Steven M. Bellovin wrote:
> On Fri, 25 Aug 2006 23:13:40 +0200, Elad Efrat <elad@NetBSD.org> wrote:
>
>
>   
>> MLS (Multi-Level Security) is a rather vague (and big!) term. :)
>>
>>     
>
> Big, yes; vague, no.  (Btw, Biba uses the same sort of primitives to
> address integrity rather than confidentiality.  I could explain, but it
> would be a vast digression for this list.)
>
> I do think, though, that MLS solves a problem that no one has anymore.
> That is, it's a security mechanism designed (a) for mainframes, (b) with
> timesharing terminals if necessary, (c) mostly without networks, and (d)
> useful at most for the Defense Department, and generally not even for
> them.  It's quite useless for almost any other security situation, and
> doesn't even work for DoD in a world of PCs, all-seeing/all-dancing word
> processors (be they Microsoft Word or Emacs), and Web browsers..
>
> 		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
>   

I don't agree with this.  There are applications where MLS is very
useful.  I've been involved with solutions involving them.  For example,
hypothetical scenario:

    Shipboard networks.  Each network is labeled.

    With MLS systems, you can have a single system at a workstation.  (A
single terminal.)

    With normal PCs, they have to deploy one workstation per level. 
This is very, very inconvenient.

The Navy loves Sun Ray systems running with a Sun Ray server running
TSOL.  They can deploy one thin client (end-to-end encryption, the
client is mostly a "dumb" terminal as you indicated), and one MLS TSOL
system.  Cuts down shipboard IT infrastructure considerably.  Plus, when
one Sun Ray fails, they just replace it with another one, no need to
load software or worry about destroying persistent storage, etc.

-- 
Garrett D'Amore, Principal Software Engineer
Tadpole Computer / Computing Technologies Division,
General Dynamics C4 Systems
http://www.tadpolecomputer.com/
Phone: 951 325-2134  Fax: 951 325-2191