[E-Lang] draft statement of consensus

Bill Frantz frantz@pwpconsult.com
Wed, 7 Feb 2001 10:08:14 -0800

At 8:46 AM -0800 2/7/01, Karp, Alan wrote:
>Actually, my reading of the matter is quite different.  I believe the Orange
>Book attempts to express in computer terms policies that were in effect long
>before computers were used to hold confidential information.  This approach
>is quite common, using a new technology to implement existing procedures.
>You'll note, for example, that the policies are information, if not file,
>specific.  They say little about invocation.  Instead, they center on
>controlling information flow across security levels.  I don't see anything
>about assuming programs having the full authority of their users, either.
>In fact, it's the people who aren't trusted, not just the programs.  I do
>agree, however, that most implementations of MLS are based on the Unix model
>where programs get the full authority of the account under which they run.

I agree the Orange Book is concerned with information flow, and not just
files.  While there is certainly no requirement that programs run with the
full authority of their users, part of the goal was to secure systems where
programs did.

The statement, "In fact, it's the people who aren't trusted, not just the
programs." is directly the opposite of the statement from one of the people
on the KeyKOS evaluation team.  (I think it was Deborah Downs, but my
memory may be faulty.)  The statement was, "Of course we trust the users.
After all, they have been cleared.  It's their programs we don't trust."
This view is in line with the old paper systems, where the users were

Bill Frantz       | Microsoft Outlook, the     | Periwinkle -- Consulting
(408)356-8506     | hacker's path to your      | 16345 Englewood Ave.
frantz@netcom.com | hard disk.                 | Los Gatos, CA 95032, USA