[cap-talk] Cap vs. cap + password

Stiegler, Marc D marc.d.stiegler at hp.com
Mon Nov 28 19:35:04 EST 2005


> A specific weakness of a capability is that
> it depends on not being leaked to some other
> entity that has access to the system.  You
> can defend against that by either not leaking
> or not letting the leakee access the system.
> 
> Addressing using either path seems likely to
> be a good idea, and adding passwords or similar
> around the entire system is likely to be necessary
> if there is a large danger of leakage.  I gather
> (from very fast skimmings) that the YURL waterken
> system of Tyler envisages access to the caps to
> be at the client level, over the net. So we can
> conclude two things:  leakage is quite likely via
> the browser/malware and by user-forwarding; and
> secondly that access is available to all.
> 
> So a password mechanism over the top sounds like
> a good option to consider if we intend to put
> things of great value and attractiveness there.
> However at this point we've probably run out of
> facts and foundation;  the details of how to
> protect the system from leakage would depend
> dramatically on what the application was meant
> to be used for.

Browser malware is as capable of stealing passwords as it is of stealing
bookmarks. User forwarding is less likely than the folks here are
assuming, given ten words of explanation for the user (really, try it
out on some people, see if the passage, "here is a secure bookmark,
don't give it to others" doesn't immediately convey the idea. Anyone who
thinks for a moment that human beings can be taught to distinguish
high-quality certificate authority certificates from low quality
certificate authority certificates just has to find the idea of a
successful ten word explanation attractive). Phishing against a secure
bookmark is quite unlikely, while it is quite successful against
passwords. Secure bookmarks are never duplicated across multiple sites,
the way people often duplicate passwords, thus ensuring the bookmarks
are fine grain rather than coarse grain. Secure bookmarks are
invulnerable to dictionary attacks. Having both a secure bookmark and a
password is more likely to confuse the user, and certainly takes more
than ten words to explain (since the ten words are required as the first
part of the overall explanation).

If your purpose is to maximize user confusion, with all the
opportunities for attack that such confusion represents, I think a
combined approach is definitely the right strategy. Plus, it gives you
back all the cool unusability benefits that real users appreciate so
much -- so many passwords to forget, so little time!


--marcs
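As an added illustration of the properties Marc lists above (one bookmark per resource, unguessable, and revocable one at a time), here is a constructed Python secure-bookmark issuer; it is not code from the waterken/YURL project. The origin example.invalid, the `key` query parameter and the class name are assumptions; the server stores only a hash of each secret so that a leaked lookup table does not leak the bookmarks themselves.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit


class CapServer:
    """Hypothetical issuer of capability URLs ("secure bookmarks")."""

    def __init__(self, base="https://example.invalid/"):  # assumed origin
        self.base = base
        self._table = {}  # sha256(secret) -> resource name

    def mint(self, resource):
        # 128 bits from the CSPRNG: a fresh, per-resource, unguessable key.
        secret = secrets.token_urlsafe(16)
        self._table[self._digest(secret)] = resource
        return f"{self.base}?key={secret}"

    def resolve(self, url):
        # Look up by hash, so the raw secret is never compared or stored.
        # Unknown or revoked bookmarks resolve to None.
        return self._table.get(self._digest(self._key_of(url)))

    def revoke(self, url):
        # Fine grained: dropping one bookmark leaves every other one valid.
        self._table.pop(self._digest(self._key_of(url)), None)

    @staticmethod
    def _key_of(url):
        return parse_qs(urlsplit(url).query).get("key", [""])[0]

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode()).digest()


def key_bits(url):
    """Size of the guess space, in bits, for the key carried in a URL."""
    raw = base64.urlsafe_b64decode(CapServer._key_of(url) + "==")
    return len(raw) * 8


if __name__ == "__main__":
    srv = CapServer()
    doc = srv.mint("report-2005")  # constructed resource name
    print(doc, srv.resolve(doc), key_bits(doc))
```

A dictionary of leaked passwords cannot be replayed against such a URL: every guess is one lookup in a 2^128 space, and the key exists only for this one resource at this one site.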


