Re: SE-PostgreSQL Specifications

From: Sam Mason
Subject: Re: SE-PostgreSQL Specifications
Date:
Msg-id: 20090728101314.GZ5407@samason.me.uk
In reply to: Re: SE-PostgreSQL Specifications  (Chris Browne <cbbrowne@acm.org>)
List: pgsql-hackers
On Mon, Jul 27, 2009 at 01:53:07PM -0400, Chris Browne wrote:
> sam@samason.me.uk (Sam Mason) writes:
> > On Sun, Jul 26, 2009 at 01:42:32PM +0900, KaiGai Kohei wrote:
> >> Robert Haas wrote:
> >> In some cases, the clearance of information may be changed. We often
> >> have some more complex requirements also.
> >
> > OK, so there is some other trusted entity that has unfettered access to
> > both databases and its job is to manage these requirements.
> 
> No, that's not what this implies.
>
> What this implies is along the following lines...
> 
>  If a user at the "more secret" level updates some data that had been
>  classified at a lower level, then that data gets reclassified at the
>  higher level.

I still think it does; but maybe there are other ways of arranging
things.  The problem seems to be that if each user only has write access
to their own level then there is no bound as to how far the two databases
will get out of sync with each other.  Some way has to be made of
"declassifying" data and so bound the amount of difference between the
two.  This declassification cannot be done by a normal user as they can
only write in their own level.  This "trusted entity" has to exist to
punch a hole in the security to do something that wouldn't otherwise be
allowed to happen; information normally only flows "up" the hierarchy.

--  Sam  http://samason.me.uk/
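
Added example, not part of the original message and not SE-PostgreSQL code: a toy Python model of the argument above, in which ordinary users write only at their own level, the low and high views drift apart with every higher-level update, and only a trusted entity can copy data back down. The class, method names, level names and sample rows are all constructed for illustration.

```python
LEVELS = {"unclassified": 0, "secret": 1}  # assumed two-level hierarchy


class LabelledStore:
    """Toy model: one logical table with a separate copy of each row per level."""

    def __init__(self):
        self.rows = {}  # key -> {level name: value}

    def write(self, user_level, key, value, target_level=None):
        """Ordinary users may write only at their own level."""
        target_level = target_level or user_level
        if target_level != user_level:
            raise PermissionError("ordinary users cannot write outside their level")
        self.rows.setdefault(key, {})[target_level] = value

    def read(self, user_level, key):
        """Return the highest-labelled copy at or below the reader's level."""
        visible = {lvl: val for lvl, val in self.rows.get(key, {}).items()
                   if LEVELS[lvl] <= LEVELS[user_level]}
        if not visible:
            return None
        return visible[max(visible, key=LEVELS.get)]

    def divergence(self, low, high):
        """Number of keys on which the two levels see different data."""
        return sum(self.read(low, k) != self.read(high, k) for k in self.rows)

    def declassify(self, key, from_level, to_level, trusted=False):
        """Copy a row down the hierarchy; only the trusted entity may do this."""
        if not trusted:
            raise PermissionError("declassification requires the trusted entity")
        self.rows[key][to_level] = self.rows[key][from_level]


def demo():
    store = LabelledStore()
    for i in range(3):  # constructed sample rows
        store.write("unclassified", f"row{i}", "v1")
        store.write("secret", f"row{i}", "v2")  # update lands at the higher level
    before = store.divergence("unclassified", "secret")
    try:
        store.write("secret", "row0", "v2", target_level="unclassified")
        write_down_blocked = False
    except PermissionError:
        write_down_blocked = True
    store.declassify("row0", "secret", "unclassified", trusted=True)
    after = store.divergence("unclassified", "secret")
    return before, write_down_blocked, after
```

`demo()` returns the divergence before declassification, whether the ordinary write-down was refused, and the divergence after the trusted entity declassified one row.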

