[cap-talk] On revocation and the use of wrappers and In Defense of Identities
Jed Donnelley
jed at nersc.gov
Thu Dec 7 11:33:19 CST 2006
At 02:03 AM 12/7/2006, Neal H. Walfield wrote:
>At Wed, 6 Dec 2006 23:17:12 -0600,
>Karp, Alan H wrote:
> >
> > Marcus Brinkmann wrote:
> > > The problem is that it is easily exploitable, because the amount of
> > > memory used to store the bookkeeping data is not bound by the number
> > > of objects, but by the number of delegations that take place.
> > > Depending on the design, either a user alone or at least two
> > > conspiring users can probably exhaust these resources by delegating
> > > the same object many times.
> > >
> > The server can always refuse if a given capability has been delegated
> > too many times.
>
>Sure. But how can it do this without potentially denying legitimate
>service? I think that any limit will be arbitrary and will fail to
>stop illegitimate use but block some legitimate uses.
This sort of thing happens all the time in today's systems and it
is very far from being considered among the most important problems
with such systems. There are limits like the number of processes,
number of inodes, not to mention of course more "legitimate"
resource limitations like memory and disk space. Any exhaustion
of such resources results in denying legitimate service.
How would an exhaustion of table space for delegations differ
from such situations?
--Jed http://www.webstart.com/jed/
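
The trade-off debated in this message, as an added sketch that is not part of the original thread and not code from any system the posters describe: a server that keeps one revocable record per delegation and refuses once an object's budget is spent. The names `Server`, `DelegationLimit` and `max_delegations_per_object` are hypothetical, and counting the limit per underlying object across its whole delegation tree is an assumption.

```python
import itertools
class DelegationLimit(Exception): pass  # an object's delegation budget is spent

class Server:
    """Hypothetical capability server; each delegation is a revocable record."""
    def __init__(self, max_delegations_per_object):
        self.limit = max_delegations_per_object  # assumed policy knob
        self._ids = itertools.count(1)
        # live maps a root cap to the number of delegation records it has outstanding
        self.root, self.parent, self.children, self.live = {}, {}, {}, {}

    def create_object(self):
        cap = next(self._ids)
        self.root[cap], self.parent[cap], self.children[cap] = cap, None, []
        self.live[cap] = 0
        return cap

    def delegate(self, cap):
        root = self.root[cap]  # KeyError: cap unknown or already revoked
        if self.live[root] >= self.limit:
            raise DelegationLimit(f"object {root}: limit {self.limit} reached")
        child = next(self._ids)
        self.root[child], self.parent[child], self.children[child] = root, cap, []
        self.children[cap].append(child)
        self.live[root] += 1  # bookkeeping grows per delegation, not per object
        return child

    def revoke(self, cap):
        root = self.root[cap]
        if cap == root:
            raise ValueError("sketch only revokes delegated capabilities")
        self.children[self.parent[cap]].remove(cap)
        stack, freed = [cap], 0
        while stack:  # revoking a cap also revokes everything delegated from it
            c = stack.pop()
            stack.extend(self.children.pop(c))
            del self.root[c], self.parent[c]
            freed += 1
        self.live[root] -= freed
        return freed

def demo():
    srv = Server(max_delegations_per_object=3)
    doc = srv.create_object()
    alice = srv.delegate(doc)
    srv.delegate(srv.delegate(alice))  # re-delegations charge the same object
    try:
        srv.delegate(doc)              # a legitimate request, refused anyway
    except DelegationLimit:
        return True, srv.revoke(alice), srv.live[doc]
    return False, 0, srv.live[doc]
```

With the limit in place the table holds at most the number of objects times the limit, and the refused request is only served again after a revocation frees records.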