Subject: Re: Systrace policy fingerprints? (Re: finer grained IPNOPRIVPORTing)
To: Brett Lymn <blymn@baesystems.com.au>
From: Simon J. Gerraty <sjg@crufty.net>
List: tech-security
Date: 06/01/2005 00:42:01
On Wed, 1 Jun 2005 09:42:39 +1000, Daniel Carosone writes:
>
>On Tue, May 31, 2005 at 04:33:11PM -0700, Simon J. Gerraty wrote:
>> >cases). If multiple signers were required before an executable was run
>> >then you would be able to enforce a "two man" rule if that was
>> >required.
>>
>> But who needs that?
>
>Consider the case where the two signers are "original third-party
>vendor" and "internal approver" (ie, QA or Change Control).

But you could achieve much the same result far simpler by simply
requiring a signature from the "internal approver" (ie, QA or Change
Control).  Ie. 90% benefit for 10% effort.

--sjg