[cap-talk] Capabilities - the rub, an account
Rob J Meijer
rmeijer at xs4all.nl
Fri Nov 17 05:26:08 CST 2006
> This topic does seem to keep recurring here. Points:
> 1. It makes no difference whether you are using caps or acls, you cannot
> tell who has access, you can only tell who was given a direct enough
> access such that you can hold them accountable. Those who have direct
> access can proxy, thereby spreading access beyond your control but not
> spreading accountability beyond your control. The beginning of sanity is
> for everyone, both people on this list and computer security pros in
> general, to understand this. Accountability is what you really wanted
> anyway. So the 2 requirements deserve to be rewritten to reflect what
> people actually want and actually can get (which happen to be the same)
> rather than what they think they have and think they can get (which are
> similar though different). A first necessary step toward security is
> discarding one's illusions, for the attackers will discard your
> illusions whether you do or not.
I fully agree that accountability is the main issue.
I, however, believe the fact that usage and accountability are much more
disjunct in capability discipline than they are in ACL is a big issue.
I think for this reason that using things like X.509 (who are you) and/or
SPKI (who gave you this authority) is greatly beneficial to the issue of
accountability, and is very much underused imho.