[cap-talk] Semantics : is this a capability system & am I using the right semantics? (fwd)

Rob Meijer capibara at xs4all.nl
Wed Apr 13 03:41:02 EDT 2005


On Tue, 12 Apr 2005, Jed at Webstart wrote:

> <Did the above comment by Rob go to the list?  I didn't see it.>

I seem to have sent it while replying to the list with the wrong
mail address. I'll send my last two posts again:

On Tue, 12 Apr 2005, David Hopwood wrote:

> # A second type of role based systems does involve some state. In this
> # type of system a user can assume a role from its profile, only one role
> # at a time.
>
> In a capability system, when an object (= subject) makes a request, it
> must present all of the capabilities needed for that request. An object
> can, if its programmer wants, partition the capabilities it holds into
> sets that are equivalent to roles, thus simulating a role-based system.
> In fact this simulates a more expressive role-based system in which an
> object can assume more than one role for a given request.
>
> However, being required by the system design to partition capabilities
> into role-sets chosen in advance is quite limiting (unless the sets
> each contain a single capability and objects can assume more than one
> role-set; in that case it is not limiting, but is pointlessly complex).

The main goal of the system I am working on is creating an authorization
system with hooks for an incident response system. The incident response
system will to a great extent initiate role changes, for example changing
the role of a 'server', based on the fact that the server software is
determined to be either 'fully-patched', 'vulnerable', or 'compromised'.
Likewise a user or a file or any other type of stateful object could,
based on incidents, be assigned another role by the IDS.

If I understand correctly what you mean by limiting, I believe this
form of limiting might be the core requirement for being able to
create the required hooks for incident response. 'role' might not be the
right semantics, but I definitely need the capabilities to only be
usable within such constraints with respect to the IDS-issued state of the
objects. I hope this makes some sense.

> There is no evidence to suggest that it would help. To achieve POLA the
> programmer should just pass whatever individual capabilities are needed.
> So in a capability system it is entirely unnecessary to have roles as a
> base concept.

Given the importance of the IDS-imposed state on objects, what
alternatives would there be to still implement the strict dependence on
these without resorting to roles?

T.I.A.

Rob
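Added illustration, not part of the thread and not code from any poster: one way to express the "capabilities only usable within constraints with respect to IDS-issued object state" requirement in a capability model without introducing roles as a base concept. Each capability handed out is a checking forwarder (the classic caretaker pattern) around the real method; the holder keeps the same capability through every state change, and only the party holding the state registry (the IDS / incident response system) can change what that capability is currently able to do. All names (ServerState, StateRegistry, FileServer, gate) are hypothetical, and the state-to-operation policy table is constructed for the example.

```python
"""Toy model: capabilities gated on IDS-issued object state (caretaker pattern).

Constructed example. Names and the ALLOWED policy table are assumptions,
not taken from any real system.
"""
from enum import Enum


class ServerState(Enum):
    """The three states the thread mentions for a server object."""
    FULLY_PATCHED = "fully-patched"
    VULNERABLE = "vulnerable"
    COMPROMISED = "compromised"


# Constructed policy: which IDS-issued states still permit each operation.
# Unknown operations are rejected by the KeyError in gate(); states absent
# from a set are denied, so a new state is fail-closed by default.
ALLOWED = {
    "read":  {ServerState.FULLY_PATCHED, ServerState.VULNERABLE},
    "write": {ServerState.FULLY_PATCHED},
}


class StateRegistry:
    """Holds the IDS-issued state per object.

    Only the IDS / incident response system holds a reference to this
    registry; holders of gated capabilities cannot reach it, so they can
    neither read nor alter the state that constrains them.
    """

    def __init__(self):
        self._state = {}

    def set_state(self, obj, state):
        self._state[id(obj)] = state

    def state_of(self, obj):
        # An object the IDS has never assessed is treated as compromised
        # (fail-closed), a defensive default chosen for this example.
        return self._state.get(id(obj), ServerState.COMPROMISED)


class FileServer:
    """Stand-in for the 'server' object whose role the IDS would change."""

    def __init__(self):
        self.data = {}

    def read(self, key):
        return self.data.get(key)

    def write(self, key, value):
        self.data[key] = value


class Denied(Exception):
    """Raised when a capability is used while its target's state forbids it."""


def gate(registry, target, op_name):
    """Return a capability (a closure) to target.<op_name>.

    Every invocation re-checks the target's current IDS-issued state, so a
    state change takes effect immediately for every outstanding capability.
    The raw bound method never escapes, so the check cannot be bypassed.
    """
    method = getattr(target, op_name)
    permitted_states = ALLOWED[op_name]

    def capability(*args):
        state = registry.state_of(target)
        if state not in permitted_states:
            raise Denied(f"{op_name} not permitted while target is {state.value}")
        return method(*args)

    return capability


def run_scenario():
    """Walk one server through the three states; return the outcome log."""
    registry = StateRegistry()          # held by the IDS side only
    server = FileServer()
    registry.set_state(server, ServerState.FULLY_PATCHED)
    read_cap = gate(registry, server, "read")     # handed to some client
    write_cap = gate(registry, server, "write")   # handed to some client
    log = []

    def attempt(label, cap, *args):
        try:
            cap(*args)
            log.append(f"{label}: ok")
        except Denied:
            log.append(f"{label}: denied")

    attempt("write@patched", write_cap, "cfg", "v1")
    attempt("read@patched", read_cap, "cfg")
    registry.set_state(server, ServerState.VULNERABLE)    # constructed IDS event
    attempt("write@vulnerable", write_cap, "cfg", "v2")   # same capability, now denied
    attempt("read@vulnerable", read_cap, "cfg")
    registry.set_state(server, ServerState.COMPROMISED)   # constructed IDS event
    attempt("read@compromised", read_cap, "cfg")
    registry.set_state(server, ServerState.FULLY_PATCHED)  # after remediation
    attempt("write@repatched", write_cap, "cfg", "v3")    # same capability, usable again
    return log


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The point of the sketch is that nothing is partitioned into role-sets chosen in advance: the client presents the individual capabilities it needs, as in the reply quoted above, while the dependence on IDS-issued state lives in the forwarder and in a registry only the incident response side can write. Which operations survive which states is a policy decision; the table here is only illustrative.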