[cap-talk] cap-share - membranes - optional/mandatory, unwrapping? (was: Blue sky)

Valerio Bellizzomi devbox at selnet.org
Sun Dec 17 11:02:29 CST 2006


On 16/12/2006, at 22.21, Jed Donnelley wrote:

>At 10:02 PM 12/16/2006, Jonathan S. Shapiro wrote:
>>On Sat, 2006-12-16 at 23:30 -0600, Karp, Alan H wrote:
>> > Jonathan S. Shapiro wrote:
>> > >
>> > >   2. The audit tool requires a "God's eye" view. It requires the
>> > >      authority to walk every object in the system and implement the
>> > >      exchange protocol. The minute we introduce such a walker, we
>> > >      have re-introduced something very close to universal (root)
>> > >      authority, and that ought to make us very skeptical about the
>> > >      design under discussion.
>> > >
>> > The problem is that there are three trust relationships, Carol-Bob,
>> > Bob-Alice, Carol-Alice.  Jonathan has jumbled those together.
>> >
>> > Carol has given some rights to Bob.  Bob has transferred some of those to
>> > Alice.  At this point, Carol has no explicit relationship with Alice.
>> > If some of the rights Bob has given to Alice need to survive the
>> > revocation of Bob's rights, then Bob needs to ask Carol to give those
>> > rights directly to Alice.  Carol knows which of the rights Bob wants
>> > Alice to have should survive their revocation from Bob and which ones
>> > should not.  If Bob doesn't know, he can always ask Carol and let her
>> > decide.  Putting the policy decision at the point of transfer instead of
>> > at the point of revocation avoids the "God's eye" view problem.
>>
>>You misunderstood me completely. :-)
>>
>>The necessary God's eye view is the view of the *tool* that knows how to
>>walk objects in the system to swap the capabilities. This tool requires
>>the ability to traverse objects that none of {Carol, Alice, Bob} can
>>access.
>
>I think Jonathan and I agree on that one.  I don't see that as necessarily
>a "God's Eye" being needed, but I see it as very and perhaps impossibly

I think Jonathan refers to the fact that the tool must traverse the
capabilities space in the machine, and that the ability to see all
capabilities gives it "root" powers.
In this view, the tool's "God's Eye" is the "Root's Eye", since it has the
power to see all capabilities.

>complicated.  Just the case of permissions that have been further
>delegated by Carol I don't see how to solve (without making it an
>"inside" bookkeeping job as I've suggested and as I believe MarkM's
>puppet approach suggests).
>
>--Jed http://www.webstart.com/jed/ 
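To make the three-relationship argument quoted above concrete, here is an added example in Python that is not part of the thread or of any of the participants' code. It models each grant as a revocable caretaker forwarder (a constructed, hypothetical class) and contrasts Bob re-delegating his own capability with Carol granting Alice directly, showing that revoking Bob needs no walker over the object graph.

```python
"""Added example (not from the thread): revocable delegation modelled with
caretaker forwarders. All names and classes here are constructed for
illustration; none are from a real capability system."""


class Revoked(Exception):
    pass


class Resource:
    """The object Carol owns; the only method anyone wants to call."""
    def read(self):
        return "secret-data"


class Caretaker:
    """Revocable forwarder: forwards calls to its target until revoked.
    The grantor keeps the revoke() authority; the grantee only gets read()."""
    def __init__(self, target):
        self._target = target

    def read(self):
        if self._target is None:
            raise Revoked("capability was revoked")
        return self._target.read()

    def revoke(self):
        self._target = None


def grant(target):
    """Return (capability, revoker); the grantor holds on to the revoker."""
    ct = Caretaker(target)
    return ct, ct.revoke


def scenario(direct_grant_to_alice):
    """Run Carol -> Bob -> Alice, revoke Bob, and report Alice's access
    before and after (None means her capability no longer works)."""
    carol_obj = Resource()
    bob_cap, revoke_bob = grant(carol_obj)          # Carol keeps revoke_bob
    if direct_grant_to_alice:
        # Bob asks Carol to grant Alice directly; Carol keeps revoke_alice.
        alice_cap, revoke_alice = grant(carol_obj)
    else:
        # Bob re-delegates his own cap; Alice's access is bound to Bob's.
        alice_cap, revoke_alice = grant(bob_cap)
    before = alice_cap.read()
    revoke_bob()  # Carol revokes Bob locally; no "God's eye" traversal needed
    try:
        after = alice_cap.read()
    except Revoked:
        after = None
    return before, after
```

Because the policy choice is made at the point of transfer (which grant Alice receives), revocation later is a purely local act by the grantor.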
