[cap-talk] Capability levels - transparent network extension, no encryption
Mark S. Miller
markm at cs.jhu.edu
Thu Aug 17 20:46:54 EDT 2006
Jed at Webstart wrote:
>> Yes, if Alice, Bob, and Carol are mutually non-reliant machines
>> plugged in to the Internet, Alice cannot safely make assumptions
>> about who Bob cannot talk to. OTOH, within an object-capability
>> system, if Bob is an object instantiated by Alice, Alice can know
>> that Bob can talk to only those that Alice has enabled him to talk
>> to. This is the difference.
>
> I understand. Now consider a situation where Bob is a process on
> a separate CCS on the other side of an "open" network, but where
> the two CCS systems communicate over an encrypted link (e.g. latest
> KGx) and then use something like the DCCS mechanism to distribute
> capabilities between the systems. Under this scenario Alice creates a
> remote "Bob" and initializes it with the limited capabilities that Bob
> should have. I.e. Bob is confined by the remote CCS system much
> like Bob could be confined locally. In that case can one trust the
> confinement across the 'open' network?
Can who trust...? I care about - can Alice trust...? Since, by assumption
(mutually non-reliant machines), Alice does not trust the machine Bob is
running on, the answer is no. Alice cannot trust that Bob's platform (machine,
TCB, whatever) is playing by the rules. Therefore, she can't trust that Bob
doesn't have other access.
> I suggest the answer is yes.
> Perhaps we agree on the extent of that "yes". I think this gets back
> to what we mean by "open" regarding networks.
Actually, even for your sense of "open networks" the answer is still no.
The closest approximations of a yes answer I have been able to imagine are
described in section 11.5.1 and in
http://www.erights.org/elib/capability/dist-confine.html
But the differences between these vs confinement with object-caps is not
transparent.
>> If Alice, Bob, and Carol are CCS processes running on non mutually
>> reliant hardware and speaking over DCCS, how can Alice have any
>> confidence about who Bob cannot talk to?
>
> I was thinking about the situation I described above. Do we agree?
No. I said "non mutually reliant". Alice can't know that Bob doesn't have
access to Carol. Even in a fully connected network where network addresses are
trustworthy, so long as Alice doesn't trust Bob's machine, the answer is
still no.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
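The point MarkM makes above, that Alice can only compute who Bob can talk to while she trusts the platform Bob runs on, as an added example that is not part of the original thread: a toy capability-graph reachability check. The names alice, bob, carol, hostA, hostB, logger and both graphs are constructed for illustration.

```python
"""Capability-graph confinement check (added illustration, not cap-talk code)."""
from collections import deque

# Constructed sample: each key holds references (capabilities) to its values.
# Local case: Alice instantiated Bob on hostA and gave him only a logger.
LOCAL_GRAPH = {
    "alice": {"bob", "carol", "logger"},
    "bob": {"logger"},
    "hostA": {"alice", "bob", "carol", "logger"},  # a host sees everything it runs
}
# Remote case: Bob runs on hostB, which also has ambient access to Carol.
REMOTE_GRAPH = {
    "alice": {"bob", "carol", "logger"},
    "bob": {"logger"},
    "hostB": {"bob", "logger", "carol"},
}


def reachable(graph, start):
    """Every object `start` can reach by following references transitively."""
    seen, todo = set(), deque([start])
    while todo:
        node = todo.popleft()
        if node in seen:
            continue
        seen.add(node)
        todo.extend(graph.get(node, ()))
    seen.discard(start)
    return seen


def who_can_bob_talk_to(graph, trusted_platforms, platform_of):
    """Alice's question. If Bob's platform is trusted, Bob's edges are exactly
    what the graph records. If it is not, the platform may hand Bob anything
    it holds, so the only sound answer merges the platform's references into
    Bob's (the worst case MarkM describes: Bob may have 'other access')."""
    g = {k: set(v) for k, v in graph.items()}
    host = platform_of["bob"]
    if host not in trusted_platforms:
        g.setdefault("bob", set()).add(host)
    return reachable(g, "bob")


if __name__ == "__main__":
    print(who_can_bob_talk_to(LOCAL_GRAPH, {"hostA"}, {"bob": "hostA"}))   # {'logger'}
    print(who_can_bob_talk_to(REMOTE_GRAPH, {"hostA"}, {"bob": "hostB"}))  # includes 'carol'
```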