[cap-talk] On capabilities not being secure

Ian G iang at systemics.com
Sun Nov 27 10:02:09 EST 2005


Ian G wrote:
> Steve Witham wrote:
> 
>> So, when is a capability that requires a password
>> more secure than a plain capability?  If the user could give
>> away the YURL string, why couldn't he give away both the YURL
>> and the password?  He could, of course.
> 
> A capability is a tool that can be put into
> a system to help it be more secure than the
> alternate.  A capability isn't secure per se
> - that makes no sense in definitional terms.

I am reminded to define my own terms :)  The
easiest way is to read this paper, or at least
the first few sections.  It's not heavy.

http://iang.org/papers/pareto-secure.html

In short - there is no such thing as absolute
security, and thus no thing "is secure" without
some sort of context - relative security within
a system is the best we can hope for.

Notwithstanding that, we can make some judgements
about components that are secure to a certain
degree that is useful for assumptions:  I call
this Pareto-secure for a localised sense, and
Pareto-complete if we can happily globalise the
security.

Perhaps the big message is that so few of the
components we deal with are amenable to such
language and claims, but they are widely abused
in the wider press and sales process.

iang