[cap-talk] Capabilities - the rub (was: NCSC TCSEC)

John Carlson john.carlson3 at sbcglobal.net
Thu Nov 9 22:51:09 CST 2006


On Nov 9, 2006, at 7:31 PM, Eric Jacobs wrote:

> On Thu, 09 Nov 2006 17:42:08 -0800
> Jed at Webstart <donnelley1 at webstart.com> wrote:
>
>> If you run on a capability infrastructure you can remove the account,
>> but then you think, "Oh my gosh, I wonder where he might have
>> delegated access to some of the resources he had access to?"
>> How do I remove any access that he might have delegated?"
>
> Simple: revoke the proxy that you originally created for the account.
> That proxy has supervisory capacity over anything that is done via
> it. It is capable of enforcing any policy that any security kernel
> could enforce.
Hmmm.  How does this work?  I understand revoking proxies.  I just
don't understand how to do the "supervisory capacity."  Must you "pass"
the account to every single call to the kernel?  In object-oriented terms,
this would mean that I would have a single interface (collection of methods)
to the entire kernel.  This could be a good thing, but seems rather a strange
way to do object-oriented programming.

In the real world, there are tons of interfaces on the internet.  Do I need
to maintain an account on each interface?  How do I prevent people from
merely requesting a new account after their old one is revoked?  By promising
that they'll get a ton of spam on the new account?  LOL.


John
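The revocable proxy ("caretaker") that Eric describes, as an added example that is not part of this thread or of any project discussed in it: an admin keeps the revoker, the account holder gets only the proxy, and whatever the holder delegates is a proxy of that proxy, so pulling the one revoker cuts off every downstream delegate. The Document class, the audit list and the scenario are constructed for illustration.

```python
from typing import Any, Callable

class Revoked(Exception):
    """Raised when a call passes through a proxy whose revoker has been pulled."""

class Document:
    """Constructed sample resource: the object an account is given access to."""
    def __init__(self, text: str) -> None:
        self.text = text
    def read(self) -> str:
        return self.text
    def write(self, text: str) -> None:
        self.text = text

def make_revocable(target: Any, audit: list) -> tuple[Any, Callable[[], None]]:
    """Return (proxy, revoke). The proxy forwards each call to target until
    revoke() runs, and records every attempt in audit (the 'supervisory capacity').
    The proxy carries no revoke method, so a holder can neither revoke nor un-revoke it."""
    state = {"target": target}

    class Proxy:
        def __getattr__(self, name: str) -> Callable[..., Any]:
            def forward(*args: Any, **kwargs: Any) -> Any:
                live = state["target"]          # checked at call time, not lookup time,
                if live is None:                # so a cached bound method dies with the proxy
                    raise Revoked(f"{name} denied: proxy revoked")
                audit.append((name, args))      # every attempt is visible to the supervisor
                return getattr(live, name)(*args, **kwargs)
            return forward

    def revoke() -> None:
        state["target"] = None   # cuts off every holder, however many times it was re-delegated

    return Proxy(), revoke

def scenario() -> dict:
    """Admin issues a proxy to an account holder, who delegates a proxy of it onward.
    Revoking the account's proxy cuts off the delegate and any method it cached."""
    doc, audit = Document("draft"), []
    account_proxy, revoke_account = make_revocable(doc, audit)   # admin keeps revoke_account
    delegated, _ = make_revocable(account_proxy, audit)           # holder delegates onward
    cached_read = delegated.read        # delegate stashes a method before revocation
    before = delegated.read()
    delegated.write("edited by delegate")
    revoke_account()
    out = {"before": before, "text": doc.text, "calls": len(audit)}
    for label, call in (("delegate", delegated.read), ("cached", cached_read)):
        try:
            call()
            out[label] = "still allowed"
        except Revoked:
            out[label] = "revoked"
    return out
```

Each layer logs its own forward, so a call from the delegate shows up twice in the audit list (once at the delegate's proxy, once at the account's), which is what lets the admin see that delegation happened at all.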