[Zope-PTK] PROPOSAL: A Confidence Mechanism in User Role Management

Andrew Wilcox circle@gwi.net
Wed, 09 Feb 2000 16:45:24 -0500


I think I would find the calculated confidence value confusing when trying
to figure out what permissions would actually be granted to which users
under what conditions, at least as I understand the proposal.

     "What?! Someone downloaded our top secret data using a password they
were able to sniff from the network because it was sent in cleartext??"

     "Yeah well, a few weeks ago I thought I might boost the confidence
value a little bit for people who used hard-to-guess passwords, you know,
if they put in lots of numbers and uppercase letters and stuff, but I
didn't realize it would boost the confidence value past the 70% point which
allows access to top secret data when combined with the confidence boost
they get for being on an internal LAN IP address, sigh..."

Of course, this may merely be an indication that I shouldn't be working in
the security office :-)

The idea of constraints is great.  That allows a security policy to
actually enforce a requirement such that sensitive functions can only be
accessed over a secure channel.

Automatic escalation of the required security of the login to make a role
transition is cool, but a word of caution for the admin who naively marks a
"manager" role as needing "https", and thinks that makes the access secure.
Guess what?  Unless I have to use a different password, I just logged in
ten minutes ago on cleartext http with the same password.

What about an enumeration of things that someone might care about in a
security policy:

  -  has the user actually provided credentials, or are we just guessing
who they are based on a cookie or whatever at this point.

  -  was authentication (i.e. the password) sent using a secure mechanism?
Or more precisely, never gets sent insecurely?

  -  is there someone vouching for a connection between the identification
(such as a username) and the actual identity of the user?  (employer
vouches for employees, friends for friends, perhaps some certificate
authority checks driver's license)

  -  can a user let their account be used by a friend, relative, or
colleague (probably)


Andrew