[cap-talk] Capabilities - the rub, an account

Karp, Alan H alan.karp at hp.com
Tue Nov 21 19:35:18 CST 2006

Jed wrote:
> Now at some point I (who am the only writer) post some information
> to this object and some time soon I see this sensitive information
> in some trade rag - shades of the HP board scandal.
> Read times              Capability              IP
> 10/15/2006 17:23:10     Alan -> Sarah -> John
> 10/20/2006 13:15:07     Tyler -> Bob            ...
> 10/22/2006 23:17:45     Alan -> Sarah -> Sue
> 10/24/2006 09:24:16     Alan -> Sarah -> John
Jed has created separately revocable capabilities and sent them to Tyler
and Alan.  Alan has delegated to Sarah, who in turn delegated to John.
Jed keeps the above log.  

Unfortunately for Jed, he has no idea who Sarah and John are.  The fact
that the log records Sarah is useful to Alan, but not to Jed.  John
leaks the news.  Jed says, "Alan, you accessed the file on 10/15 at
17:23, just an hour before the story hit the news.  You're fired."  Alan
says to Jed, "It wasn't me.  I delegated to my consultant," and Alan
says to Sarah, "You're going to get me fired by leaking that news."
Sarah either turns in John or takes the blame rather than reveal their

Very silly, but the best you can do in a distributed system is relative
naming and relative blaming.  You can only do better when you have a
centralized identity manager, which becomes a single point of

The problem with most of this discussion on accounts is the assumption
that we know who all the people are.  In a distributed system that
crosses organizational boundaries we don't.  The trust relationships are
between Jed and Alan and between Alan and Sarah.  If Jed tries to cut
off Sarah but not Alan, Alan will just delegate to Jenny, Sarah's new

That being the case, Jed should keep a log that looks like 

> Read times              Capability      IP
> 10/15/2006 17:23:10     Alan
> 10/20/2006 13:15:07     Tyler
> 10/22/2006 23:17:45     Alan
> 10/24/2006 09:24:16     Alan
Alan should keep a log that looks like

> Read times              Capability      IP
> 10/15/2006 17:23:10     Sarah
> 10/22/2006 23:17:45     Sarah
> 10/24/2006 09:24:16     Sarah
And so on.  Notice that these logs are the same whether the capability
is delegated or not.

Accounts are an illusion unless you are within an organization that
gives the identities meaning.  In that case, you have other means to
track miscreants.  For example, in a single machine, the OS tags each
request with a specific process ID that can be tied back to the UID that
created it.  In a distributed system within an enterprise, you can
require that each request be tagged with an identity that appears in an
enterprise-wide database.  Neither of these approaches is viable when
crossing organizational boundaries.
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
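The per-holder logs above and the "separately revocable" point, as an added Python model (not code from the post or from HP): each capability records a successful read in its issuer's log under the label the issuer gave the holder, then forwards through the issuer's own capability, so Jed's log reads the same whether or not Alan delegated further. The names and the four read times are the post's; the document text and the post-revocation timestamps are constructed.

```python
class Capability:
    """Forwarding capability. A successful read is logged in the *issuer's*
    log under the label the issuer chose, so each hop in a delegation chain
    records exactly one relative name and nothing beyond it."""

    def __init__(self, target, label, issuer_log):
        self._target = target          # the document text, or the parent Capability
        self._label = label            # name the issuer gave this holder
        self._issuer_log = issuer_log  # log kept by whoever issued this cap
        self._revoked = False

    def read(self, when):
        if self._revoked:
            raise PermissionError(f"capability '{self._label}' was revoked")
        t = self._target               # reading through a parent fails if it was revoked
        text = t.read(when) if isinstance(t, Capability) else t
        self._issuer_log.append((when, self._label))
        return text

    def delegate(self, label, my_log):
        # Separately revocable sub-capability; its reads reach my issuer as mine.
        return Capability(self, label, my_log)

    def revoke(self):
        self._revoked = True


def scenario():
    """Replay the post's chain; return each holder's log and revocation effects."""
    jed_log, alan_log, sarah_log = [], [], []
    alan = Capability("board minutes", "Alan", jed_log)    # Jed -> Alan (constructed text)
    tyler = Capability("board minutes", "Tyler", jed_log)  # Jed -> Tyler, independently
    sarah = alan.delegate("Sarah", alan_log)   # Alan -> Sarah
    john = sarah.delegate("John", sarah_log)   # Sarah -> John
    sue = sarah.delegate("Sue", sarah_log)     # Sarah -> Sue
    for who, when in [(john, "10/15/2006 17:23:10"), (tyler, "10/20/2006 13:15:07"),
                      (sue, "10/22/2006 23:17:45"), (john, "10/24/2006 09:24:16")]:
        who.read(when)
    alan.revoke()                              # Jed cuts off Alan and everyone below
    try:
        john.read("10/25/2006 08:00:00")
        john_blocked = False
    except PermissionError:
        john_blocked = True
    tyler_ok = tyler.read("10/25/2006 08:05:00") == "board minutes"
    return {"Jed": jed_log, "Alan": alan_log, "Sarah": sarah_log,
            "john_blocked": john_blocked, "tyler_ok": tyler_ok}
```

Jed's log never contains Sarah, John or Sue, and revoking Alan's capability silently cuts off the whole subtree while Tyler's independent capability keeps working.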
