[cap-talk] - Karp - Capabilities - tracking responsibility (Was: Bellizzomi - Users in object/capability systems (was: MLS gone bad, Lampson))

Valerio Bellizzomi devbox at selnet.org
Fri Dec 1 14:59:46 CST 2006


On 01/12/2006, at 13.37, Ian G wrote:

>Valerio Bellizzomi wrote:
>> On 29/11/2006, at 16.07, Karp, Alan H wrote:
>> 
>>> Valerio Bellizzomi wrote:
>>>>> I am assuming that when Tyler uses the capability it is over a channel
>>>>> to Jed authenticated as Tyler.  Bob uses the capability over a channel
>>>>> authenticated as Bob.  Since Tyler can't set up a channel to Jed
>>>>> pretending to be Bob, there is no way Tyler can blame Bob for Tyler's
>>>>> actions.
>>>> Are we talking about "non-repudiation" here ?
>>>>
>>> No, audit for assigning responsibility.  Non-repudiation assures Jed
>>> that Bob cannot deny having taken an action that he actually took.
>>> Audit for assigning responsibility assures Tyler that Jed won't blame
>>> Tyler for actions taken by Bob, even if Bob uses a capability that Tyler
>>> gave him.
>> 
>> I don't see where the difference with non-repudiation is; if Bob can't
>> deny having taken an action that he actually took, how can Jed blame Tyler
>> for an action taken by Bob?
>
>Apologies in advance, just jumping in here to point out a 
>potential reliance on a false assumption.
>
>There is a big problem with non-repudiation that leads one 
>into traps all too frequently.  Basically, it doesn't exist, 
>it is a contradiction.
>
>The issue is that there is a conflict in expectations 
>between the technical capabilities and the human 
>capabilities.  The technical domain can create a trail of 
>records, perhaps better termed "evidence".  Digital 
>signatures such as hashes or pk sigs are particularly 
>interesting forms of evidence because of their strong 
>properties, or more cynically, because of their exotic 
>mathematics.
>
>OTOH, we have people.  They do things differently, and they 
>are actual agents & principals, in legal/governance terms 
>**.  They act, and they state.  They deny and they claim. 
>In effect, a human can always repudiate, they can always say 
>they did not do something.
>
>Non-repudiation does not exist as a property because it is 
>impossible to stop a person repudiating;  such an action 
>being the action of a human agent, not of code & bits.
>
>In reality what happens is the technology provides a trail 
>of evidence.  Audits can follow the trail and suggest 
>hypotheses as to what happened.  When it comes to blame / 
>responsibility, etc, that can only be decided by humans, 
>based on the sum of evidence as found and recorded by the 
>tech.  All of these steps are subject to error, enough so 
>that blame is always a judgment, and never a certainty.

This is true, but I think that we are talking only about the technical issue
of evidence.

>
>
>iang
>
>
>PS: ** I use the term agent in the normal, non-security 
>sense of people who are in contractual relationships, which 
>is somewhat reversed from the particular security sense.
>
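Added example, not part of the original thread: a sketch of the audit Karp describes in the quoted text, where Jed logs the identity authenticated on the channel each time a capability is used, so a capability Tyler handed to Bob is attributed to Bob when Bob uses it. The `Jed` class, the per-principal HMAC key standing in for an authenticated channel, and the resource name `file-42` are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class Jed:
    """Hypothetical service: honours capabilities, logs who used them."""
    def __init__(self):
        self.channel_keys = {}  # principal -> key; stands in for an authenticated channel
        self.caps = {}          # capability token -> (resource, principal it was issued to)
        self.audit = []         # (channel identity, issued to, resource, action)

    def enroll(self, principal):
        self.channel_keys[principal] = secrets.token_bytes(32)
        return self.channel_keys[principal]

    def issue(self, principal, resource):
        cap = secrets.token_hex(16)
        self.caps[cap] = (resource, principal)
        return cap

    def invoke(self, claimed, cap, action, tag):
        key = self.channel_keys.get(claimed)
        msg = f"{claimed}|{cap}|{action}".encode()
        if key is None or not hmac.compare_digest(tag, mac(key, msg)):
            return False  # channel authentication failed; nothing is logged
        if cap not in self.caps:
            return False  # unknown capability
        resource, issued_to = self.caps[cap]
        # Responsibility follows the channel identity, not the original holder.
        self.audit.append((claimed, issued_to, resource, action))
        return True

def request(principal, key, cap, action):
    """Build the arguments for Jed.invoke as sent by the holder of `key`."""
    return principal, cap, action, mac(key, f"{principal}|{cap}|{action}".encode())

def demo():
    jed = Jed()
    tyler_key, bob_key = jed.enroll("Tyler"), jed.enroll("Bob")
    cap = jed.issue("Tyler", "file-42")  # issued to Tyler, who passes it to Bob
    ok_bob = jed.invoke(*request("Bob", bob_key, cap, "write"))
    ok_tyler = jed.invoke(*request("Tyler", tyler_key, cap, "read"))
    # Tyler tries to act as Bob but only has Tyler's channel key.
    forged = jed.invoke(*request("Bob", tyler_key, cap, "delete"))
    return ok_bob, ok_tyler, forged, jed.audit
```

Because the tag is a shared-key MAC, the log is evidence held by Jed for audit; it is not something a third party could check the way it could check a public-key signature.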




