[cap-talk] - Karp - Capabilities - tracking responsibility (Was: Bellizzomi - Users in object/capability systems (was: MLS gone bad, Lampson))

Rob J Meijer rmeijer at xs4all.nl
Tue Dec 5 04:07:29 CST 2006


> When Alice is delegating to Bob and choosing
> to delegate a revocable capability, she could
> at the same time add to that revocable capability
> what is essentially a label, e.g. "delegated to Bob".
> She could then send that revocable and labeled
> capability to Bob.
>
> Unfortunately, the above simple approach doesn't
> work out too well for Bob.  If Alice carries out the
> above procedure, at the end of it Bob has a labeled
> capability that Alice can revoke, but Alice also
> has that capability.  How can the auditors know
> that any requests on that capability are the responsibility
> of Bob and not of Alice?  They can't.

Would it not be viable to try and create a synergy pattern where
invocation or re-delegation of the labeled revocable capability
requires a second 'identity bound' capability?

>
> Identity based access control systems (IBACs) give the impression
> that they can always report who did what when.  They claim
> to be able to do so because every subject in the system
> has an identity (e.g. a user identifier) and access is controlled
> and could be reported on the basis of who did what when.
> We know that this impression is often an illusion, since
> IBACs make it difficult enough to do delegation that more
> often than not some sort of proxying is done in its place
> (e.g. access like that through Web and other servers that
> cause so many security problems on networks).

Unfortunately, without reliable, undeniable recordings of delegation chains,
proxying has the advantage over delegation that accountability is clear.
There is no real distinction possible between delegations that do and
delegations that don't cross realms of identity and/or trust, thus any
policy would clearly point to the proxying entity as accountable and
incident response can thus effectively focus on that entity.

I feel that only if caps can solve the problem of accountability and
incident response can we expect the IBAC crowd to start trusting
that delegation is a viable alternative.


> Still, I've never seen any means for tracking access based
> on identity in capability systems.  One could argue (as the
> above TCSEC group report did) that object/capability systems
> are inadequate in that regard.  Now that we can demonstrate
> an object/capability mechanism for tracking responsibility
> through delegation, one that clarifies just what can really
> be achieved through such means, it seems that we can
> argue that object/capability systems are at least as strong
> as IBAC systems in this regard as well.

Agreed; I feel, however, that the synergy aspect of this seems like
a big challenge we would need to tackle here.

Rob
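The labeled revocable forwarder from the quoted text, beside the "second, identity-bound capability" floated in the reply, as an added Python model that is not from the thread or any of its participants. The IdentityCap token, the audit-log tuples and the invoke/require_identity names are assumptions; the first scenario shows why the label alone cannot attribute a request, the second what the extra capability buys the auditors.

```python
from dataclasses import dataclass, field

class Revoked(Exception):
    """Invocation through a forwarder Alice has already revoked."""

@dataclass(frozen=True)
class IdentityCap:
    """Unforgeable per-principal token from an identity authority (assumed, not in the thread)."""
    principal: str

@dataclass
class LabeledRevocable:
    """Revocable forwarder to Alice's object that carries a delegation label and logs every call.
    With require_identity set, invoking also needs the caller's IdentityCap (the second capability)."""
    target: str
    label: str
    audit: list = field(default_factory=list)
    require_identity: bool = False
    revoked: bool = False

    def invoke(self, request: str, who=None) -> str:
        if self.revoked:
            raise Revoked(self.label)
        if self.require_identity and who is None:
            raise PermissionError("identity-bound capability required")
        principal = who.principal if self.require_identity else None
        self.audit.append((self.label, principal, request))  # what the auditors get to see
        return f"{self.target}:{request}"

def label_only() -> list:
    """Alice keeps a reference to the forwarder she sent Bob; the log cannot tell them apart."""
    fwd = LabeledRevocable("file", "delegated to Bob")
    fwd.invoke("read")   # Bob's request
    fwd.invoke("write")  # Alice's request through the very same forwarder
    return fwd.audit     # two identical labels, no principal

def identity_bound() -> list:
    """Same forwarder, but every invocation must also present an identity capability."""
    fwd = LabeledRevocable("file", "delegated to Bob", require_identity=True)
    alice, bob = IdentityCap("alice"), IdentityCap("bob")
    fwd.invoke("read", bob)
    fwd.invoke("write", alice)  # recorded against Alice, not Bob
    fwd.revoked = True          # Alice revokes; every holder is cut off at once
    try:
        fwd.invoke("read", bob)
    except Revoked:
        pass
    return fwd.audit
```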
