[cap-talk] Capabilities - the rub (was: NCSC TCSEC)
John Carlson
john.carlson3 at sbcglobal.net
Thu Nov 9 22:51:09 CST 2006
On Nov 9, 2006, at 7:31 PM, Eric Jacobs wrote:
> On Thu, 09 Nov 2006 17:42:08 -0800
> Jed at Webstart <donnelley1 at webstart.com> wrote:
>
>> If you run on a capability infrastructure you can remove the account,
>> but then you think, "Oh my gosh, I wonder where he might have
>> delegated access to some of the resources he had access to?"
>> How do I remove any access that he might have delegated?"
>
> Simple: revoke the proxy that you originally created for the account.
> That proxy has supervisory capacity over anything that is done via
> it. It is capable of enforcing any policy that any security kernel
> could enforce.
Hmmm. How does this work? I understand revoking proxies. I just
don't understand how to do the "supervisory capacity." Must you "pass"
the account to every single call to the kernel? In object oriented terms,
this would mean that I would have a single interface (collection of methods)
to the entire kernel. This could be a good thing, but seems rather a strange
way to do object oriented programming.

In the real world, there are tons of interfaces on the internet. Do I need
to maintain an account on each interface? How do I prevent people from
merely requesting a new account after their old one is revoked? By promising
that they'll get a ton of spam on the new account? LOL.
John
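The revocable proxy Eric describes, written out as an added example (it is not code from this thread and not the implementation of any particular capability system): a caretaker that forwards calls to the real object until its creator revokes it. Nothing is "passed to the kernel" per call; the caretaker is simply the only reference the account ever holds, so any further delegation the account makes wraps that caretaker, and one revocation at the top cuts off every downstream path. The `Document` resource, the names `Caretaker` and `make_revocable`, and the policy callback are all my own constructions for the illustration.

```python
"""Revocable forwarder (caretaker) pattern for capability delegation.

The account receives a caretaker, not the underlying object. Everything the
account does, including handing access on to someone else, flows through that
caretaker, so revoking it cuts off every transitive delegation at once. The
revoke control is a separate facet the creator never hands to the account.
"""
from typing import Any, Callable, List, Optional, Tuple


class Document:
    """Constructed stand-in for a protected resource (not from the thread)."""

    def __init__(self, text: str) -> None:
        self.text = text

    def read(self) -> str:
        return self.text

    def append(self, more: str) -> None:
        self.text += more


class Revoked(Exception):
    """Raised when a call passes through a caretaker that has been revoked."""


class Caretaker:
    """Forwards method calls to `target` until revoked.

    Only this forwarding facet is handed out. The revoke switch lives in a
    closure returned by `make_revocable`, so a holder of the facet can neither
    un-revoke it nor obtain the raw target. The optional `policy` callback lets
    the creator veto individual calls (method name plus positional arguments),
    which is the "supervisory capacity" of the proxy: it sees every call made
    through it and can apply any rule it likes before forwarding.
    """

    def __init__(self, target: Any,
                 policy: Optional[Callable[[str, tuple], bool]] = None) -> None:
        self._target = target
        self._policy = policy
        self._revoked = False
        self._audit: List[str] = []  # record of method names forwarded

    def __getattr__(self, name: str) -> Callable[..., Any]:
        # Only reached for names not found on the Caretaker itself, i.e. the
        # target's methods. The checks happen at call time, not lookup time,
        # so a closure obtained before revocation still fails afterwards.
        def forward(*args: Any, **kwargs: Any) -> Any:
            if self._revoked:
                raise Revoked(f"{name}: capability has been revoked")
            if self._policy is not None and not self._policy(name, args):
                raise PermissionError(f"{name}: refused by caretaker policy")
            self._audit.append(name)
            return getattr(self._target, name)(*args, **kwargs)
        return forward


def make_revocable(target: Any,
                   policy: Optional[Callable[[str, tuple], bool]] = None
                   ) -> Tuple[Caretaker, Callable[[], None]]:
    """Return (use facet, revoke facet). Give out the first, keep the second."""
    facet = Caretaker(target, policy)

    def revoke() -> None:
        facet._revoked = True
        facet._target = None  # drop the reference so the target can be collected

    return facet, revoke


def scenario() -> tuple:
    """Walk through account creation, onward delegation, and one revocation."""
    doc = Document("hello")
    # The administrator creates the account: the account gets `account`,
    # the administrator keeps `revoke_account`.
    account, revoke_account = make_revocable(
        doc, policy=lambda m, a: m in ("read", "append"))
    # The account delegates read-only access to a friend. The friend's
    # caretaker wraps the account's caretaker, not the document.
    friend, _revoke_friend = make_revocable(account, policy=lambda m, a: m == "read")
    before = (account.read(), friend.read())
    try:
        friend.append("!")  # refused by the friend's read-only policy
        friend_write = "allowed"
    except PermissionError:
        friend_write = "refused"
    account.append(" world")
    # Removing the account: one revocation, and every path through it dies,
    # including delegations the administrator never knew about.
    revoke_account()
    outcomes = []
    for facet in (account, friend):
        try:
            facet.read()
            outcomes.append("alive")
        except Revoked:
            outcomes.append("revoked")
    return before, friend_write, outcomes, doc.text


if __name__ == "__main__":
    print(scenario())
```

The point of keeping `revoke` as a separate closure is that the account holder can forward the use facet freely but can never hand anyone a way to defeat revocation; and because the friend's caretaker sits in front of the account's caretaker rather than the document, the administrator does not need to know the delegation happened to undo it.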