[cap-talk] network level designation and authorization

Stiegler, Marc D marc.d.stiegler at hp.com
Thu Jun 8 14:48:09 EDT 2006

> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org 
> [mailto:cap-talk-bounces at mail.eros-os.org] On Behalf Of Sandro Magi
> Sent: Thursday, June 08, 2006 11:37 AM
> To: General discussions concerning capability systems.
> Subject: Re: [cap-talk] network level designation and authorization
> 
> Stiegler, Marc D wrote:
> > Another point about a YURL that is worth noting. Suppose one breaks or
> > steals a YURL. The typical YURL carries only a little authority (like
> > the authority to edit a single web page). Such a break is a tiny thing
> > compared to the penetration of a VPN connection. A YURL-based network
> > of connections has a larger number of weaker authorizations.
> 
> Subject to the application/service design. If the application is
> designed such that the transitive closure of all links reachable from
> that one leaked link is the set of all links in the application/service
> (at least for the "user" who "owned" that link), then that's just as
> disastrous as giving away the username+password in a traditional app.
> 
> So YURLs gain you no security advantage in this case, except that it's
> more effort to design such a "wide-open" application in the
> web-calculus than it currently is with standard-issue web frameworks.

Yes, you can build systems with "global" authorities even using YURLs.
Just as you can write insecure FORTRAN even in E (for which there is an
example in Walnut, when doing the security review of Echat :-)

YURLs make it possible to do better. YURLs even make it easy to do
better. VPNs, on the other hand, make it impossible to do better, much
less easy.

--marcs
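
The transitive-closure point raised in the quoted reply, as an added example that is not part of the original thread: a design audit that computes what a single leaked YURL exposes by following the links each resource hands out. The two link graphs and all resource names are constructed for illustration.

```python
from collections import deque

def reachable(links, leaked):
    """Every resource whose YURL can be learned from `leaked` by following
    the links each resource hands out (breadth-first transitive closure)."""
    seen, queue = {leaked}, deque([leaked])
    while queue:
        for target in links.get(queue.popleft(), ()):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen

def blast_radius(links, leaked):
    """Fraction of the application's resources exposed by one leaked YURL."""
    everything = set(links) | {t for ts in links.values() for t in ts}
    return len(reachable(links, leaked)) / len(everything)

def widest_leaks(links):
    """Resources ranked by how much a leak of their YURL exposes."""
    return sorted(links, key=lambda r: (-blast_radius(links, r), r))

# Constructed design A ("wide open"): every page links back to the user's home,
# so any one leaked link reaches everything that user owns.
WIDE_OPEN = {
    "home": ["page1", "page2", "page3", "settings"],
    "page1": ["home"], "page2": ["home"], "page3": ["home"],
    "settings": ["home"],
}
# Constructed design B: each page's YURL carries only that page's authority.
ATTENUATED = {
    "home": ["page1", "page2", "page3", "settings"],
    "page1": [], "page2": [], "page3": [], "settings": [],
}

if __name__ == "__main__":
    for name, design in (("wide open", WIDE_OPEN), ("attenuated", ATTENUATED)):
        print(name, sorted(reachable(design, "page1")),
              blast_radius(design, "page1"))
```

Running `widest_leaks` over a real application's link graph shows which YURLs need the most careful handling; in design B only `home` is in that class.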


