[cap-talk] What are caps good for? "Encapsulation"? POLA vs. confinement - long, but with some meat
alan.karp at hp.com
Fri May 14 19:33:58 EDT 2004
Jed Donnelley wrote:
> > It will fail even if they both proxy since no single request can carry
> > both capabilities.
> In that case apparently it would fail even if both capabilities were
> passed directly also? I'm still trying to tease out any relevance
> to the "don't share" (delegate, whatever, any effort to restrict the
> right to share any received capability over any open communication
> channel). Sorry for laboring such a seemingly minor point.
Not at all. It's helping me clarify my thinking. MarkM uses rights amplification to create digital money as in http://www.erights.org/elib/capability/ode/ode.pdf, but I had to work hard to understand it.
A simpler example is encrypted data. Say that I have a capability to an encrypted file, F, and one to the decryption key, K. The contents can be read by F.decrypt(K). I can give K to Alice and F to Bob. If these capabilities can't be delegated, my data stays private even if both Alice and Bob proxy for Carol. If I trust Trent, I can give him both F and K, and the command will succeed for him.
Sorry for the delay in responding. I spent most of the afternoon googling for a good example. It's amazing the amount of confusion out there. Most of the entries refer to rights amplification to attack master keys for door locks. Others treat Unix setuid as a form of rights amplification, which it might be, but not from a capability perspective.
Technical Computing Research Group
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
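The F.decrypt(K) example above, worked through as runnable code. This is an added illustration, not code from the post or from any capability system it mentions; the class names (Key, EncryptedFile, Principal), the Alice/Bob/Trent scenario, and the SHA-256 counter-mode stream cipher standing in for a real one are all assumptions made here. The point it shows is that F alone yields only ciphertext, K alone yields nothing readable, and the one operation that amplifies the pair into plaintext is F.decrypt(K); the Principal class models the "can't be delegated" reading, under which a request is issued by one party and can carry only capabilities that party holds.

```python
import hashlib
import secrets

# Constructed sample data for the scenario.
PLAINTEXT = b"salary review: raise for everyone except the auditors"


class Key:
    """Capability to the decryption key K.  The raw bytes stay inside the
    object; the only thing a holder can do with K is hand it to F.decrypt."""

    def __init__(self, raw: bytes):
        self._raw = raw

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # Counter-mode keystream from the key and a per-file nonce.  This is a
        # stdlib-only stand-in cipher, not something to copy into production.
        out = b""
        counter = 0
        while len(out) < length:
            out += hashlib.sha256(self._raw + nonce + counter.to_bytes(8, "big")).digest()
            counter += 1
        return out[:length]


class EncryptedFile:
    """Capability to the encrypted file F.  Holding F lets you see the
    ciphertext and call decrypt, but decrypt produces the contents only when
    handed the matching Key capability."""

    def __init__(self, nonce: bytes, ciphertext: bytes):
        self._nonce = nonce
        self.ciphertext = ciphertext  # visible to any holder of F

    @classmethod
    def seal(cls, key: Key, plaintext: bytes) -> "EncryptedFile":
        nonce = secrets.token_bytes(16)
        stream = key._keystream(nonce, len(plaintext))
        return cls(nonce, bytes(a ^ b for a, b in zip(plaintext, stream)))

    def decrypt(self, key: Key) -> bytes:
        # The rights-amplifying operation: F or K alone is useless, the pair
        # together reveals the contents.
        if not isinstance(key, Key):
            raise TypeError("decrypt requires a Key capability")
        stream = key._keystream(self._nonce, len(self.ciphertext))
        return bytes(a ^ b for a, b in zip(self.ciphertext, stream))


class Principal:
    """A party holding capabilities.  Under the post's no-delegation
    assumption a request is made by one principal and can name only the
    capabilities that principal holds, so proxying for someone else cannot
    smuggle a second capability into the same request."""

    def __init__(self, name: str):
        self.name = name
        self._held = set()  # capabilities are compared by identity

    def grant(self, *caps) -> None:
        self._held.update(caps)

    def read(self, f: EncryptedFile, k: Key) -> bytes:
        """Issue the single request F.decrypt(K) as this principal."""
        if f not in self._held or k not in self._held:
            raise PermissionError(f"{self.name} does not hold both F and K")
        return f.decrypt(k)


def scenario() -> dict:
    """Alice gets F, Bob gets K, Trent gets both; each tries to read.
    Carol holds nothing, so her best attempt is to go through Alice or Bob,
    and their failures are hers."""
    K = Key(secrets.token_bytes(32))
    F = EncryptedFile.seal(K, PLAINTEXT)
    alice, bob, trent = Principal("Alice"), Principal("Bob"), Principal("Trent")
    alice.grant(F)
    bob.grant(K)
    trent.grant(F, K)
    results = {}
    for p in (alice, bob, trent):
        try:
            results[p.name] = p.read(F, K)
        except PermissionError:
            results[p.name] = None
    return results


def wrong_key_reveals_nothing() -> bool:
    """An unrelated Key turns F into noise; only the matching Key restores it."""
    K1, K2 = Key(secrets.token_bytes(32)), Key(secrets.token_bytes(32))
    F = EncryptedFile.seal(K1, PLAINTEXT)
    return F.decrypt(K2) != PLAINTEXT and F.decrypt(K1) == PLAINTEXT


if __name__ == "__main__":
    for who, got in scenario().items():
        print(f"{who:6}: {'denied' if got is None else got.decode()}")
```

Two caveats. The Principal check is the whole model of non-delegation: in an ordinary object-capability system Alice could simply pass F along to Carol, and then Carol, holding F and having received K from Bob, would succeed exactly as Trent does. And the stand-in cipher is unauthenticated, so a holder of F can tamper with the ciphertext undetected; rights amplification says who may read, not whether what they read is intact.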