RE: IP Address in the ACM (Was: Comments on Access Control Model - BNF)

["Paul Leach" <paulle@Exchange.Microsoft.com>]

Gee, this seems pretty complicated -- all for a mechanism known to be of
only limited secure applicability. Again, I object to making it
mandatory for compliance.

> -----Original Message-----
> From: Richard V Huber [mailto:rvh@qsun.mt.att.com] 
> Sent: Wednesday, April 11, 2001 2:12 PM
> 
> In terms of the resolution algorithm, it seems farily easy to 
> change it to do what Bob is talking about.
> 
> Just change it so that ipAddress has no explicit precedence 
> of its own.  The algorithm should go in precedence order 
> through the list of Subjects within a Scope (excluding 
> ipAddress).  At the completion of the processing of Subjects 
> within a Scope, any applicable ACI with ipAddress as subject 
> should be added to the list that is passed on to the next 
> step.  Since deny has precedence over grant, this means that 
> ACI with ipAddress subject can only deny access; it cannot grant.
> 
> In my version of the Access Decision Algorithm, you would 
> remove ipAddress (and DNS name?) from the list of Subjects 
> within a Scope and add a step 2a after step 2:
> 
>   2a. If there are any applicable ACI values with subject of type
>       ipAddress (or DNS name?), add them to the list at this point.
> 
> Note that adding this as a separate step means that the part 
> of step 2 that says "If no ACI values remain after processing 
> all Subject Types, access is denied" is processed before the 
> new step.  Thus access is denied and the ipAddress has no 
> effect if there is no applicable ACI other than the one(s) 
> based on ipAddress.
> 
> If we are going to use ipAddress as a subject I prefer this 
> to the original scheme.  With the original scheme a "grant" 
> associated with an ipAddress subject was a very dangerous thing.
>