[cap-talk] Re: Capability development principles - "no copy"
seen as wrong
smagi at naasking.homeip.net
Fri Dec 2 22:43:29 EST 2005
Jed at Webstart wrote:
> At 05:17 AM 11/30/2005, Sandro Magi wrote:
> If, after it has completed your request, you would like to keep it from
> being able
> to use that capability in the future, you should only give it a
> revokable copy of
> the capability and revoke it after your request is complete. That will
> mean that
> it can't mediate any permanent sharing via that capability, but in this
> case it
> seems that's what you want.
> There just isn't any more protection you can get, so why struggle?
I agree with this 100% as it applies to software agents. Capability
patterns are absolutely on the money here, so you're preaching to the
However, I'm stil convinced that end users will not want to go through
some of the burdens of properly managing their security *in some cases*.
Now I know, as MarcS said, you can always invent a "dumber user", but
there is something fundamentally wrong when the burden placed on the
user is rather high; the incentives for them to do the right thing just
aren't there. Then who will they complain to when something bad happens?
Their friendly neighbourhood application developer: me. :-)
For instance, in the scenario I laid out with the sales rep using a
customer's computer: the rep can absolutely go into every customer's
browser settings and tweak the privacy settings so his bookmarks and the
cache during his session are invalidated when he closes the browser. How
is this any less of a burden than remembering a password though? It's
arguably more of a burden for an application he uses every day.
So I was looking for a design which could keep the web-calculus intact
for all those other things it's great at, but handle this one scenario
where the burden seems a little cumbersome for some people.
When/if the browsers improve the way they handle "secure bookmarks" and
"secure urls", then this requirement will probably go away. It's just
there for backwards compatibility with the "one true way". :-)
More information about the cap-talk