The Hazards of Data Caching




As previously mentioned, a DSA may, under certain circumstances, pass an operation request on to other DSAs until a DSA is found which contains the DIB information needed to respond to the request. The response is then "chained" back through each of the DSAs that propagated the request. There is, therefore, always the possibility that a propagating DSA may copy the request or the response, or both. Subsequently, that DSA could disclose information from the result without enforcing the ACLs defined in the DSA that generated the result. Allowing results to be passed back through a DSA chain may, therefore, result in violations of an organization's security policy.

This does not mean, however, that all replication of DIB data must be banned; such a ban is probably impossible to enforce and would cause the loss of advantages afforded by replicated data in a distributed database environment (advantages include increased availability of data and reduced response times). The new edition of the Directory standard contains another new feature called shadowing which provides a disciplined way to replicate data such that security policy is not violated. When information is shadowed, the standard specifies three important requirements:

  1. each unit of replication shall include all relevant ACLs; and
  2. each DSA using shadowed information shall enforce relevant ACLs exactly as they are enforced in the DSA that provided the shadowed information; and
  3. shadowed information shall not be modified (only the master copy of each entry may be modified).

A shadowing agreement also addresses how often the shadow is refreshed and which DSA is responsible for providing refreshed data.

However, even in implementations of the new standard, DSAs can still choose to copy distributed operation results and thereby gain copies of DIB information which do not include the relevant ACLs. This form of undisciplined replication is referred to as results caching. The potential problem for security authorities is that there is no effective way for the standard to preclude it.
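The contrast between disciplined shadowing and undisciplined results caching can be made concrete with a small model. This is an added illustration, not code from the original document: the DSA roles, the entry, and the ACL format (a set of requester names allowed to read) are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:                 # a DIB entry plus the ACL governing who may read it
    dn: str
    attrs: dict
    acl: frozenset           # requesters allowed to read this entry

class DSA:
    def __init__(self, master=None, peers=()):
        self.master = dict(master or {})  # entries mastered by this DSA
        self.shadow = {}                  # shadowed entries, ACLs included
        self.cache = {}                   # results cache: bare attrs, no ACL
        self.peers = list(peers)          # DSAs to which requests are chained
    def accept_shadow(self, entry):
        # Shadowing requirement 1: the unit of replication carries its ACL.
        self.shadow[entry.dn] = entry
    def modify(self, dn, **changes):
        # Shadowing requirement 3: only the master copy may be modified.
        if dn in self.shadow:
            return False
        self.master[dn].attrs.update(changes)
        return True
    def read(self, dn, requester, cache_results=False):
        entry = self.master.get(dn) or self.shadow.get(dn)
        if entry is not None:
            # Requirement 2: a shadow enforces the ACL exactly as the master does.
            return dict(entry.attrs) if requester in entry.acl else None
        if dn in self.cache:
            # Hazard: the cached result carries no ACL, so any requester gets it.
            return dict(self.cache[dn])
        for peer in self.peers:               # chain the request onward
            result = peer.read(dn, requester)
            if result is not None:
                if cache_results:
                    self.cache[dn] = result   # undisciplined copy of the result
                return result
        return None

def demo():
    entry = Entry("cn=alice,o=example", {"phone": "x1234"}, frozenset({"alice", "hr"}))
    dsa_b = DSA(master={entry.dn: entry})    # master DSA for the entry
    dsa_a = DSA(peers=[dsa_b])               # chains requests to DSA-B, caches results
    dsa_c = DSA()                            # holds a disciplined shadow of the entry
    dsa_c.accept_shadow(entry)
    dsa_a.read(entry.dn, "hr", cache_results=True)  # authorised read; result cached
    cached_leak = dsa_a.read(entry.dn, "guest")     # served from cache: ACL bypassed
    shadow_read = dsa_c.read(entry.dn, "guest")     # shadow enforces ACL: denied
    shadow_modify_blocked = not dsa_c.modify(entry.dn, phone="x9999")
    return cached_leak, shadow_read, shadow_modify_blocked
```

`demo()` returns the attributes disclosed through the cache, `None` for the denied shadow read, and `True` for the blocked shadow modification, showing why the standard can constrain shadowing but not results caching.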

Security policy should, therefore, address the problem of caching and provide policy guidelines about whether or not it is deemed a serious threat. In cases where it is considered to be a serious threat, security policy can specify that measures are to be taken to avoid caching. Such measures can include requirements such as:




John Barkley
Fri Oct 7 16:17:21 EDT 1994