[cap-talk] - Karp - Capabilities - tracking responsibility (Was: Bellizzomi - Users in object/capability systems (was: MLS gone bad, Lampson))

Valerio Bellizzomi devbox at selnet.org
Tue Dec 5 17:12:05 CST 2006


On 04/12/2006, at 19.14, Karp, Alan H wrote:

>Valerio Bellizzomi wrote:
>> 
>> Ok, let me see if I understand correctly.
>> Jed cannot trust Tyler when Tyler introduces a new identity to Jed. Hence
>> Jed should ignore any new identity introduced by Tyler.
>
>Jed need not ignore the new identity.  He just needs to hold the
>introducer accountable for actions taken by that identity.  By reporting
>to Tyler that Bob did something wrong, Jed is giving Tyler the
>opportunity to collect from Bob, should Bob be a real person.

From the standpoint of accountability Jed has to ignore the new identity,
thus still holding Tyler accountable.

>
>> So, identities that Jed has to trust (for work or whatever) must be known
>> a priori, or introduced by some mechanism that is inherently trusted by
>> Jed.
>
>Exactly.  Jed can only trust an identity that is introduced to him to
>the extent that he trusts the introducers.  I often get phone calls from
>people claiming to be HP employees asking for proprietary information.
>Before providing it, I will look them up in the Corporate Directory and
>use the contact information I find there.  I consider the telephone to
>be an untrusted introducer, but I do trust the Corporate Directory for
>HP employees.
>
>Even if Bob is introduced to Jed by both Tyler and Alan, Jed needs to be
>cautious.  Tyler and Alan may be collaborating to trick Jed.
>Ultimately, Jed's trust in Bob will depend on the aggregate knowledge
>gained from the introductions and Jed's experiences in dealing with Bob.
>> 
>> But, what if Tyler is the system administrator of Jed's system, since
>> Tyler should be trusted for maintenance/management of Jed's identity?
>> Is a system administrator trusted or not?  Apparently he should be trusted
>> by all users, but the ASPOS/PP assumes that the administrator will make
>> mistakes...
>> (of course he could also become malicious at some point, people are
>> people).
>
>In this case Jed will trust identities provided to him by Tyler because
>Jed has little choice.  Note, though, that Jed may still need to have
>Tyler collect any penalty for Bob's actions even in this case.  For
>example, Bob may be a contractor working for a company Jed never heard
>of.  The bottom line is that it's very hard to avoid following the trust
>relations.  
>
>If the sysadmin is malicious, Jed is lost.  If the sysadmin is mistaken,
>as Verisign was when it incorrectly issued a couple of Microsoft
>certificates to a scammer, Jed is lost.  There is risk in trusting that
>must be balanced against the potential benefits.

Agreed.

>> 
>> I get the feeling that we are going into a can of worms.
>> Question: why do we care so much about identities?
>> 
>We are opening a can of worms, but it is a very important can of worms.
>People assume that identity has a meaning external to the system it is
>being used in.  That leads to lots of mistakes, mistakes that I say are
>due to the fallacy of identity.  
>
>How do you know me?  Might Alan Karp be a pseudonym MarkM uses to make
>points that he doesn't feel comfortable making himself?  Might Alan Karp
>be a pseudonym used by all HP employees when writing to security mailing
>lists?  In truth, the identity you attach to Alan Karp has very little
>value to you outside of what is on this list.

At a first glance, if I didn't trust your identity I would contact HP and
ask to speak with you.

>
>Let's say you know me.  You have my drivers license number.  You have my
>thumbprint.  You have my DNA sample.  Would you trust me with your
>money?  Your children?  Your wife?  The answers depend on how you've
>come to know me (introduced to you by your banker) and your experience
>in dealing with me (we've been close friends for many years).  
>
>Identity tells us little about whether or not we should honor a specific
>request.  It is only as good as the relationships connected to it.

Since we are members of the capability community, I am led to trust your
identity.
Ok, but I know that you are famous for your work in parallel computing (if
I remember correctly you offered money for a parallel computing contest).
It is instructive to talk with you, so my experience in dealing with you
is positive even though we haven't been friends; this leads me to trust your
identity.

>
>_________________________
>Alan Karp
>Principal Scientist
>Virus Safe Computing Initiative
>Hewlett-Packard Laboratories 
>1501 Page Mill Road
>Palo Alto, CA 94304
>(650) 857-3967, fax (650) 857-7029
>https://ecardfile.com/id/Alan_Karp
>http://www.hpl.hp.com/personal/Alan_Karp/