submitter is a Canadian. It's important that the NBAC check be used only to reduce the rights carried in the capability, or you can get a confused deputy.<br>
</blockquote><div> </div></div>If you use the NBAC (autheNtication-Based Access Control) check to reduce rights, whether by ACLs or Horton, you can still get a confused deputy. However, in a hybrid system, you have two knobs to turn: 1) of the authority at stake, to what extent are you protecting it using ZBAC (authoriZation-Based Access Control) vs NBAC? And 2) for the NBAC portion, is it Horton-like or ACL-like? <br>
<br>Current systems can be modelled as hybrids with the knobs set all the way to NBAC, and using ACLs for their NBAC, and so have all the problems we like to talk about on this list. <br><br>Ocap systems can be modelled as hybrids in which we do not use ACL checks at all -- setting knob #2 to Horton. Ocap best practice can further be modelled by setting knob #1 to only using Horton's NBAC check for reactive control in emergency situations, like war with Canada, but otherwise trying to stay safe using only proactive ZBAC controls.<br>
<br clear="all"><br>-- <br>Text by me above is hereby placed in the public domain<br><br> Cheers,<br> --MarkM<br><br>
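An added illustration, not part of the message above and not code from either correspondent: the rule in the quoted paragraph, that the NBAC check may only reduce the rights a capability carries, written as a set intersection. All names here (Capability, Context, nbac_ceiling, the nationality attribute, the sonar-log resource) are hypothetical, and the sketch does not model Horton.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Capability:
    """ZBAC side: a reference to a resource plus the rights it carries."""
    resource: str
    rights: frozenset


@dataclass(frozen=True)
class Context:
    """Constructed risk context consulted by the NBAC check."""
    at_war_with: frozenset = frozenset()


def nbac_ceiling(attributes: dict, ctx: Context) -> Optional[frozenset]:
    """Context-dependent policy over the submitter's attributes.

    Returns None when the policy imposes no limit, otherwise the set of
    rights the submitter may still exercise in this context.
    """
    if attributes.get("nationality") in ctx.at_war_with:
        return frozenset()  # emergency: honor nothing for this submitter
    return None


def effective_rights(cap: Capability, attributes: dict, ctx: Context) -> frozenset:
    """Hybrid check: the NBAC result is intersected with the capability's
    rights, so it can remove rights but can never add any."""
    ceiling = nbac_ceiling(attributes, ctx)
    return cap.rights if ceiling is None else cap.rights & ceiling


def invoke(cap: Capability, op: str, attributes: dict, ctx: Context) -> bool:
    """Honor op only if it survives both the ZBAC and the NBAC part."""
    return op in effective_rights(cap, attributes, ctx)


# Constructed sample values.
CAP = Capability("sonar-log", frozenset({"read", "append"}))
PEACE = Context()
WAR = Context(at_war_with=frozenset({"CA"}))
```

Because identity attributes are consulted only inside the intersection, no attribute value can yield a right the capability does not already carry.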