[cap-talk] Communicating conspirators

Mark S. Miller markm at cs.jhu.edu
Sun Jul 16 23:50:55 EDT 2006


David Hopwood wrote:
> Some capability systems have included such a mechanism, for example
> the ENVRTS bit in Hydra [*].
> 
> I think that this kind of "do not delegate" mechanism is now generally
> understood to be a mistake -- it complicates the system, impedes
> legitimate use of delegation, and does not improve security. I hope
> that any pressure to include such a thing in new cap system designs
> can be resisted.

Sadly, <http://eprint.iacr.org/2005/169.pdf>
"Enforcing Confinement in Distributed Storage and a Cryptographic
Model for Access Control"
by Shai Halevi, Paul A. Karger, Dalit Naor

Paul Karger is a famous security and capabilities guy who knows about EROS. I 
was surprised to see this.


> I don't think the argument was that people don't want this ability.
> The argument was that neither we nor anyone else know how to give it
> to them.
> 
> Existing access control approaches clearly don't solve CC. The difficulty
> that the cap security community seems to have is that describing capabilities
> to people tends to make this problem more obvious to them, which may then
> associate the problem in their minds with capabilities. I don't know
> how to fix that, but it's not a technical problem with capability systems.

Only when people understand that it's impossible by any means will they stop 
reacting badly when they notice that it's obviously impossible in objcap 
systems. That's why I spent time trying to explain this in my talk.

-- 
Text by me above is hereby placed in the public domain

     Cheers,
     --MarkM
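The claim in the quoted paragraph, that a "do not delegate" bit does not improve security, rests on a simple observation: a holder who can exercise a capability and can talk to a second party can always hand that party a proxy that forwards requests, so the bit only blocks the sanctioned transfer path. The following is an added illustration of that argument, not code from this thread, from Hydra, or from the Halevi/Karger/Naor paper; the class names, the `delegable` flag standing in for an ENVRTS-style bit, the toy resource, and the names Alice and Bob are assumptions made for the example.

```python
"""Why a "do not delegate" bit on a capability does not stop delegation.

Added illustration (not code from the cap-talk thread or from Hydra). The
Capability/Proxy classes, the `delegable` flag and the toy resource are
assumptions made for this example.
"""
from dataclasses import dataclass


class DelegationRefused(Exception):
    """Raised when a capability marked non-delegable is passed on directly."""


@dataclass
class Capability:
    """An unforgeable reference bundled with authority over a resource.

    `delegable` models a Hydra ENVRTS-style "do not delegate" bit. The bit is
    only consulted by `transfer`, the system's sanctioned way of handing a
    capability to another party; `read` is the authority the bit guards.
    """
    resource: dict
    delegable: bool = True

    def read(self, key: str) -> str:
        return self.resource[key]

    def transfer(self) -> "Capability":
        """The system's delegation primitive: refuses if the bit is clear."""
        if not self.delegable:
            raise DelegationRefused("capability is marked non-delegable")
        return Capability(self.resource, delegable=True)


class Proxy:
    """An ordinary object that forwards requests to a capability its author holds.

    The system cannot distinguish this from any other object the holder is
    entitled to build; only the holder's own code ever sees `_cap`.
    """
    def __init__(self, cap: Capability):
        self._cap = cap

    def read(self, key: str) -> str:
        return self._cap.read(key)


def sanctioned_delegation(cap: Capability) -> str:
    """Attempt delegation through the system primitive; report the outcome."""
    try:
        cap.transfer()
        return "allowed"
    except DelegationRefused:
        return "refused"


def conspirator_delegation(cap: Capability, key: str) -> str:
    """Alice (holding `cap`) and Bob (anyone she can exchange objects with) conspire.

    Alice never passes the capability itself; she passes Bob a Proxy. Bob then
    exercises exactly the authority the bit was meant to withhold from him,
    and all the system observed was ordinary messages between willing parties.
    """
    alice_cap = cap
    bob_handle = Proxy(alice_cap)   # the only thing that crosses to Bob
    return bob_handle.read(key)


if __name__ == "__main__":
    # Constructed sample resource, not real data.
    secret_store = {"plan": "attack at dawn"}
    cap = Capability(secret_store, delegable=False)
    print("transfer():", sanctioned_delegation(cap))          # refused
    print("via proxy: ", conspirator_delegation(cap, "plan"))  # attack at dawn
```

The bit changes only the mechanics of delegation, not whether it happens: Bob's access now lives inside Alice's process and can be revoked by her, which is the behaviour a capability system gets for free from ordinary proxying without any extra mechanism. Since the two parties are communicating willingly, this is the communicating-conspirators case the thread is discussing, and no access-control rule evaluated at the system boundary can tell the proxy's traffic from legitimate use.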