[cap-talk] disputing the slam against network capabilities, esp. confinement/auditing
jed at nersc.gov
Mon Oct 25 18:43:30 EDT 2004
At 02:14 PM 10/25/2004, Karp, Alan H wrote:
> > -----Original Message-----
> > From: cap-talk-bounces at mail.eros-os.org
> > [mailto:cap-talk-bounces at mail.eros-os.org] On Behalf Of Jed Donnelley
> > Sent: Friday, October 22, 2004 7:55 PM
> > To: General discussions concerning capability systems.
> > Subject: RE: [cap-talk] disputing the slam against network capabilities, esp. confinement/auditing
> > At 11:54 AM 10/18/2004, Karp, Alan H wrote:
> > >There are no undetectable or unauditable capabilities in a "capability
> > >as designators" system. The clist held in the "TCB" (I don't like the
> > >"universal" qualifier; it sounds too much like it applies to the whole
> > >universe of systems.) tells you everything the process can do. Whether
> > >or not that information is available to a user is open to question.
> > With regard to communication between mutually suspicious processes
> > (generally as between Alice and Bob) there can of course be no assumption
> > that Alice (or anybody) has access to Bob's c-list. I see this notion
> > of auditability as nearly useless for this "prize" of secure communication
> > between mutually suspicious processes.
>Alice's machine can have a process acting as a proxy for Bob that has a
>clist containing all the rights that Alice has passed to Bob. If all
>uses of that capability go through that proxy, no matter who uses them,
>then Alice's machine will have the same information about her rights
>that it has in the local case. In this case, all remote users of the
>capability are lumped into a single logical unit, which is probably the
>best you can do.
Of course if Alice wishes to proxy all the rights that she passes to
Bob (whether Bob is local or remote) that is her choice. She may
also audit any such capabilities. This is true whether she is using
a capabilities-as-descriptors model (where did the "designators" term
come from?) or capabilities-as-data, and whether the capabilities are
communicated locally or across a network.
Perhaps I've lost the focus of this thread? Is there a difference of opinion
somewhere that I'm missing?
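The proxy arrangement discussed above (Alice keeps a proxy whose clist holds exactly the rights she passed to Bob, every use goes through it, and all remote users of those rights are lumped into one logical unit that Alice can audit or cut off) can be sketched in a few dozen lines. The following is an added example, not code from Jed, Alan or any capability system mentioned in the thread; the names FileCap, delegate, AuditEntry and scenario, and the in-memory "file" and audit log, are assumptions made for illustration.

```python
"""Auditing, revocable proxy for rights delegated to a mutually suspicious party.

Added example (not from the cap-talk thread). FileCap, delegate, AuditEntry
and scenario are illustrative names; the file contents and audit log are
constructed in memory so the script runs stand-alone.
"""
from dataclasses import dataclass


class FileCap:
    """A capability in the object-capability sense: holding a reference to
    this object IS the right to use it. There is no global registry or name
    lookup through which someone without the reference could reach it."""

    def __init__(self, contents=b""):
        self._contents = bytearray(contents)

    def read(self):
        return bytes(self._contents)

    def write(self, data):
        self._contents.extend(data)
        return len(data)


@dataclass
class AuditEntry:
    holder: str     # the logical unit (proxy) the use arrived through
    method: str     # which delegated right was exercised
    args: tuple


def delegate(holder, target, allowed, log):
    """Build Alice's proxy for one delegate (e.g. 'bob').

    Returns (facet, revoke). Alice hands `facet` to Bob and keeps `revoke`.
    The facet's clist is exactly `allowed`; every use is recorded in `log`
    on Alice's side. Bob may pass the facet on to anyone, but all such uses
    still flow through it and are attributed to the one unit `holder`.
    """
    allowed = frozenset(allowed)
    state = {"revoked": False}

    class Facet:
        def clist(self):
            """What this delegate can currently do, knowable to Alice without
            any access to Bob's own clist."""
            return set() if state["revoked"] else set(allowed)

        def invoke(self, method, *args):
            if state["revoked"]:
                raise PermissionError(f"{holder}: delegated rights revoked")
            if method not in allowed:
                raise PermissionError(f"{holder}: no '{method}' right delegated")
            log.append(AuditEntry(holder, method, args))
            return getattr(target, method)(*args)

    def revoke():
        state["revoked"] = True

    return Facet(), revoke


def scenario():
    """Alice delegates read/write on a file to Bob; Bob forwards the facet to
    Carol; Alice audits, then revokes. Returns the observations for checking."""
    log = []
    alice_file = FileCap(b"hello ")                       # constructed sample
    bob_facet, revoke_bob = delegate("bob", alice_file, {"read", "write"}, log)

    clist_before = bob_facet.clist()
    bob_facet.invoke("write", b"world")

    carol_facet = bob_facet          # forwarding the reference shares the right
    carol_read = carol_facet.invoke("read")

    denied_delete = False            # a right Alice never delegated
    try:
        carol_facet.invoke("delete")
    except PermissionError:
        denied_delete = True

    revoke_bob()                     # Alice cuts off the whole logical unit
    denied_after_revoke = False
    try:
        carol_facet.invoke("read")
    except PermissionError:
        denied_after_revoke = True

    return {
        "clist_before": clist_before,
        "clist_after": bob_facet.clist(),
        "carol_read": carol_read,
        "log": log,
        "denied_delete": denied_delete,
        "denied_after_revoke": denied_after_revoke,
    }


if __name__ == "__main__":
    for entry in scenario()["log"]:
        print(entry)
```

Note what the audit log does and does not say: both entries are attributed to "bob" even though Carol made the read, because the proxy is the unit of delegation, which is the "lumped into a single logical unit" limitation Alan describes. The revoke closure is kept on Alice's side only; Bob's facet exposes no way to widen or keep his rights, whether the facet is held locally or marshalled across a network.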