[cap-talk] Cap vs. cap + password - recap, Internet cafe
Jed at Webstart
donnelley1 at webstart.com
Fri Dec 2 22:42:33 EST 2005
At 07:22 PM 12/2/2005, Sandro Magi wrote:
>Jed at Webstart wrote:
>>At 05:43 PM 11/30/2005, Sandro Magi wrote:
>>
>>>I'm referring to one of my first suggested solutions: placing Portable
>>>Firefox on a USB key and simply using that browser on the third-party
>>>computer.
>>>
>>>http://johnhaller.com/jh/mozilla/portable_firefox/
>>>
>>>If you can use key storage, then this seems attractive to carry your
>>>YURLs and access them.
>>
>>Perhaps, but of course there is no real additional security there.
>>When the browser runs it has access to all the data, capabilities,
>>whatever. To get even POLA protection when running on a third-party
>>computer you need to ensure that no software running in the computer
>>system ever gets access to any capabilities beyond those which
>>you explicitly share with it - e.g. as I suggested earlier by individually
>>granting full and proxied (destroyed after the session) capabilities near
>>the end of:
>>http://eros.cs.jhu.edu/pipermail/cap-talk/2005-November/004362.html
>
>
>Oh yes, your scheme is certainly far more secure. In my original
>proposal I even acknowledged that the solution was only good enough
>to the extent that the 3rd party computer was not malicious, which
>is all I was trying to achieve. I was merely proposing something
>that I could see implemented immediately with effectively no effort,
>and which would simply prevent accidental disclosure as in my
>original scenario.
>
>Without trusted hardware with a trusted interface, it's not possible
>to protect oneself against the computer's owner. Was there some
>display on the USB device for the "challenge" in your idea?
Yes.
>I wasn't clear on that part. I think that's the only way to make it
>truly safe.
Even then I think there are substantial technical challenges. I
think what you essentially have to do is to treat your hardware token
like your actual computer and use it to grant just needed
capabilities to the untrusted third party computer. Those
capabilities can either be
1. Available on the hardware "token" - in which case you can just
ask it to grant permanent or revocable access to them to the
untrusted computer.
or
2. Only available elsewhere, in which case you have to set up a
secure channel through the untrusted computer (just use it like an
untrusted network) to some system where you can pull down additional
capabilities to your hardware token.
In any case I believe you have to explicitly identify any capability
that you want to grant to the untrusted system.
--Jed http://www.webstart.com/jed/
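An added illustration of case 1 above (written for this page; it is not code from the thread or from any project Jed or Sandro mention): the hardware token is treated as the user's real computer and hands the untrusted host only capabilities the user explicitly names, each either permanent (the real object is given away) or proxied (the host gets an opaque session handle that the token stops honouring at end of session). The class names, the Resource model and the sample mail/photos/bank resources are hypothetical.

```python
import secrets


class Resource:
    """Something a capability designates; calling read() is the privilege."""

    def __init__(self, contents):
        self.contents = contents

    def read(self):
        return self.contents


class HardwareToken:
    """Stand-in for the trusted USB token: the only place the real
    capabilities live. It never grants anything it was not asked for."""

    def __init__(self):
        self._caps = {}     # name -> Resource (the real capability)
        self._proxies = {}  # session handle -> name, destroyed at end_session()

    def store(self, name, resource):
        self._caps[name] = resource

    def grant(self, name, permanent=False):
        """Explicitly grant one named capability to the untrusted host.
        permanent=True hands over the real object; otherwise the host only
        gets an unguessable proxy handle that is valid for this session."""
        if name not in self._caps:
            raise KeyError(f"capability {name!r} was never identified for grant")
        if permanent:
            return ("cap", self._caps[name])
        handle = secrets.token_urlsafe(16)
        self._proxies[handle] = name
        return ("proxy", handle)

    def invoke(self, handle):
        """Exercise a proxied capability on the host's behalf. Only the
        result is returned, never the underlying Resource, so the host
        cannot keep a copy of the real capability."""
        name = self._proxies.get(handle)
        if name is None:
            raise PermissionError("proxy handle unknown or revoked")
        return self._caps[name].read()

    def end_session(self):
        """Destroy every proxied grant; permanent grants are unaffected."""
        count = len(self._proxies)
        self._proxies.clear()
        return count


class UntrustedHost:
    """Simulates the Internet-cafe machine: assume it retains everything."""

    def __init__(self, token):
        self._token = token
        self.retained = {}

    def receive(self, name, grant):
        self.retained[name] = grant

    def use(self, name):
        """Return the resource contents the host can still obtain, or None."""
        kind, value = self.retained[name]
        if kind == "cap":
            return value.read()
        try:
            return self._token.invoke(value)
        except PermissionError:
            return None


def run_session():
    """One visit to the untrusted machine, using constructed sample data."""
    token = HardwareToken()
    token.store("mail", Resource("inbox contents"))
    token.store("photos", Resource("holiday album"))
    token.store("bank", Resource("account ledger"))  # never granted

    host = UntrustedHost(token)
    host.receive("mail", token.grant("mail"))                      # proxied
    host.receive("photos", token.grant("photos", permanent=True))  # given away

    during = {n: host.use(n) for n in host.retained}
    revoked = token.end_session()
    after = {n: host.use(n) for n in host.retained}
    return during, revoked, after, "bank" in host.retained


if __name__ == "__main__":
    print(run_session())
```

The point the toy makes is the one in the message: after `end_session()` the host can still read the permanently granted resource it was handed, the proxied one is dead, and the bank capability was never reachable because it was never explicitly identified. A real token would also have to authenticate the session channel and present the grant prompt on its own display, which this model does not attempt.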