IMHW400@INDYVAX.BITNET (06/24/88)
[EVERHART%ARISIA.decnet@GE-CRD.ARPA suggests a scheme for propagating security
identifiers across DECnet.]
Two thoughts on your interesting proposal:
o Maybe the new Distributed Name Service can help out somehow? It
could make the identifiers' names and values known throughout the
network, which is a start.
o A less flexible approach can be had without so much network traffic.
A set of identifiers {NOT_IN_AREA, NOT_SAME_IDP, NOT_TRUSTED} can
be implemented using only information available to the service process'
node, by examining the requestor's address. Only NOT_TRUSTED requires
more overhead than a longword or string comparison. While this
does not allow the control of individual users' access, it *does*
allow you to lock your files against the most likely sources of
annoyance: other network areas (divisions?), other networks
(organizations?), and any node known to have many holders of TWIT.
If you don't mind some more table-lookups, you could have tables
of trusted areas and IDPs as well.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Mark H. Wood    IMHW400@INDYVAX.BITNET    (317)274-0749
Indiana University - Purdue University at Indianapolis
799 West Michigan Street, ET 1023
Indianapolis, IN 46202 USA
[@disclaimer@]
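The second suggestion in the message above, sketched as an added example that is not part of the original post: the serving node derives NOT_IN_AREA, NOT_SAME_IDP and NOT_TRUSTED purely from the requestor's address and its own local tables. Assumptions made here: the `idp:area.node` notation, the 6-bit area / 10-bit node address layout, the reading that a trusted-table entry suppresses the matching identifier, and failing closed on an unparseable address.

```python
from dataclasses import dataclass

ALL_IDS = frozenset({"NOT_IN_AREA", "NOT_SAME_IDP", "NOT_TRUSTED"})

@dataclass(frozen=True)
class NodeAddress:
    # Assumed model: an IDP string naming the network, plus a 16-bit
    # address with a 6-bit area and a 10-bit node number.
    idp: str
    addr16: int

    @property
    def area(self) -> int:
        return self.addr16 >> 10

def parse_address(text: str) -> NodeAddress:
    """Parse the constructed notation 'idp:area.node', e.g. '47:12.345'."""
    idp, _, rest = text.partition(":")
    area_s, _, node_s = rest.partition(".")
    area, node = int(area_s), int(node_s)      # ValueError on garbage
    if not idp or not (1 <= area <= 63 and 1 <= node <= 1023):
        raise ValueError(f"bad address: {text!r}")
    return NodeAddress(idp, (area << 10) | node)

def derive_identifiers(local, requestor_text, untrusted_nodes,
                       trusted_areas=frozenset(), trusted_idps=frozenset()):
    """Return the identifiers the requestor holds, using only local data."""
    try:
        req = parse_address(requestor_text)
    except ValueError:
        return set(ALL_IDS)            # fail closed: unknown origin gets all three
    ids = set()
    if req.idp != local.idp and req.idp not in trusted_idps:
        ids.add("NOT_SAME_IDP")        # plain string comparison
    same_area = req.idp == local.idp and req.area == local.area
    if not same_area and (req.idp, req.area) not in trusted_areas:
        ids.add("NOT_IN_AREA")         # plain integer comparison
    if req in untrusted_nodes:         # the only check that needs a table lookup
        ids.add("NOT_TRUSTED")
    return ids

def access_allowed(denied_ids, holder_ids):
    """A file lists identifiers it is locked against; any match denies."""
    return not (set(denied_ids) & set(holder_ids))

# Constructed sample values, not taken from the message.
LOCAL = parse_address("47:12.1")
UNTRUSTED = frozenset({parse_address("47:12.99")})
```
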