RE: Secure Chrome and Secure MetaData

> From: Drew Dean [mailto:ddean@yahoo-inc.com] 

> To follow up on Phil and Mary's points:
> 
> I find it rather interesting that there's been no discussion 
> of the Compartmented Mode Workstations (CMW) of the 
> 1980s-1990s.  While they aren't a shining example of success, 
> unambiguously displaying the security label of a window is 
> exactly the "secure chrome" problem.
> If we don't study history, we'll be condemned to repeat it....

I agree that this is a very attractive approach for some problems. For example, Civilization IV refuses to run without full admin privs. I don't want to give admin privs on the machine, but I would allow full admin privs on a virtual machine that had no ability to affect anything outside its scope.

This is simply good old compartmentalized security.


> I mostly, but not entirely, agree with Phil's ruling platform 
> attacks out of scope.  I agree that solving that problem 
> isn't our problem, but think that we can reasonably specify 
> requirements on the platform at and below us (i.e., browser & 
> underlying OS) to support a trusted path of some sort.  The 
> details, however, should be out of scope -- and may/probably 
> be implementation dependent, so there's not much to standardize.

I think that we can have a wide-ranging discussion and we should discuss the requirements interfaces across the entities. For example, CardSpace (née Infocard) is bolted into the Vista O/S and that is a large part of the attraction.

What we do need to do though is to exclude all comments of the form 'this is not going to work because of [out of scope attack]'. The answer to that has to be 'that topic is out of scope for this forum'.

On the other hand I would very much welcome someone who did a security analysis of the latest Internet Crime Attack 'Phuming' in which they identified six components that relate to topics that are in scope and another ten that turn out to be out of scope. Just don't suggest that this is the place to solve those problems or that the group should do nothing until the problem is solved.

The point is to deliver on a tightly focused statement of work, not to solve every problem in this space. 

			Phill

Received on Tuesday, 20 June 2006 21:43:47 UTC