[cap-talk] Capabilities - the rub, an account

Jed Donnelley capability at webstart.com
Sat Dec 9 03:26:01 CST 2006


At 05:29 PM 12/8/2006, David Hopwood wrote:
>John McCabe-Dansted wrote:
> > Further, when promoting caps we should make it clear that we intend
> > for the system to ensure that transfers of caps between high-level
> > entities such as users are always logged and revocable.
>
>I don't agree with that, because:
>
>  - I don't want to make assumptions about what the designers of all
>    capability systems will support (clearly logging and revocation are
>    not necessary for a system to be considered a capability system).
>
>  - I think that cap systems would be a significant improvement in most
>    respects over identity-based access control systems, even if they had
>    *no* support for either auditing or revocation.

I think the above positions are reconcilable.  I agree with John McCabe-Dansted
that it seems a good suggested policy to delegate permissions (capabilities)
between people with responsibility tracking and possible revocation.
This is the sort of auditing and management facility that the TCSEC
people and I expect others want.  As long as the performance is
reasonable, it doesn't hurt, so it seems like good policy to me.

On the other hand David Hopwood's point is certainly true.  You
don't need to provide responsibility tracking (logging) and
revocation to be considered a capability system.  There have
been such capability systems for many, many years.  To be
an object/capability system it's only required that all
permissions are enabled through communicable tokens.

I also agree that capability communication systems are a significant
improvement over identity-based access control systems, even if
they don't have support for responsibility tracking (logging)
or revocation.  Many capability systems from years past make
that point.

However, I believe that tracking delegation of responsibility
and managed revocation for some (most?) fairly high level
delegations (e.g. people to people, program start) seems to
me generally good policy and likely to provide considerable
comfort for people with the TCSEC sorts of concerns.  I believe
we should aggressively market these sorts of facilities in
object-capability systems to sell them, increase their market
share (from nothing to something - I argue at the network
level first, but we will see) and start providing the value
that they supply to society.  
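The reconciliation argued above, as an added illustration that is not part of the original post: the underlying object is reached only through a plain communicable token, while responsibility tracking and revocation are layered on as policy in a forwarding wrapper (the caretaker pattern) that a person-to-person delegation passes through. The `Store`, `Direct` and `Delegation` names and the audit record layout are assumptions for the example.

```python
class Revoked(Exception):
    """Raised when a revoked delegation is exercised."""


class Store:
    """Example object being protected (constructed for this illustration)."""
    def __init__(self):
        self.data = {}

    def put(self, key, value):
        self.data[key] = value

    def get(self, key):
        return self.data[key]


class Direct:
    """The bare capability: an unmediated reference, no logging, no revocation."""
    def __init__(self, obj):
        self._obj = obj

    def invoke(self, method, *args):
        return getattr(self._obj, method)(*args)


class Delegation:
    """Caretaker placed in front of a capability when one principal hands it to another.

    The target never learns about auditing or revocation; that policy lives here.
    Sub-delegations chain through their grantor's caretaker, so revoking a grant
    also cuts off everything delegated onward from it.
    """
    def __init__(self, target, grantor, grantee, audit):
        self._target, self._revoked = target, False
        self.grantor, self.grantee, self._audit = grantor, grantee, audit
        audit.append(("delegate", grantor, grantee))   # responsibility tracking

    def invoke(self, method, *args):
        if self._revoked:
            self._audit.append(("denied", self.grantee, method))
            raise Revoked(f"{self.grantor}->{self.grantee} delegation revoked")
        self._audit.append(("invoke", self.grantee, method))
        return self._target.invoke(method, *args)

    def delegate(self, grantee):
        return Delegation(self, self.grantee, grantee, self._audit)

    def revoke(self):
        self._revoked = True
        self._audit.append(("revoke", self.grantor, self.grantee))


def demo():
    """root -> alice -> bob; revoking alice's grant also cuts bob off."""
    audit = []
    alice = Delegation(Direct(Store()), "root", "alice", audit)
    bob = alice.delegate("bob")
    bob.invoke("put", "k", 1)
    alice.revoke()
    try:
        bob.invoke("get", "k")
        cut_off = False
    except Revoked:
        cut_off = True
    return audit, cut_off
```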