CORBA34 — Firewall POA Policy does not control access

Summary: In orbos/98-07-03 4.9 it says "However, it is desirable to provide a
portable means by which the object implementor can decide whether an
object could be accessible through a firewall. The following POA
policy is defined for this purpose:" but this policy can at most
control what components are included in references created by the
POA. Since the references do not have any mechanism to defend against
forgery, exclusion of a FirewallMechanism component does not prevent
access through a firewall. If an attacker obtains some other reference
with the FirewallMechanism component(s), it can convert a reference
created under NO_EXPORT into the reference that would have been
created under EXPORT.

The description of the policy needs to be changed to make it clear
that the policy does not imply any access control enforcement. The
ability of an attacker to forge references, either by combining parts
of other references, or otherwise, should be explicitly stated as a
security issue that must be addressed by means outside this
specification.

Deferred

This proposal was generated automatically by request of the Task Force Chair Adam Mitz.