[cap-talk] Communicating conspirators (Re: Second ABAC Google talk is now up)
Eric Jacobs
eric at theeric.com
Sun Jul 16 18:33:37 EDT 2006
This was the only part of the presentation that I felt pretty
dissatisfied with, and perhaps it has more to do with the treatment of
the topic in the capability community in general than anything else, but
I feel the arguments that were given were not convincing and did not
resolve the question that was originally asked.
The original comment at 29:15 - (something like this, the audio is
fuzzy)
"So, I just want to say here as well: I don't want Bob to have a
reference to Carol except in the scope of the Foo operation. I
don't want Bob to be able to save that (access?)..."
We are told that this is an example of Communicating Conspirators
and that will be addressed later in the presentation. The main
points made are:
- that CC cannot be solved with permissions;
- that CC cannot be solved with capabilities;
- that the capability security model cannot solve CC because
in its formal system, CC is not distinguishable from other
situations that are not security problems;
- and therefore, CC is an impossible problem to solve (!)
I am not fond of the idea that because (1) we do not know how to
abstract something, or (2) we do not currently have the technology to
implement those abstractions, it is not possible that someone
really wants it. In this case I believe both of those conditions are
true.
In fact, I regard the original question as a very legitimate request,
and something that is going to become more important as our computing
systems become more interconnected and the simple answer of "cutting
Mallet's line" becomes less of an option. Disconnecting a process
from the internet will soon become a sacrifice of usability for
security, if it is not already.
Overall though -- I have really enjoyed the presentations so far.
Thanks!
-Eric