double shot of snake oil, good conclusion

Tal Garfinkel talg at cs.stanford.edu
Wed Mar 5 20:15:15 EST 2003


> DRM can't really control what humans do and there is no commercial
> value in saying that a document that I see cannot be printed or
> forwarded -- because it can.

I believe you are overlooking the assumed threat model, and thus the
value of document control systems like the one that Microsoft is
proposing.

The benefit of systems like this is to aid in managing the huge amounts
of confidential internal documents that enterprises generate and would
like to keep out of paper form, thus out of the hands of dumpster divers
and not left around on desktops, to prevent accidental propagation of
internal documents, etc.

Imposing access controls that rely on users not being explicitly
malicious is not "snake oil" and is not a new idea, nor is the
recognition of their limitations.  In systems that impose mandatory
access controls of the more traditional type (a la Bell-LaPadula), the
user can always violate the *-property (i.e. no write down) by simply
typing information from a high level document into a lower level
document.  Clearly, you could do the same thing with the system
Microsoft is proposing, but preventing this type of attack is not the
objective.

The value of these types of controls is that they help users you basically
trust who might be careless, stupid, lazy or confused to do the right
thing (however the right thing is defined, according to your company
security policy).

--Tal
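
The Bell-LaPadula point in the message above, as an added example that is not part of the original post: a toy reference monitor enforcing no-read-up and the *-property blocks a careless write-down, yet permits the same text once the user retypes it from a lower-level session. The level names, documents, user and helper functions are all constructed for illustration.

```python
from dataclasses import dataclass

LEVELS = {"public": 0, "internal": 1, "confidential": 2}  # constructed lattice

class Denied(Exception):
    """Raised when the reference monitor refuses an operation."""

@dataclass
class Document:
    name: str
    level: str
    text: str = ""

@dataclass
class Session:
    """A login session at a fixed level: the 'subject' in Bell-LaPadula."""
    user: str
    level: str

def read(session, doc):
    # Simple security property: a subject may not read above its level.
    if LEVELS[doc.level] > LEVELS[session.level]:
        raise Denied(f"{session.user}: no read up to {doc.name}")
    return doc.text

def write(session, doc, text):
    # *-property: a subject may not write below its level.
    if LEVELS[doc.level] < LEVELS[session.level]:
        raise Denied(f"{session.user}: no write down to {doc.name}")
    doc.text += text

def demo():
    plan = Document("merger-plan", "confidential", "Q3 target: ExampleCo")
    memo = Document("lunch-memo", "public")
    high = Session("alice", "confidential")

    # Careless case: pasting into the wrong document from a high session.
    try:
        write(high, memo, read(high, plan))
        careless_blocked = False
    except Denied:
        careless_blocked = True

    # Deliberate case: the text leaves through the user's memory, which the
    # monitor cannot label. A fresh low session then writes it legally.
    remembered = read(high, plan)
    low = Session("alice", "public")
    write(low, memo, remembered)
    return careless_blocked, memo.text == plan.text

if __name__ == "__main__":
    print(demo())  # (True, True)
```

The first result is the accident the control is meant to stop; the second is the out-of-band channel that the stated threat model leaves out of scope.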

---------------------------------------------------------------------
The Cryptography Mailing List