Thanks Jeff.
Speaking of blockchains, let me toss out an idea that's been brewing for a
while.
While re-reading SP 800-63-2 for the current comment period
http://links.govdelivery.com/track?type=click&enid=ZWFzPTEmbWFpbGluZ2lkPTIwMTUwNDEwLjQzOTgwMzUxJm1lc3NhZ2VpZD1NREItUFJELUJVTC0yMDE1MDQxMC40Mzk4MDM1MSZkYXRhYmFzZWlkPTEwMDEmc2VyaWFsPTE3MTA3MzgxJmVtYWlsaWQ9U3Nob3J0ZXJAZWxlY3Ryb3NvZnQtaW5jLmNvbSZ1c2VyaWQ9U3Nob3J0ZXJAZWxlY3Ryb3NvZnQtaW5jLmNvbSZmbD0mZXh0cmE9TXVsdGl2YXJpYXRlSWQ9JiYm&&&100&&&http://csrc.nist.gov/groups/ST/eauthentication/sp800-63-2_call-comments.html,
I was reminded of the difference between strongly bound credentials and
weakly bound credentials. The strongly bound credentials bind the identity
to the token in a tamper resistant manner, e.g. the digital signature on a
X.509 certificate, while the weakly bound credentials bind in a way that
does not provide tamper resistance, e.g. /etc/passwd. The weakly bound
approach requires continuous secure operations by the service provider to
maintain integrity of their bindings (see paragraph 3 of section 7.1.1 for
discussion of this topic).
What I was wondering is whether blockchains could be used to strengthen
weakly bound approaches. For example, image a system where changes to
/etc/passwd results in a blockchain being updated in such a way that will
(1) confirm the integrity of the change and (2) log the identity of the
accountable user. Such a feature would enable a system audit to verify
that the current file is the result of a traceable sequence of authorized
changes.
I'm not sure I understand blockchains well enough to be sure this works,
but let me know if it makes sense and if anyone has heard of something like
this. I know of operating systems providing functions like this via system
auditing or at the filesystem layer, but that approach can still be
subverted through system compromise with privilege escalation.
Thoughts?
Thanks,
Scott
On Fri, Apr 17, 2015 at 10:53 AM, j stollman
All,
Attached is the ADEPT paper I mentioned on today's call.
I also include another long paper which points out several issues with blockchain technology. For much of the paper, the author creates straw man and then picks them apart. But he also raises some real points that are informative.
Jeff
--------------------------------- Jeff Stollman stollman.j@gmail.com 1 202.683.8699
Truth never triumphs — its opponents just die out. Science advances one funeral at a time. Max Planck
_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot
-- ============================================================== *Scott Shorter, Principal Security Engineer* Electrosoft *–* Fueling Customer Success Through Outstanding Value and Trust! *Woman-Owned, Minority-Owned Small Business | ISO 9001 | CMMI Level 2 * 1893 Metro Center Drive; Ste 228; Reston, VA 20190 (703) 437-9451 x21 (office); (240) 994-7793 (cell) sshorter@electrosoft-inc.com (Email); http://www.electrosoft-inc.com (Web) ==============================================================