Firewall Wizards mailing list archives

Re: Trusted Unices Aren't?


From: "Paul D. Robertson" <proberts () clark net>
Date: Fri, 30 Oct 1998 09:30:04 -0500 (EST)

On Fri, 30 Oct 1998, David Collier-Brown wrote:

      Methinks the initial hurdle is too high, as measured 
      in dollars.

      MAC, trusted path and some related work, applied to
      a non-trustable OS, might make a very nice kind of
      web server. In fact, if there was a credible standard
      and an implementation, it would make a good combined
      server and firewall.  

It seems to me, and maybe the practicality aspects aren't something I've 
given enough thought to - but here's a chance to "raise the bar" on 
secure systems in an open environment.  I think that for application 
servers, especially in a VPN world, per-service protection is very 
necessary.  I also happen to think that as we evolve firewalls forward, 
this kind of thing scales nicely to proxying certificates, and producing 
real per-user, per-service trust models.  Administration is still a 
nightmare, but with a free implementation we have a chance to play with 
that and hopefully get significantly interesting implementation ideas 
out.  

      Borrowing from the ``medieval city'' metaphor, the
      machine would serve as the gate, the public market 
      inside the gate, and the gate in the inner marketplace
      wall. You still have to hire some spear-carriers
      to stand at the gate and catch thieves, though.

Certainly, but you'd rather the gatekeepers had strong spears and a good 
portcullis than a hole in the wall and a stick.

One of the things I haven't seen any comments on that I was hoping to see 
was some thoughts on the fact that here's an implementation that has none 
of the "evaluation baggage" people are always complaining about, and none 
of the price tag or restrictions that typically come with such systems.  
Maybe it's just not interesting to INFOSEC people anymore to pursue the 
model?

If the freeware OS market stands even a 5% chance of raising the bar on 
system-level security enough that the payware OS' have to follow, it 
seems worth-while to me.

VPNs, telecommuters, extranets, and all the other things we're being 
avalanched with necessitate per-service security policies instead of 
per-network ones; I see this as a probable avenue into that realm.  
There's enough code in the system now to do good things, and enough left 
to do to shape what can be done.  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280


