[cap-talk] the prize - risks w. "password capabilities", "path based"

Jed Donnelley jed at nersc.gov
Mon Oct 25 19:18:59 EDT 2004


At 02:58 PM 10/25/2004, Karp, Alan H wrote:
>Jed Donnelley wrote:
> >
> > However, as I understand the functioning of "object capabilities" if
> > that same capability was invoked by another process (e.g. David received
> > it in a message from Bob and invoked it), it would still appear as "Bob's"
> > capability (proxied capability) and would not be distinguished as coming
> > from the David path.
>
>I don't know if you can do this with object capabilities; I know we
>didn't within an e-speak machine.  Instead, let's talk about the network
>case.  When Alice sends a capability to Bob on the Alice-Bob connection,
>an entry mapping the bits sent to the corresponding capability is
>entered into a table for that connection.  If Bob forwards those bits to
>David, David can present them to Alice, but there will be no entry in
>the table for the Alice-David connection.  Therefore, if David wants to
>use the capability, Bob will have to proxy for him.  In this case, the
>request comes from Bob on the Alice-Bob connection.  If David learns the
>bits by nefarious means, they won't do him any good unless he can also
>convince Bob to proxy his requests.  What I described here is exactly
>what is done in E, except that E has one mapping table per vat instead
>of one per connection.  In the E case, knowing the bits enables David to
>use the capability without involving Bob.

It seems to me this discussion is getting somewhat confused because
different levels are sometimes getting mixed.  We can speak of communication
of capabilities (rights) and communication of data (perhaps including
parts of the internal representation of a capability to be sure),
but of course communicating the representation of a capability
at some point may well not communicate the right that the
capability's representation conveys from one context to another.

The "prize" that I am shooting for is the ability to communicate rights
fully, exactly, ... - independent of where the source and destination
are.  Anybody that wishes to proxy and/or audit or restrict (e.g.
with revocable rights or rights that time out or whatever), etc. a right
before communicating it may of course do so.  That would depend on
the intended use of the communicated right, the trust of the receiver, etc.
However, I don't believe any such restrictions or policies should be tied
into the fundamental underlying rights communication mechanism.
E.g. I may want to communicate a full and unaudited right remotely
and I may want to communicate a very restricted, fully audited and
revocable (etc.) right locally.

> > Are we thinking along the same lines here?  Perhaps Alan can clarify
> > whether he was meaning the term "path based" to mean that the service
> > depended on the path in a network sense to the server or perhaps in the
> > proxied rights sense that I'm guessing Charlie is meaning.  Apologies in
> > advance if I really muddled this.
>
>I think you got it pretty much right, at least for the networked case.

Whew.

--Jed http://www.webstart.com/jed/ 
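An added illustration of the two table designs Alan describes in the quoted text above (this is example code written for this archive page, not code from e-speak, E, or either author; the connection names, the "file-42" capability and the audit list are constructed). A server that keeps one mapping table per connection rejects the bits when David presents them on his own connection, so Bob must proxy and the request is logged as coming from the Alice-Bob connection; a server with one table per vat accepts the bits from whoever holds them.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    target: str   # the object the capability designates
    right: str    # the right it conveys


class PerConnectionTable:
    """Alan's networked case: one mapping table per connection, so the
    bits sent to Bob only mean something on the Alice-Bob connection."""

    def __init__(self):
        self._tables = {}   # connection id -> {bits: Capability}
        self.audit = []     # (connection, target, right) for each successful use

    def send(self, connection, cap):
        # Hand out fresh bits and record them in the table for this connection.
        bits = secrets.token_hex(16)
        self._tables.setdefault(connection, {})[bits] = cap
        return bits

    def invoke(self, connection, bits):
        cap = self._tables.get(connection, {}).get(bits)
        if cap is None:
            return None            # no entry for these bits on this connection
        self.audit.append((connection, cap.target, cap.right))
        return cap


class PerVatTable:
    """The E case as described: one table per vat, so knowing the bits is
    enough to use the capability on any connection."""

    def __init__(self):
        self._table = {}    # bits -> Capability, shared by all connections
        self.audit = []

    def send(self, connection, cap):
        bits = secrets.token_hex(16)
        self._table[bits] = cap
        return bits

    def invoke(self, connection, bits):
        cap = self._table.get(bits)
        if cap is None:
            return None
        self.audit.append((connection, cap.target, cap.right))
        return cap


def run_scenario(server):
    """Alice sends Bob a capability; Bob forwards the bits to David.
    Returns what happens when David uses them directly and when Bob proxies."""
    cap = Capability(target="file-42", right="read")   # constructed sample right
    bits = server.send("alice-bob", cap)               # Alice -> Bob

    # David presents the forwarded bits to Alice on his own connection.
    direct = server.invoke("alice-david", bits)
    direct_seen_from = server.audit[-1][0] if direct else None

    # Bob proxies for David: the request travels on the Alice-Bob connection.
    proxied = server.invoke("alice-bob", bits)
    proxied_seen_from = server.audit[-1][0] if proxied else None

    return {
        "david_direct_ok": direct is not None,
        "direct_seen_from": direct_seen_from,
        "bob_proxy_ok": proxied is not None,
        "proxy_seen_from": proxied_seen_from,
    }


if __name__ == "__main__":
    print("per-connection:", run_scenario(PerConnectionTable()))
    print("per-vat:       ", run_scenario(PerVatTable()))
```

In the per-connection design the audit trail can only ever show Bob, which is the point made above about the proxied right not being distinguishable as coming from the David path; in the per-vat design the audit entry names David's connection, but the bits themselves are now all that protects the right.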