From: The Purple Streak (Hilarie Orman)
In the case of the user's prerogatives being subverted (errh, subsumed)
by his local administrator, the security viewpoint here is that the
end user has already "delegated" his authority to the local
administrator (color me data consumer), and thus, OPES is not
interfering with any ability that was not previously compromised.
I.e., OPES can avoid interfering but it cannot fix the world.
You are right, but this means OPES should adapt to this imperfect world.
A situation with the trust/administrative authority being different from the end
user (in the sense of the end point of data reception) is completely valid and
should be explicitly included in the security considerations. This
configuration essentially means that there may be an intermediate point in
the data path that has higher authority than the end point. And a symmetric
configuration for a CDN also moves the "ultimate authority point" downstream in
the data flow.
I suggest changing the security model by introducing start-of-authority and
end-of-authority points that are different from the start and the end of the data flow.
The whole notion of end-to-end should be adjusted to the situation where the
dataflow path and the authority propagation path are different. This is
different from the proposed model:
3.1 Trust Domains
The delegation of authority starts at either a data consumer or data
provider and moves to more distant entities in a "stepwise" fashion.
These "higher authority" points may specifically limit the tracing/enquiry
abilities of the end user.
On the other hand tracing should support the ability to find the source of
One more security mechanism to consider in addition to tracing is reporting.
For example, the data source may include a request to the end user to report
specific change notifications. Or the end user may (automatically?) report
suspected problems to the source of authority.