Thanks Jeff. Speaking of blockchains, let me toss out an idea that's been brewing for a while.

While re-reading SP 800-63-2 for the current comment period <http://csrc.nist.gov/groups/ST/eauthentication/sp800-63-2_call-comments.html>, I was reminded of the difference between strongly bound credentials and weakly bound credentials. The strongly bound credentials bind the identity to the token in a tamper-resistant manner, e.g. the digital signature on an X.509 certificate, while the weakly bound credentials bind in a way that does not provide tamper resistance, e.g. /etc/passwd. The weakly bound approach requires continuous secure operations by the service provider to maintain the integrity of their bindings (see paragraph 3 of section 7.1.1 for discussion of this topic).

What I was wondering is whether blockchains could be used to strengthen weakly bound approaches. For example, imagine a system where changes to /etc/passwd result in a blockchain being updated in such a way that will (1) confirm the integrity of the change and (2) log the identity of the accountable user. Such a feature would enable a system audit to verify that the current file is the result of a traceable sequence of authorized changes.

I'm not sure I understand blockchains well enough to be sure this works, but let me know if it makes sense and if anyone has heard of something like this. I know of operating systems providing functions like this via system auditing or at the filesystem layer, but that approach can still be subverted through system compromise with privilege escalation. Thoughts?
Thanks,
Scott

On Fri, Apr 17, 2015 at 10:53 AM, j stollman <stollman.j@gmail.com> wrote:
All,
Attached is the ADEPT paper I mentioned on today's call.
I also include another long paper which points out several issues with blockchain technology. For much of the paper, the author creates straw men and then picks them apart. But he also raises some real points that are informative.
Jeff
---------------------------------
Jeff Stollman
stollman.j@gmail.com
1 202.683.8699

Truth never triumphs — its opponents just die out. Science advances one funeral at a time. Max Planck

_______________________________________________
DG-IDoT mailing list
DG-IDoT@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idot
--
==============================================================
Scott Shorter, Principal Security Engineer
Electrosoft – Fueling Customer Success Through Outstanding Value and Trust!
Woman-Owned, Minority-Owned Small Business | ISO 9001 | CMMI Level 2
1893 Metro Center Drive; Ste 228; Reston, VA 20190
(703) 437-9451 x21 (office); (240) 994-7793 (cell)
sshorter@electrosoft-inc.com (Email); http://www.electrosoft-inc.com (Web)
==============================================================
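A sketch of the change log Scott proposes above, as an added example that is not part of the original thread and not anyone's deployed system: each edit to /etc/passwd becomes an entry that records the digest of the file before and after the change and the accountable user, and is linked to the previous entry by hash, so an auditor can walk the chain from the genesis value to the present file. The sample passwd lines, the actor names and the audit key are constructed for the example. The HMAC tag is an assumed stand-in for whatever authorization a real deployment would use (a signature by the approver's key, or a receipt from an external append-only log); it is modelled as a key the host does not hold, because a chain whose key lives on the same box is exactly what a root compromise can forge. The result is tamper evidence rather than tamper resistance: an unlogged edit is not prevented, but it can no longer pass an audit.

```python
import hashlib
import hmac
import json

# Constructed sample data: three successive versions of a small
# /etc/passwd-style file. Illustrative only, not taken from any real host.
PASSWD_V0 = "root:x:0:0:root:/root:/bin/bash\n"
PASSWD_V1 = PASSWD_V0 + "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
PASSWD_V2 = PASSWD_V1 + "bob:x:1001:1001:Bob:/home/bob:/bin/sh\n"

GENESIS = "0" * 64  # chain hash that the first entry links to
BODY_FIELDS = ("seq", "prev", "before", "after", "actor")


def file_digest(contents: str) -> str:
    """SHA-256 of the file contents: identifies one exact version of the file."""
    return hashlib.sha256(contents.encode()).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash of the entry body (everything but its own hash and tag) over
    canonical JSON, so field order cannot change the digest."""
    body = {k: entry[k] for k in BODY_FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def entry_mac(audit_key: bytes, entry_hash: str) -> str:
    """Authorization tag over the chain hash. Assumed design: the key is held
    by the party approving changes, not by the host being audited."""
    return hmac.new(audit_key, entry_hash.encode(), "sha256").hexdigest()


class PasswdChain:
    """Append-only log: one entry per change, each linked to the previous one."""

    def __init__(self, audit_key: bytes):
        self.audit_key = audit_key
        self.entries = []

    def tip(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def record_change(self, before: str, after: str, actor: str) -> dict:
        entry = {"seq": len(self.entries), "prev": self.tip(),
                 "before": file_digest(before), "after": file_digest(after),
                 "actor": actor}
        entry["hash"] = entry_digest(entry)
        entry["mac"] = entry_mac(self.audit_key, entry["hash"])
        self.entries.append(entry)
        return entry


def verify_chain(entries, current_contents, audit_key, authorized_actors):
    """Audit check: is the current file the end of an unbroken sequence of
    authorized, authenticated changes? Returns (ok, reason)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, f"entry {i}: broken link to previous entry"
        if e["hash"] != entry_digest(e):
            return False, f"entry {i}: body does not match its hash"
        if not hmac.compare_digest(e["mac"], entry_mac(audit_key, e["hash"])):
            return False, f"entry {i}: authorization tag invalid"
        if e["actor"] not in authorized_actors:
            return False, f"entry {i}: actor {e['actor']!r} not authorized"
        if i > 0 and e["before"] != entries[i - 1]["after"]:
            return False, f"entry {i}: change does not start from previous state"
        prev = e["hash"]
    if entries and file_digest(current_contents) != entries[-1]["after"]:
        return False, "current file does not match the last recorded change"
    return True, "ok"


def demo() -> dict:
    """Honest history plus three tampering scenarios; returns each verdict."""
    key = b"audit-key-held-by-approver"  # constructed; never stored on the host
    authorized = {"scott", "jeff"}
    chain = PasswdChain(key)
    chain.record_change(PASSWD_V0, PASSWD_V1, "scott")
    chain.record_change(PASSWD_V1, PASSWD_V2, "jeff")
    results = {"honest": verify_chain(chain.entries, PASSWD_V2, key, authorized)}
    # 1. Attacker with root edits the file directly and records nothing.
    tampered = PASSWD_V2 + "mallory:x:0:0::/root:/bin/bash\n"
    results["unlogged_edit"] = verify_chain(chain.entries, tampered, key, authorized)
    # 2. Attacker rewrites the actor on an old entry to shift blame.
    forged = [dict(e) for e in chain.entries]
    forged[0]["actor"] = "jeff"
    results["rewritten_actor"] = verify_chain(forged, PASSWD_V2, key, authorized)
    # 3. Attacker appends an entry for the edit, recomputing the hash but
    #    without the audit key; the tag check catches it.
    fake = {"seq": 2, "prev": chain.tip(), "before": file_digest(PASSWD_V2),
            "after": file_digest(tampered), "actor": "scott"}
    fake["hash"] = entry_digest(fake)
    fake["mac"] = entry_mac(b"wrong-key", fake["hash"])
    results["forged_entry"] = verify_chain(chain.entries + [fake], tampered, key, authorized)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16s} {'PASS' if ok else 'FAIL'}  {reason}")
```

Running the script prints one verdict per scenario: the honest history passes, the unlogged edit fails at the final file comparison, the rewritten actor fails at entry 0's hash check, and the forged entry fails at entry 2's tag check. Linking each entry's "before" digest to the previous entry's "after" is what makes the sequence traceable rather than merely logged: an entry that does not start from the last recorded state is rejected even if it is otherwise well formed.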