At 11:02 PM -0800 2/9/12, Kyle Hamilton wrote:
On Wed, Feb 8, 2012 at 9:06 AM, Stephen Kent <k...@bbn.com> wrote:
So, I don't agree that the distinction between the user and a machine
operated by a user is really significant, in the end.  (Yes, I am aware of
the many security problems that arise because the user doesn't really know
what the code is doing, but nothing is perfect.)

I believe that there's a very good reason to separate them. We're going to need to move to a system where we have effectively a separate UID per application, within the overarching user's UID. This is the only effective way to isolate the damage which one application can cause, and the only effective way to audit precisely which application did what damage.

I appreciate the potential benefit for per-app IDs vs. user/machine IDs, but given the sorry state of OS security, it's not clear that a per-app ID is really meaningful.

This is a recasting of Android's model, where the "user ID" is "the device's controller", and the applications themselves are assigned Linux UIDs so they can't interfere with each other.

I agree that credential portability is essential. [...]

Credential portability is overrated. The real problem is credential equivalence.

PHB pointed out why credential portability is critical for encrypted e-mail. For many other apps, it is not so critical. I am not sure that equivalence is a good alternative, as mapping among multiple credentials creates an opportunity for additional security problems.


S/MIME with a private key shared to fifteen devices no longer looks
very secure to me.

S/MIME with a private key stored on a daemon system and unique private keys on each of fourteen accessing clients, on the other hand...

is not e-2-e secure and thus less desirable.


Credential portability does not necessarily imply a private key kept in SW
in every device.

Credential portability does, however, imply a private key or other authenticator must be handled in SW in every device. Intermittent security is harder than complete security in a sufficiently complex system.

not true. many folks carry devices that could be used to store private keys that are used briefly, to unwrap keys.

Steve
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
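Kent's closing point (a long-term private key kept on a carried device and used only briefly, to unwrap a per-message content key, so that no accessing client has to hold the long-term key in software) as an added worked example. This is illustrative code written for this page, not code from either participant or from any S/MIME implementation. It assumes an in-memory `Token` type standing in for the hardware device, RSA-OAEP as the wrap and AES-GCM for the body; the CMS-style envelope layout (wrapped content key plus encrypted body) is the only part taken from how S/MIME actually works.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Token stands in for a carried hardware device (smart card, phone secure
// element). The long-term private key never leaves it; callers only get a
// short-lived content key back. (Hypothetical type for this example.)
type Token struct {
	priv *rsa.PrivateKey
}

func NewToken() (*Token, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Token{priv: k}, nil
}

func (t *Token) Public() *rsa.PublicKey { return &t.priv.PublicKey }

// Unwrap is the only operation the token exposes: recover a content key that
// was wrapped to its public key. The OAEP label binds the wrap to this use.
func (t *Token) Unwrap(wrappedCEK []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, wrappedCEK, []byte("cek"))
}

// Envelope is what travels between devices: the body under AES-GCM plus the
// content key wrapped to the recipient's long-term public key.
type Envelope struct {
	WrappedCEK []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal is the sender side; it needs only the recipient's public key.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	cek := make([]byte, 32) // fresh AES-256 content key per message
	if _, err := io.ReadFull(rand.Reader, cek); err != nil {
		return nil, err
	}
	defer zero(cek)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, []byte("cek"))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Envelope{WrappedCEK: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open runs on any of the user's accessing devices. The device holds no
// long-term key: it borrows the token for one Unwrap, uses the content key
// for this message only, and wipes its copy before returning.
func Open(t *Token, env *Envelope) ([]byte, error) {
	cek, err := t.Unwrap(env.WrappedCEK)
	if err != nil {
		return nil, err
	}
	defer zero(cek)
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // fails on any tampering
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// zero wipes the caller's copy of the key bytes (best effort: the expanded
// round keys inside the cipher object live until it is collected).
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	tok, _ := NewToken()
	env, _ := Seal(tok.Public(), []byte("constructed sample message body"))
	pt, err := Open(tok, env) // same envelope opens on any device the token is plugged into
	fmt.Printf("%q %v\n", pt, err)
}
```

The shape matters more than the primitives: every accessing client sees the long-term key only as an opaque Unwrap call, and the only key material it ever holds in software is the per-message content key, which is the "used briefly" part of Kent's remark. Swapping the simulated token for a real PKCS#11 or smart-card interface changes Unwrap and nothing else.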