

Are publicly readable access lists secure? - niels_olson

The scenario I'm thinking of is actually low tech, but I suppose the answer would be general. Let me explain the problem by way of example:

The university campus uses access lists signed by faculty to allow after-hours access to various office spaces, and security simply authenticates the student by comparing the human in front of them to the name and picture on the photo ID. The downside, which I just encountered, is that the access list letters may become outdated and so, in my case, I had to call the director of the lab and ask her to call security (naturally they didn't authenticate the caller :-D)

I was wondering, is it secure for, say, the chair of the physics department to submit a signed access list letter that simply points the security department to a URL on the physics department's website?

More generally, let's say there's a system where access is tied to an authentication system. If the authentication system involves a 1:1 token (like a photo ID or a password), and the access list is only writable by trusted members who are trusted through an entirely different mechanism (like the university's LDAP or physical access to a machine), is there any reason the access list itself can't be publicly readable (eg, posted on the website)?

So, in the case of the student trying to get into the lab on the weekend, is there any reason the department chair's access list letter couldn't read like this:

============================

From: Dr Heavy Duty, Chairman, Department of Physics

To: Lieutenant Cranky, Security

Subj: Access List for locked office spaces

please refer to the following URL for a continuously updated list of people I authorize access:

http://university.edu/Physics/AccessList

Signed /H Duty/

============================

I suppose there's a corner case where you don't want to allow physical access to the webserver based on an authentication list kept on the webserver, but even then, short of cold boot dumping memory, the server itself is pretty good at controlling access.

Thoughts?
======
qhoxie
It seems like there are two aspects to the proposed scenario when there might
not need to be. The fact that a web-based list is always up to date, and the idea
that it is publicly readable. These obviously do not go hand in hand, so it
seems like a good medium would be controlling access to the digitally managed
list.

To answer the question of public ACLs, it really just depends on the
situation. In a purely physical setting, it may not be as big of an issue,
although it does open the possibility for impersonation and forgery. In a
digital setting, it can be a very bad idea in cases where brute forcing and
the like are a possibility.

Also, not terribly important, but on the last point regarding physically
accessible servers: They are never really secure.

