<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:1051226443;
mso-list-type:hybrid;
mso-list-template-ids:-167378216 -1879300142 201916419 201916421 201916417 201916419 201916421 201916417 201916419 201916421;}
@list l0:level1
{mso-level-start-at:2;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l0:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1
{mso-list-id:1354263945;
mso-list-type:hybrid;
mso-list-template-ids:-1532714614 1507724428 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-start-at:5;
mso-level-number-format:bullet;
mso-level-text:\F0E8;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l1:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-AU link=blue vlink=purple>
<div class=Section1>
<div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><snip Replied in other message><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l1 level1 lfo2'><![if !supportLists]><span
lang=EN-US style='font-size:11.0pt;font-family:Wingdings;color:#1F497D'><span
style='mso-list:Ignore'>è<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>All
we are doing is limiting what rights the user (Actor) can delegate</span><span
lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p></o:p></span></p>
<div>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>The only meaningful limit is that users can only delegate rights
they have. It makes no sense from a security standpoint to prevent them
from delegating those rights because they can always use them on behalf of the
party they wish to delegate to. The only exception is if you’re worried
about users making mistakes.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>BK> Agreed. Some rights may require a stronger confirmation
if the risk of a mistake is higher,<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l1 level1 lfo2'><![if !supportLists]><span
style='font-size:11.0pt;font-family:Wingdings;color:#1F497D'><span
style='mso-list:Ignore'>è<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Im no
expert and still learning but I can see how a file/Open and setup/configure
trusted dialogs can grant privilege but I don’t see how you can do
it without giving the user (Actor) carte blanche access to the machine,
which in some cases is not desirable. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The Actor has some set of rights that it can delegate.
There’s no reason that implies carte blanche access. Some Actors
will have more rights, some of them less.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>BK> But what about all those OS files , Device drivers ,
Creating users , services and all the other non file rights. ( I talk about
this in the other message more eg is the first user a admin user ) </span><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l1 level1 lfo2'><![if !supportLists]><span
style='font-size:11.0pt;font-family:Wingdings;color:#1F497D'><span
style='mso-list:Ignore'>è<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Secondly
if there are any bugs with these trusted controls you are completely open eg
click jacking even though you can’t access the API /message loop
there are ways to manipulate UI rendering so the user (Actor) is clicking
on something he shouldn’t normally approve. In both cases the
concept of user rights is almost meaningless and it is just a container to hold
the user group relationship and rights to home directory . Lastly access
on shared servers is normally controlled through such groups. <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>Clickjacking is a particular attack against a browser
interface. As Tyler pointed out in “ACLs Don’t”
capabilities in the form of webkeys defeat clickjacking because the attacker
doesn’t know the URL for the page holding interesting authorities.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>BK> Disagree that click jacking is limited to browsers. It
affects browsers because it’s rendered from css and web pages have flexible
layout. I have seen click jacking with forms by using full transparency. This
is a bit of an issue for me as it is very likely that the UI I will be using
will be rendered ( prob using Moonlight from Xaml) , the same rules apply its
just a bit more tricky as it the security interacts with the rendering engine.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>The problem with thinking of user rights in terms of accounts
and groups is that there is no way to modify the access rules from within the
model. You need a set of meta-rules outside of the basic mechanism, such
as the owner can change the ACL entry, but “owner” is not part of
the basic ACL model. A better way of thinking of user rights, whether
local or on a shared server, is to think of a c-list. The dynamic
delegatability of capabilities allows for modification of the access rules
within the model.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Agree on the issue of modify the access rule in the model and
that groups are no issues and are easily modeled by a Capability List . <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>It’s the interaction with ACL systems and how to manage if
say you have a Directory Server , A Capability File Server and Older NT File
Server (Acl) , Machines running Windows 7 , Macs and machines running a new Capability
OS. How do you interact the capabilities ? I’m not designing a
Research system but a practical one. Windows allows you to add Domain groups
to local groups eg you can add Domain Admins to Administrator and Domain Users
to Users and all domain users can the login with User or Admin rights. How do
you model that any user in the organization can log in get basic rights from the
tree , deploy his allocated applications from the tree and access his files on
the server. I seem to always need this user –Group mapping is there a
nicer way .. I need to rethink.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>You are right that there is the possibility that the user will
make a mistake. That’s where Voluntary Oblivious Compliance comes
in.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>BK> But VOC from little what I have read of it still relies
on another user. <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l1 level1 lfo2'><![if !supportLists]><span
style='font-size:11.0pt;font-family:Wingdings;color:#1F497D'><span
style='mso-list:Ignore'>è<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>By
providing an underlying layer with escalations I can limit what the user
(Actor) has access to though I still can provide full machine rights for
a home user (Actor) based on a policy setting. In addition it
can work well with existing file servers , directories such as NDS and AD of
which you have no change to ever replace. <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>Any access control model must be able to grant full rights to
some users and restrict the rights of others. That’s not
enough. You also need to think about the rights of processes the user
starts. Today, those processes get all the user’s rights, which is
the root cause of the virus problem. Capabilities make it easy to do
better, and there are numerous examples of how to interface them to standard
file systems. Directories, such as AD, are one way to specify what might
be called the user’s installation endowment in a capability system.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>BK> I think I understand capabilities and its benefits by
limiting it to apps it aligns well with OO programming and strongly typed/mem
safe systems . What I still don’t get I think is who has the privilege
rights to install device drivers on say a new system and </span><span
lang=EN-US style='font-size:10.5pt;font-family:Consolas;color:#1F497D'>the “user’s
installation endowment” or “User namespace” and how this is
different from user/group rights ? Is the privilege right just an admin user
who logs in first with lots of rights ? <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>Anyway I need to think on this for a while… especially the
AD integration. <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>Regards, <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>Ben </span><span lang=EN-US style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>________________________<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>Alan Karp<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>Principal Scientist<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>Virus Safe Computing Initiative<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>Hewlett-Packard Laboratories<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>1501 Page Mill Road<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>Palo Alto, CA 94304<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'>(650) 857-3967, fax (650) 857-7029<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:Consolas;
color:#1F497D'><a href="http://www.hpl.hp.com/personal/Alan_Karp">http://www.hpl.hp.com/personal/Alan_Karp</a><o:p></o:p></span></p>
</div>
</div>
</div>
</body>
</html>