Capability development principles (was Re: [cap-talk] YURLs.
What is the model of development?)
smagi at naasking.homeip.net
Sat Nov 26 03:16:01 EST 2005
-----BEGIN PGP SIGNED MESSAGE-----
David Wagner wrote:
> David Chizmadia writes:
> The original poster asked about how to provide mutual authentication,
> but I suspect the real question here is how to deal with the risk of
> YURLs being leaked to others.
Yes, that would be a better description of the problem I posed, although
I'd amend "leaked" to "unintentionally leaked". Authentication is simply
a means to achieving that end.
I have no problem with users intentionally passing capabilities since
they can be made accountable for any abuses. I'd simply like to ensure
that a user *knows* when he is passing a capability. If a user is
utilizing a third-party computer (internet cafe?), browser history makes
capability-based web applications useless because it would leak all of
his authority *unintentionally*.
> That question makes me worry that the
> model of YURLs is at odds with the mental model that users have, and
> wonder whether capabilities are really the right solution for human
I think there are only a few corner cases that would surprise users
(like the one I proposed).
> It feels like tacking mutual authentication onto YURLs
> can't be the right solution (as I think you were suggesting), because
> it seems to defeat the whole point of capabilities (why bother with a
> capability model in the first place if you're going to add mutual
> authentication anyway?).
Capability designs have other advantages which make them attractive.
Was I premature in concluding that dynamically constructed,
session-limited facades will adequately solve the problem? I'm certainly
open to other possibilities; session-limited authority is a fairly
common pattern in web applications though.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the cap-talk