RE: IP Address in the ACM (Was: Comments on Access Control Model - BNF)
Gee, this seems pretty complicated -- all for a mechanism known to be of
only limited secure applicability. Again, I object to making it
mandatory for compliance.
> -----Original Message-----
> From: Richard V Huber [mailto:rvh@qsun.mt.att.com]
> Sent: Wednesday, April 11, 2001 2:12 PM
>
> In terms of the resolution algorithm, it seems fairly easy to
> change it to do what Bob is talking about.
>
> Just change it so that ipAddress has no explicit precedence
> of its own. The algorithm should go in precedence order
> through the list of Subjects within a Scope (excluding
> ipAddress). At the completion of the processing of Subjects
> within a Scope, any applicable ACI with ipAddress as subject
> should be added to the list that is passed on to the next
> step. Since deny has precedence over grant, this means that
> ACI with ipAddress subject can only deny access; it cannot grant.
>
> In my version of the Access Decision Algorithm, you would
> remove ipAddress (and DNS name?) from the list of Subjects
> within a Scope and add a step 2a after step 2:
>
> 2a. If there are any applicable ACI values with subject of type
> ipAddress (or DNS name?), add them to the list at this point.
>
> Note that adding this as a separate step means that the part
> of step 2 that says "If no ACI values remain after processing
> all Subject Types, access is denied" is processed before the
> new step. Thus access is denied and the ipAddress has no
> effect if there is no applicable ACI other than the one(s)
> based on ipAddress.
>
> If we are going to use ipAddress as a subject I prefer this
> to the original scheme. With the original scheme a "grant"
> associated with an ipAddress subject was a very dangerous thing.
>
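The ordering Richard describes (step 2 over the non-ipAddress subject types, the "no ACI remains, access is denied" check, then step 2a adding ipAddress ACIs before deny-over-grant resolution) can be modelled in a few lines. The following is an added example, not code from the thread or from the access control model draft. It assumes a particular subject-type precedence list and assumes that the first subject type in precedence order with any matching ACI supplies the list carried forward; the draft's actual precedence rules may differ. All subject types, names and addresses below are constructed.

```python
from dataclasses import dataclass

# Assumed precedence order for non-ipAddress subject types (constructed;
# the quoted message does not list them). ipAddress is deliberately absent.
SUBJECT_PRECEDENCE = ["authzId", "group", "public"]


@dataclass(frozen=True)
class ACI:
    subject_type: str   # e.g. "authzId", "group", "public", "ipAddress"
    subject: str        # value the request is matched against
    effect: str         # "grant" or "deny"


@dataclass(frozen=True)
class Request:
    authz_id: str
    groups: frozenset
    ip: str


def matches(aci: ACI, req: Request) -> bool:
    """Does this ACI's subject apply to the requester?"""
    if aci.subject_type == "authzId":
        return aci.subject == req.authz_id
    if aci.subject_type == "group":
        return aci.subject in req.groups
    if aci.subject_type == "public":
        return True
    if aci.subject_type == "ipAddress":
        return aci.subject == req.ip
    return False


def decide(acis: list, req: Request) -> str:
    """Access decision for one scope, following the proposed step ordering."""
    # Step 2: walk subject types in precedence order, excluding ipAddress.
    # Assumption: the first type with a matching ACI supplies the list.
    applicable = []
    for subject_type in SUBJECT_PRECEDENCE:
        applicable = [a for a in acis
                      if a.subject_type == subject_type and matches(a, req)]
        if applicable:
            break

    # "If no ACI values remain after processing all Subject Types, access is
    # denied" -- evaluated before step 2a, so an ipAddress ACI on its own
    # can never produce a grant.
    if not applicable:
        return "deny"

    # Step 2a: now add any applicable ipAddress ACI to the list.
    applicable += [a for a in acis
                   if a.subject_type == "ipAddress" and matches(a, req)]

    # Deny has precedence over grant, so ipAddress entries can only deny.
    if any(a.effect == "deny" for a in applicable):
        return "deny"
    return "grant"


# Constructed sample policy and requests.
POLICY = [
    ACI("authzId", "alice", "grant"),
    ACI("ipAddress", "192.0.2.10", "deny"),    # block a specific address
    ACI("ipAddress", "192.0.2.20", "grant"),   # has no effect on its own
]

ALICE_FROM_BLOCKED = Request("alice", frozenset(), "192.0.2.10")
ALICE_FROM_OTHER = Request("alice", frozenset(), "192.0.2.99")
STRANGER_FROM_GRANTED_IP = Request("mallory", frozenset(), "192.0.2.20")

if __name__ == "__main__":
    print("alice from blocked IP:", decide(POLICY, ALICE_FROM_BLOCKED))
    print("alice from other IP:  ", decide(POLICY, ALICE_FROM_OTHER))
    print("stranger, IP grant:   ", decide(POLICY, STRANGER_FROM_GRANTED_IP))
```

The third request is the case Richard calls dangerous under the original scheme: an ipAddress "grant" with no other applicable ACI. Under the reordered algorithm the step 2 check already yields deny before the ipAddress ACI is ever considered, so the address-based entry can only narrow access that some other subject type has granted.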