[Date Prev][Date Next][Thread Prev][Thread Next][Author Index][Date Index][Thread Index]

Archiving enhancement and insecure BeBe



Abstract: A while ago I added a request to the spec for archiving, and
I'm only now getting around to writing it up.  The result of the
enhancement is that we can do BeBe between partially trusting sites.

If you'll recall, anyone could make a believable copy of stuff in a
backend (that they can read).  They could then take the copy to the
system administrator of another backend who could then install it.
This would let a user transfer documents from backend to the other and
have the receiving system believe the originating system.

There's a particularly common usage that we want to support:  I take a
bunch of documents home, play around with them on my home system, and
bring them in the next day to the original system.  In the process
I've generated new versions of existing documents, new links, etc.
The simple solution to this is to have each system believe anything
*I* say with respect to documents generated on the other system.
Since each XID has the originating system ID built in, I could
transfer documents generated on my home machine to the office machine
without any problem.  Presumably I can already do anything I want to
my home machine, so not believing me wrt its contents makes no sense.

This is secure because only I can make the office machine believe
anything about the state of my home machine, and vice-versa.
Likewise, all my coworkers can make the office machine believe
anything about their home machines.

Some things are still difficult.  I'll propose simple solutions, and
you can recompute the problems.  I may have to endorse everything on
the office system once I bring it back because my user-id at home is
differeent from my office user-id.  I have to hop any berts that I
took home with me because I can't directly reimport them, and hadn't
actually grabbed them in the first place.

More later...
dean