[E-Lang] draft statement of consensus
Karp, Alan
alan_karp@hp.com
Wed, 7 Feb 2001 10:24:37 -0800
Sorry about the "trusting people" part. People were trusted to obey the
rules and not to divulge information to others who did not have the proper
clearance. I had intended to say that people weren't trusted with
information from higher security levels. Indeed, almost all of the Orange
Book addresses mechanisms to ensure that programs faithfully carry out the
information policies the people were trusted to obey.
_________________________
Alan Karp
Principal Scientist
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp/
> -----Original Message-----
> From: Bill Frantz [mailto:frantz@pwpconsult.com]
> Sent: Wednesday, February 07, 2001 10:08 AM
> To: Karp, Alan; Mark S. Miller; Marc Stiegler
> Cc: Jonathan S. Shapiro; E Language Discussions
> Subject: RE: [E-Lang] draft statement of consensus
>
>
> At 8:46 AM -0800 2/7/01, Karp, Alan wrote:
> >Actually, my reading of the matter is quite different. I believe the Orange
> >Book attempts to express in computer terms policies that were in effect long
> >before computers were used to hold confidential information. This approach
> >is quite common, using a new technology to implement existing procedures.
> >You'll note, for example, that the policies are information, if not file,
> >specific. They say little about invocation. Instead, they center on
> >controlling information flow across security levels. I don't see anything
> >about assuming programs having the full authority of their users, either.
> >In fact, it's the people who aren't trusted, not just the programs. I do
> >agree, however, that most implementations of MLS are based on the Unix model
> >where programs get the full authority of the account under which they run.
>
> I agree the Orange Book is concerned with information flow, and not just
> files. While there is certainly no requirement that programs run with the
> full authority of their users, part of the goal was to secure systems where
> programs did.
>
> The statement, "In fact, it's the people who aren't trusted, not just the
> programs." is directly the opposite of the statement from one of the people
> on the KeyKOS evaluation team. (I think it was Deborah Downs, but my
> memory may be faulty.) The statement was, "Of course we trust the users.
> After all, they have been cleared. It's their programs we don't trust."
> This view is in line with the old paper systems, where the users were
> trusted.
>
>
> -------------------------------------------------------------------------
> Bill Frantz       | Microsoft Outlook, the | Periwinkle -- Consulting
> (408)356-8506     | hacker's path to your  | 16345 Englewood Ave.
> frantz@netcom.com | hard disk.             | Los Gatos, CA 95032, USA