[cap-talk] Semantics : is this a capability system & am I using the right semantics?

Jed at Webstart donnelley1 at webstart.com
Tue Apr 12 20:30:12 EDT 2005


At 05:13 PM 4/12/2005, David Hopwood wrote:
>Rob J Meijer wrote:
>>On Tue, 12 Apr 2005, David Hopwood wrote:
>>
>>>However, being required by the system design to partition capabilities
>>>into role-sets chosen in advance is quite limiting (unless the sets
>>>each contain a single capability and objects can assume more than one
>>>role-set; in that case it is not limiting, but is pointlessly complex).
>>The main goal of the system I am working on is creating an authorization
>>system with hooks for an incident response system. The incident response
>>system will to a great extent initiate role changes, for example changing
>>the role of a 'server', based on the fact that the server software is
>>determined to be either 'fully-patched', 'vulnerable', or 'compromised'.

<Did the above comment by Rob go to the list?  I didn't see it.>

Perhaps we need another example.  What fits most with me is
David's comment:

>...If the app <server> is already using least authority, then restricting
>its authority further *will* break things other than the vulnerable
>subcomponent.

I think this is a necessary situation.  In the appropriate configuration
the server only has the authorities (e.g. as capabilities) that it needs
to play its required role.  If the server software is determined to be
vulnerable enough that even that minimal set of authorities is too
many, then it just needs to be stopped until it can be repaired.

Perhaps there are other examples that aren't so cut and dried?

--Jed http://www.webstart.com/jed/ 
