On 17 Apr, Jan Harkes wrote:
+-----
| On Mon, Apr 17, 2000 at 08:26:33AM -0700, Linda Walsh wrote:
| > These are some basics from CAPP that may explain
| ...
| > events which occur within the system. The CAPP provides for a level of
| > protection which is appropriate for an assumed non-hostile and well-managed
| > user community requiring protection against threats of inadvertent or
| > casual attempts to breach the system security.
| ...
|
| LUIDs are not very useful for these stated goals because;
|
| 1- They don't keep track of people who managed to breach security by
| _avoiding_ the identification and authorization steps.
+--->8
Hm. CAPP appears to have altered goals from C2: C2 was to detect
*internal* security breaches on an assumed-externally-secure system,
and indeed its auditing provisions are not suitable for detection of
external threats.
If CAPP truly targets external threats, then I think we should indeed
bypass it as a completely misdesigned system for such.
| 2- if the perpetrator recovers a password (sniffing/social-engineering/
| rubber-hose tactics), his actions are indistuiguishable from those
| made by the real user.
+--->8
True, but there's no solution to this problem anyway.
| Well, your authorization is not my authorization. Someone can be logged
| in but not authorized as far as kerberos and Coda are concerned. The
+--->8
That's part of my first comment: C2, from which CAPP is descended,
explicitly *does not cover* networked systems. Not even
"intranet"-connected systems. C2 would need a major reworking to even
begin to address such.
I am starting to agree that CAPP is a trainwreck....
I will concede the point about LUIDs per se; it looks like CAPP has
generalized them somewhat. However, keep in mind that the more complex
the mapping of a user identity, the more suspect it is from an auditing
standpoint.
| the right granularity for reliable audits. Maybe it then becomes close
| enough to the AFS PAG concept that Coda can use it for it's user-subject
| identity binding as well.
+--->8
You still disallow multiple security contexts (PAGs) within a single
user session with such a design, whereas PAGs were designed
specifically to support them. You *should not* restrict PAGs to
implement this; you want a different identity mechanism.
-- brandon s. allbery os/2,linux,solaris,perl allbery@kf8nh.apk.net system administrator kthkrb,heimdal,gnome,rt allbery@ece.cmu.edu carnegie mellon / electrical and computer engineering kf8nh We are Linux. Resistance is an indication that you missed the point.- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Apr 23 2000 - 21:00:11 EST