Path: utzoo!utgpu!water!watmath!clyde!bellcore!rutgers!mailrus!uwmcsd1!ig!agate!ucbvax!INDYVAX.BITNET!IMHW400
From: IMHW400@INDYVAX.BITNET
Newsgroups: comp.os.vms
Subject: Re:  Network-wide identifiers
Message-ID: <8807081442.AA16870@ucbvax.Berkeley.EDU>
Date: 24 Jun 88 13:24:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 27

[EVERHART%ARISIA.decnet@GE-CRD.ARPA suggests a scheme for propagating security
identifiers across DECnet.]

Two thoughts on your interesting proposal:

o       Maybe the new Distributed Name Service can help out somehow?  It
        could make the identifiers' names and values known throughout the
        network, which is a start.

o       A less flexible approach can be had without so much network traffic.
        A set of identifiers {NOT_IN_AREA, NOT_SAME_IDP, NOT_TRUSTED} can
        be implemented using only information available to the service process'
        node, by examining the requestor's address.  Only NOT_TRUSTED requires
        more overhead than a longword or string comparison.  While this
        does not allow the control of individual users' access, it *does*
        allow you to lock your files against the most likely sources of
        annoyance:  other network areas (divisions?), other networks
        (organizations?), and any node known to have many holders of TWIT.
        If you don't mind some more table-lookups, you could have tables
        of trusted areas and IDPs as well.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Mark H. Wood    IMHW400@INDYVAX.BITNET   (317)274-0749 III U   U PPPP  U   U III
Indiana University - Purdue University at Indianapolis  I  U   U P   P U   U  I
799 West Michigan Street, ET 1023                       I  U   U PPPP  U   U  I
Indianapolis, IN  46202 USA                             I  U   U P     U   U  I
[@disclaimer@]                                         III  UUU  P      UUU  III
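
Added example, not part of the original post: a C sketch of how a service process could derive the three identifiers from the requestor's address alone. The address model (an IDP string plus a 16-bit Phase IV address with a 6-bit area), the flag values, the table contents, and the names restriction_ids and access_allowed are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Identifiers named in the post, as bit flags (flag values are assumed). */
enum { NOT_IN_AREA = 1u << 0, NOT_SAME_IDP = 1u << 1, NOT_TRUSTED = 1u << 2 };

/* Assumed address model: IDP string + 16-bit Phase IV address
   (area in the high 6 bits, node number in the low 10 bits). */
struct net_addr { const char *idp; uint16_t addr; };
#define AREA(a)       ((unsigned)((a) >> 10))
#define ADDR(area, n) ((uint16_t)(((area) << 10) | (n)))

/* Constructed sample table of nodes the local manager does not trust. */
static const struct net_addr untrusted[] = {
    { "47:0001", ADDR(2, 17) },
    { "47:0001", ADDR(5, 300) },
};

/* Identifiers held by a requestor, computed only from data on the
   serving node: two comparisons plus one table lookup. */
unsigned restriction_ids(const struct net_addr *local,
                         const struct net_addr *req)
{
    unsigned ids = 0, i;
    if (strcmp(local->idp, req->idp) != 0)
        ids |= NOT_SAME_IDP | NOT_IN_AREA;  /* area numbers are per-network */
    else if (AREA(local->addr) != AREA(req->addr))
        ids |= NOT_IN_AREA;
    for (i = 0; i < sizeof untrusted / sizeof untrusted[0]; i++)
        if (strcmp(untrusted[i].idp, req->idp) == 0 &&
            untrusted[i].addr == req->addr)
            ids |= NOT_TRUSTED;
    return ids;
}

/* A file is locked against every identifier set in deny_mask. */
int access_allowed(unsigned ids, unsigned deny_mask)
{
    return (ids & deny_mask) == 0;
}

int main(void)
{
    struct net_addr local = { "47:0001", ADDR(2, 1) };
    struct net_addr req   = { "47:0001", ADDR(5, 300) };  /* constructed */
    printf("ids=%u\n", restriction_ids(&local, &req));
    return 0;
}
```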