Capability development principles (was Re: [cap-talk] YURLs. What is the model of development?)

David Wagner daw at cs.berkeley.edu
Sat Nov 26 04:50:38 EST 2005


David Chizmadia writes:
>my understanding of those principles is as follows:
>
>  * An object capability contains both the designation (name) of
>    a resource and the authority required to access that resource;
>
>  * Possessing the capability, such that it can be presented to the
>    resource server, is the only necessary and sufficient condition 
>    for actually getting access to the resource;
>
>  * Revocation and additional accountability are accomplished through 
>    the careful use of facades (membranes?);

Those are good principles when we're talking about the design of
software.  But everything is different when the client is actually
a human.  If YURLs are visible to the user, then I'd be concerned
that users might forward those YURLs to others without realizing the
security implications of doing so.  That sounds unfortunate from a
human factors point of view.

The original poster asked about how to provide mutual authentication,
but I suspect the real question here is how to deal with the risk of
YURLs being leaked to others.  That question makes me worry that the
model of YURLs is at odds with the mental model that users have, and
wonder whether capabilities are really the right solution for human
consumption.  It feels like tacking mutual authentication onto YURLs
can't be the right solution (as I think you were suggesting), because
it seems to defeat the whole point of capabilities (why bother with a
capability model in the first place if you're going to add mutual
authentication anyway?).