[cap-talk] the prize - risks w. "password capabilities", "pathbased"
Karp, Alan H
alan.karp at hp.com
Tue Oct 26 16:27:01 EDT 2004
Jed Donnelley wrote:
> ). However, once we get up to the level of assuming we
> have communicated a capability then that right itself
> can not be "channel based". If Bob receives a capability
> he must be able to send it on if need be just like Alice
> did when originally communicating to Bob. Underneath
> the covers there may be something going on that binds
> the representation of the capability when it gets to Bob
> to a channel (address) that Bob communicates on, but
> from Bob's perspective he just has a right that he can
> exercise and/or communicate to others.
>
So far, I agree, but I expect that there's something you left out. If
Bob passes a capability that he got from Alice to David, and then Bob's
machine is shut down, I'm sure that you expect David to be able to use
Alice's capability. That implies that the capability carries with it a
means to reach Alice as well as being invoked on the Alice-David
connection. That's a wonderful way to build a system as long as David
can't use the capability if he surreptitiously read it from Bob's
machine. As you've shown, that can be done.
We chose to build a different system. In our system, Bob could choose
to mediate all requests on that capability between Alice and David. In
this case, as far as David knew, Bob was the provider of the right. If
Bob's machine failed, David lost access to the resource exactly as he
would were Bob the provider. If Bob did not want to mediate these
requests, he would introduce Alice to David. This introduction provided
the means for David to contact Alice. I think we settled on this
approach because of our enterprise background. Bob could be a process
on a corporate gateway machine that mediated all requests from inside to
outside the company.
We also considered a variety of use cases from the virtual enterprise.
Say that Alice shares a right with Bob in a supplier's company. Say
that Bob is subcontracting part of the work. Whether or not he passes
Alice's capability on to David should not affect Alice in any way, even
to the extent of setting up a separate connection for David. Bob is
always free to introduce David to Alice, but this introduction is a
matter of policy, not architecture.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
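The two sharing designs contrasted above, as an added Python illustration that is not code from this post or from HP's system. The names Alice, Bob and David, the `Resource`, `MediatingProxy` and `Principal` classes and the `scenario` function are all constructed for the example. A capability is modelled as an object reference: whoever holds the reference holds the right. With `mediate`, David holds Bob's proxy and loses the right when Bob's machine goes offline, and Alice only ever sees Bob invoking it; with `introduce`, David holds the direct reference and Bob's availability no longer matters.

```python
"""Mediation vs. introduction when Bob passes Alice's capability to David.

Constructed illustration: names, classes and scenario are assumptions,
not the design described in the post.
"""
from dataclasses import dataclass, field


class CapabilityRevoked(Exception):
    """The mediator that hosted this capability is no longer reachable."""


class Resource:
    """Alice's resource; a reference to it is the capability."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.served: list[str] = []  # whom Alice believes invoked the right

    def read(self, caller: str) -> str:
        self.served.append(caller)
        return f"data from {self.owner}"


class MediatingProxy:
    """Bob's proxy: David holds this object, not Alice's resource.

    Every request passes through Bob, who can apply policy and sees the
    traffic. To Alice the invoker is Bob; to David the provider is Bob.
    When Bob's machine goes down, the proxy dies with it.
    """

    def __init__(self, mediator: str, target: Resource) -> None:
        self.mediator = mediator
        self._target = target
        self._alive = True

    def read(self, caller: str) -> str:
        if not self._alive:
            raise CapabilityRevoked(f"{self.mediator}'s machine is down")
        return self._target.read(self.mediator)  # Alice sees Bob, not David

    def shutdown(self) -> None:
        self._alive = False


@dataclass
class Principal:
    name: str
    caps: dict = field(default_factory=dict)    # label -> capability held
    hosted: list = field(default_factory=list)  # proxies running on my machine

    def mediate(self, label: str, to: "Principal") -> None:
        """Share by proxy: a policy choice to stay in the request path."""
        proxy = MediatingProxy(self.name, self.caps[label])
        self.hosted.append(proxy)
        to.caps[label] = proxy

    def introduce(self, label: str, to: "Principal") -> None:
        """Share by introduction: hand over the direct reference."""
        to.caps[label] = self.caps[label]

    def go_offline(self) -> None:
        """Simulate this principal's machine being shut down."""
        for proxy in self.hosted:
            proxy.shutdown()


def scenario(how: str) -> dict:
    """Bob passes Alice's capability to David by 'mediate' or 'introduce',
    then Bob's machine is shut down. Returns what David got before and
    after, and whom Alice saw invoking the right."""
    alice_doc = Resource("Alice")
    bob = Principal("Bob", caps={"doc": alice_doc})  # Alice already shared it
    david = Principal("David")
    getattr(bob, how)("doc", david)

    before = david.caps["doc"].read("David")
    bob.go_offline()
    try:
        after = david.caps["doc"].read("David")
    except CapabilityRevoked as exc:
        after = f"revoked: {exc}"
    return {"before": before, "after": after, "alice_saw": alice_doc.served}


if __name__ == "__main__":
    for how in ("mediate", "introduce"):
        print(how, scenario(how))
```

Running it shows the trade-off in the post directly: the mediated path gives Bob a policy enforcement point (the gateway case) at the cost of making him a single point of failure, while the introduced path makes David independent of Bob but means Alice now sees David as a caller.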