[cap-talk] - Karp - Capabilities - tracking responsibility (Was: Bellizzomi - Users in object/capability systems (was: MLS gone bad, Lampson))
Ian G
iang at systemics.com
Fri Dec 1 06:37:22 CST 2006
Valerio Bellizzomi wrote:
> On 29/11/2006, at 16.07, Karp, Alan H wrote:
>
>> Valerio Bellizzomi wrote:
>>>> I am assuming that when Tyler uses the capability it is over a channel
>>>> to Jed authenticated as Tyler. Bob uses the capability over a channel
>>>> authenticated as Bob. Since Tyler can't set up a channel to Jed
>>>> pretending to be Bob, there is no way Tyler can blame Bob for Tyler's
>>>> actions.
>>> Are we talking about "non-repudiation" here?
>>>
>> No, audit for assigning responsibility. Non-repudiation assures Jed
>> that Bob cannot deny having taken an action that he actually took.
>> Audit for assigning responsibility assures Tyler that Jed won't blame
>> Tyler for actions taken by Bob, even if Bob uses a capability that Tyler
>> gave him.
>
> I don't see where is the difference with non-repudiation, if Bob can't
> deny having taken an action that he actually took, how can Jed blame Tyler
> for an action taken by Bob?

Apologies in advance, just jumping in here to point out a
potential reliance on a false assumption.

There is a big problem with non-repudiation that leads one
into traps all too frequently. Basically, it doesn't exist,
it is a contradiction.

The issue is that there is a conflict in expectations
between the technical capabilities and the human
capabilities. The technical domain can create a trail of
records, perhaps better termed "evidence". Digital
signatures such as hashes or pk sigs are particularly
interesting forms of evidence because of their strong
properties, or more cynically, because of their exotic
mathematics.

OTOH, we have people. They do things differently, and they
are actual agents & principals, in legal/governance terms
**. They act, and they state. They deny and they claim.
In effect, a human can always repudiate, they can always say
they did not do something.

Non-repudiation does not exist as a property because it is
impossible to stop a person repudiating; such an action
being the action of a human agent, not of code & bits.

In reality what happens is the technology provides a trail
of evidence. Audits can follow the trail and suggest
hypotheses as to what happened. When it comes to blame /
responsibility, etc, that can only be decided by humans,
based on the sum of evidence as found and recorded by the
tech. All of these steps are subject to error, enough so
that blame is always a judgment, and never a certainty.

iang

PS: ** I use the term agent in the normal, non-security
sense of people who are in contractual relationships, which
is somewhat reversed from the particular security sense.