[cap-talk] A question on capabilities
rmeijer at xs4all.nl
Mon Jun 12 05:41:07 EDT 2006
> On 6/12/06, David Wagner <daw at cs.berkeley.edu> wrote:
>> I gave a talk at PLAS06 yesterday on object capabilities and
>> language-based capability systems. My slides, if anyone is interested,
>> are here:
>> I got one question afterwards that I didn't have a great answer to,
>> and I'm curious what others' response might be. The question: Suppose
>> Alice has a powerful capability, and Alice and Bob have a communication
>> channel over which they can talk to each other. Ok, granted, we can't
>> prevent Alice from sharing her authority with Bob, if she really wants
>> to, since she can always proxy for Bob. But what about the risk of
>> unintentionally leaking her capability to Bob? Do capability systems have
>> a good story about how to deal with that? (And yes, we recognize that
>> if Alice and Bob are completely isolated from each other, then that's
>> one case where capability systems have a good story, but that case is
>> too restrictive, and the questioner was really asking whether there are
>> any other cases where capability systems can help out with this risk).
> Isn't this exactly what e-speak was all about? In this case, the
> capability would be linked to Alice, so she'd have to prove ownership
> of her private key in order to exercise it. Of course, Alice could
> leak her private key, too, though that seems less likely since you
> never have to send it over the wire.
Would e-speak still allow Alice to 'explicitly' re-delegate the capability
to Bob? And if so could the chain of delegations be recorded within the
capability for auditing purposes?
As stated in my previous post on bound yurls a few days ago, I'm trying
to find out if work has been done on auditable delegation.