[cap-talk] SPAM-LOW: Re: In Defense of Identities - really not

Jed at Webstart donnelley1 at webstart.com
Wed Dec 6 18:07:52 CST 2006


At 02:48 PM 12/6/2006, Jonathan S. Shapiro wrote:
>On Wed, 2006-12-06 at 17:04 -0500, Sandro Magi wrote:
>
> > Combined with local naming (ie. you can only add to an ACL you hold, a
> > subject to which you also hold an unforgeable identifier), Jed's idea is
> > essentially capability semantics. Your suggestion seems to boil down to
> > capabilities with a do-not-delegate flag by default. Are you arguing
> > against capabilities in the context of OpenCM, or making a more general
> > statement?
>
>Capabilities were not an adequate solution for OpenCM.

I assume you mean that object-capability semantics are not an adequate means
for access control for OpenCM?  Refining my words a bit I guess that means
that the object-capability semantics for delegation don't meet the
requirements for OpenCM.

Can you tell us what requirement it is in OpenCM that object-capability
semantics fail to meet?

Ah:

>At 02:08 PM 12/6/2006, Mark Miller wrote:
>The basis for this reluctant conclusion was a stated need to meet
>bureaucratically mandated auditing requirements that, as far as I
>could tell, were not technically coherent. In the end, I failed to
>understand the requirements, and so had no basis for objection, and
>reluctantly gave up.
>
>In any case, once I post the proof-of-concept responsibility-tracking
>protocol, I would like to revisit that discussion.

I'll be interested to follow how that discussion goes also.

I'm not really sure how well I've conveyed or "sold" the notion that
object-capability semantics are really just a dynamic means for
delegating a permission (permission to access an 'object') from
one subject to another.  I assume there is some means for doing
delegation in OpenCM.  What is it about that means that doesn't
fit the object-capability paradigm?

I think it was something along the lines of "bureaucratically mandated
auditing requirements" that led the TCSEC folks to conclude that
the capability paradigm couldn't be used to meet the Trusted Computer
System Evaluation Criteria.  In particular it was their concern about
what they regarded as the laissez faire (my words not theirs, you have
to read a bit between the lines to get their gist) nature of object-capability
permission communication (if I have a permission and I can communicate
with you, then I can delegate it to you).  Despite their general discomfort
with the object-capability approach, however, when it came time to discuss
requirements not met, one of them that they pointed to was auditing.
Namely, who did what when?  That's why it's this topic that we've been
working through with the responsibility tracking thread (under whatever
subject cover).

--Jed http://www.webstart.com/jed/