[cap-talk] Cap vs. cap + password

David Wagner daw at cs.berkeley.edu
Sat Nov 26 18:59:22 EST 2005


Steve Witham <sw at tiac.net> writes:
>So, when is a capability that requires a password
>more secure than a plain capability?  If the user could give
>away the YURL string, why couldn't he give away both the YURL
>and the password?  He could, of course.

A capability that requires a password isn't really a capability any more.

A malicious user could give away their password, but a well-intentioned
user is less likely to give away their password because they generally
have been taught and understand that passwords are to be kept secret.
However, users aren't taught to keep URLs secret.  (Even if we tried
to tell users to keep URLs secret, they'd laugh at us behind our backs
and ignore us, because that would prevent them from getting useful work
done.)

>How do I know that this document
>signed with your public key was signed by you?

Exactly right.  You don't.  The signature implies endorsement by whoever
has possession of the corresponding private key, but not much more.
If the original holder of the private key signs an agreement to be bound
by all contracts signed under that private key, then that person will
have an incentive not to give away their private key to people they don't
trust.  But, as you say, there are a number of serious difficulties here
if you don't use public keys right, and it's not as easy as just saying
that this is signed by Alice's key, therefore Alice must have approved it.

>I'm not such a convert that I see how capability security gives
>the right answer here.

I too am having trouble convincing myself that capabilities are the
right answer for the user-visible part of the problem.

>On the other hand, if humans swapping
>YURLs are a problem, I don't see why they can't be kept hidden
>from the humans.

I agree that this would help with the security problem, but it seems like
it would harm usability and interoperability among applications.  How do
users share a URL with a friend?  How do they copy-and-paste it into
an email?  How do they link to it in their own web pages, their blogs,
their communications with others?  And, most importantly, how can we make
these steps as convenient and intuitive for YURLs as for today's URLs?
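As an added illustration of the signature point made in the message above (example code written for this archive page, not code from the post or from the cap-talk list): a relying party who verifies a signature learns only that someone in possession of the matching private key signed the document. The `Keyholder` type, the `Lend` method and the sample contract text are constructed for the example; the crypto calls are Go's standard `crypto/ed25519`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Keyholder is a party in possession of a private key. The verifier never
// sees this struct; it only ever sees public keys, documents and signatures.
// (Hypothetical type, constructed for this example.)
type Keyholder struct {
	Name string
	priv ed25519.PrivateKey
}

// NewKeyholder generates a fresh Ed25519 keypair for a named party and
// returns the party together with the public key a verifier would be given.
func NewKeyholder(name string) (*Keyholder, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Keyholder{Name: name, priv: priv}, pub, nil
}

// Sign produces a signature over doc with whatever private key this party
// holds, however they came to hold it.
func (k *Keyholder) Sign(doc []byte) []byte {
	return ed25519.Sign(k.priv, doc)
}

// Lend hands the private key to another party. Nothing in the key material
// or in any later signature records that this transfer happened.
func (k *Keyholder) Lend(name string) *Keyholder {
	return &Keyholder{Name: name, priv: k.priv}
}

// VerifyEndorsement is all a relying party can do: confirm that doc was
// signed by *some holder* of the private key matching pub, and that doc
// was not altered afterwards. It says nothing about which human that was.
func VerifyEndorsement(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

func main() {
	alice, alicePub, err := NewKeyholder("Alice")
	if err != nil {
		panic(err)
	}
	// Constructed sample document; not a real agreement.
	doc := []byte("constructed sample contract: the signer agrees to the terms")

	sigAlice := alice.Sign(doc)

	// Alice gives her private key to Bob; Bob now signs the same document.
	bob := alice.Lend("Bob")
	sigBob := bob.Sign(doc)

	// Both signatures verify under Alice's public key. Ed25519 signing is
	// deterministic (RFC 8032), so the two signatures are byte-for-byte
	// identical: the verifier has no way to tell who held the key.
	fmt.Println("Alice's signature valid:", VerifyEndorsement(alicePub, doc, sigAlice))
	fmt.Println("Bob's signature valid:  ", VerifyEndorsement(alicePub, doc, sigBob))

	// What the signature does guarantee is integrity: a modified document
	// no longer verifies.
	fmt.Println("tampered doc valid:     ", VerifyEndorsement(alicePub, []byte("altered terms"), sigAlice))
}
```

Run with `go run` to see the three results. The design point is that `VerifyEndorsement` is deliberately the only thing the relying party gets to call: the key-lending happens entirely out of its sight, which is why binding a keyholder contractually to "all contracts signed under that key", as the message suggests, is a policy remedy rather than something the cryptography can enforce.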
