CRBAC An Introduction
CRBAC: cinnamon-roll-based access control
Convener: Justin Richer, Eve Maler
Notes-taker(s): Eve Maler
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps: Trebuchet 11
Source material: beautiful cinnamon roll
Source material: UMA2 slides
The notion of CRBAC came from an UMA2 presentation of last year.
The Winter Soldier (Bucky Barnes — two identities!) is a precious cinnamon roll, it turns out. What if you had a system that could handle someone, like him who, it turns out, was brainwashed and didn’t know who he was?
Sometimes he’s a reasonable person to allow access to, and sometimes he’s really not.
A guy in NYC started asking people in stores if he could get the “nice guy discount”. One time out of five he got a discount! The real world is malleable; the digital world, not so much.
At Consumer Identity World on a consent panel, Justin contended that consent in the real world is straightforward: you let something happen and you’re okay with it. It’s not always explicit. Trouble happens when the reading of it is in opposition to events. In digital systems, subtlety goes awry and we get lots of checkboxes.
Could we have a system where somebody is a precious cinnamon roll and they’re okay?
Thought this was going to be about RBAC! Getting away from binary yes/no sounds great. Binary yes/no leads to a lot more no’s than yes’s. Where would one of these systems be most useful? It would be a huge improvement.
This is not the same thing as contract-bound employee access to lots of stuff. Sure, there are people who know how to “work the system” and get a better work laptop.
This isn’t about “prove you are you”. This is about “you are awesome and you grant unto others the right to give you stuff”. It’s like hotel room rates.
Frank Abagnale, the guy who spoke at CIS, got all the “nice guy discounts”. In a digital world, it’s the lack of clarity and nuance, and the explicitness that these systems have. In the real world (ahem), if you want to wield Mjolnir, you have to be worthy. How do you define worthy? Some attributes aren’t checkbox-y.
Would behavioral analysis be relevant here? Absolutely. Also the ability to game systems. You can go a long way with the right look and a lot of confidence — that’s why they call it a confidence game. That’s why we’re scared of having digital systems be expressive in this way.
Some cases are higher-consequence than others. Gaming a TSA line is different from getting a discount or not. We often treat digital systems as if they’re always the most important thing ever and we sometimes don’t have good ways of modeling risk.
Sounds like this is complementary to risk-adaptive access control. If the risk is high, you’d better be a really precious cinnamon roll.
This sounds like multi-source signaling for access control, where there’s no limit to the number of sources. It’s sort of heuristic. This works quite well in meatspace, regarding things like reading faces. Risk and fraud analytics do get used.
A lot of our social systems are built around such signals. Digital systems aren’t yet this sophisticated. Or is that true? Ad systems seem to have gotten sophisticated. They’re just not working entirely on our behalf.
The physical world enforces scarcity, while the virtual world doesn’t.
Can the digital world even have precious cinnamon rolls? Doc made the points that in the virtual world there’s no “distance” as there is in the physical world. The “nice guy” discount is actually unfair and inconsistent. As engineers we don’t tend to think about building such systems. The PCR is nondeterministic. Although, ironically, an awful lot of identity systems are made to be loyalty systems.
Sometimes, when you’re shopping online, you have no idea you’re getting a discount. Sometimes you’re just dealing with incomplete information and trying to figure out what you’re dealing with, so it’s not about unfairness.
Judith shared the headline of an article from 2014 discussing a machine learning algorithm that identified which customers to give steeper discounts to: the PCR algorithm! And the Wall Street Journal recently started giving free access once again to articles to some people, if it determined that it can upsell a subscription to them.
The property of Bucky that makes him a PRC is very context-dependent, because as soon as he hears those 17 words, he changes.
Do you need to be a PCR just to exist? “I’m sorry, you need to be a PRC to vote.” Digital identity is becoming a forced intermediary to important life activities. That is a big problem.
Then again, if everyone is a cinnamon roll, is anyone a cinnamon roll? How does one even learn how to become a PCR? How does one protect against discovery?
What you need to be in order to be a PCR is different for every store clerk.
What we appear to mean here by PCR is describing the application of stereotypes. Inferences are already being made by every system. An idea brought up yesterday was that the notion of “self-owned identity” is a misnomer; identity exists only in relationship.
Then there is a web-of-trust notion where a community can say who I am. “The Internet has decided that Bucky is a cinnamon roll, and that Falcon mostly is.
The Internet is not as forgetful as the store clerk. It’s in your best interest to remember who was a PCR last time. “If the Internet were more forgetful, it would be more benign.”