[cap-talk] - Karp - Capabilities - tracking responsibility (Was: Bellizzomi - Users in object/capability systems (was: MLS gone bad, Lampson))

[Valerio Bellizzomi]

On 04/12/2006, at 17.03, Karp, Alan H wrote:

>Valerio Bellizzomi wrote:
>
>> >Not if Bob is an identity of Tyler's creation.
>> 
>> Do you mean that Bob's identity is created by Tyler?
>> I started thinking that Bob is a figment of Tyler's imagination.
>> Can you expand on this ?
>> 
>Tyler wants to escape liability for something he is about to do.  Tyler
>creates a new identity (a figment of his imagination) and introduces it
>to Jed as Bob.  Tyler now uses the Bob identity to do something bad.
>Holding Bob accountable will do Jed no good.  Hence, Jed will have to
>hold Tyler accountable for the actions taken with the Bob identity.  The
>point is that identities have no meaning outside the trust relationships
>used to establish them.

Ok, let me see if I understand correctly.
Jed cannot trust Tyler when Tyler introduces a new identity to Jed. Hence
Jed should ignore any new identity introduced by Tyler.
So, identities that Jed has to trust (for work or whatever) must be known
a priori, or introduced by some mechanism that is inherently trusted by
Jed.

But, what if Tyler is the system administrator of Jed's system, since
Tyler should be trusted for maintenance/management of Jed's identity?
Is a system administrator trusted or not?  Apparently he should be trusted
by all users, but the ASPOS/PP assumes that the administrator will make
mistakes...
(of course he could also become malicious at some point, people is
people).

I get the feeling that we are going into a can of worms.
Question: why do we care so much about identities?

>
>_________________________
>Alan Karp
>Principal Scientist
>Virus Safe Computing Initiative
>Hewlett-Packard Laboratories 
>1501 Page Mill Road
>Palo Alto, CA 94304
>(650) 857-3967, fax (650) 857-7029
>https://ecardfile.com/id/Alan_Karp
>http://www.hpl.hp.com/personal/Alan_Karp/