[cap-talk] Capabilities - the rub, an account

Jed at Webstart donnelley1 at webstart.com
Tue Nov 21 20:50:56 CST 2006


At 05:35 PM 11/21/2006, Karp, Alan H wrote:
>Jed wrote:
> >
> > Now at some point I (who am the only writer) post some information
> > to this object and some time soon I see this sensitive information
> > in some trade rag - shades of the HP board scandal.
> >
>                                 (snip)
> >
> > Read times              Capability              IP
> >
> > 10/15/2006 17:23:10     Alan -> Sarah -> John   12.24.17.236
> > 10/20/2006 13:15:07     Tyler -> Bob            ...
> > 10/22/2006 23:17:45     Alan -> Sarah -> Sue
> > 10/24/2006 09:24:16     Alan -> Sarah -> John
> >
>Jed has created separately revocable capabilities and sent them to Tyler
>and Alan.  Alan has delegated to Sarah, who in turn delegated to John.
>Jed keeps the above log.
>
>Unfortunately for Jed, he has no idea who Sarah and John are.  The fact
>that the log records Sarah is useful to Alan, but not to Jed.  John
>leaks the news.  Jed says, "Alan, you accessed the file on 10/15 at
>17:23, just an hour before the story hit the news.  You're fired."  Alan
>says to Jed, "It wasn't me.  I delegated to my consultant.", and Alan
>says to Sarah, "You're going to get me fired by leaking that news."
>Sarah either turns in John or takes the blame rather than reveal their
>tryst.

Just my point.  However, I was suggesting that we could do better.
We could ensure that only Bob can access what Tyler delegated
to Bob and only Sue can access what Alan delegated to Sarah
who delegated it to Sue.

>Very silly, but the best you can do in a distributed system is relative
>naming and relative blaming.  You can only do better when you have a
>centralized identity manager, which becomes a single point of
>vulnerability.

I don't believe so.  I believe Web of trust works - technically.  If
a capability access used the private key match to:

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xB70B7F99

in an access exchange then I think you'd have a good case to come after
me for responsibility.  Want to sign my PGP key Alan?  I'll verify the
hash when we next meet...

>The problem with most of this discussion on accounts is the assumption
>that we know who all the people are.

I disagree.  In many senses it doesn't even matter if we are people.
All that matters is that there is an identity and whatever social rules
we associate with any such identity (e.g. responsibility, etc.).

>In a distributed system that
>crosses organizational boundaries we don't.  The trust relationships are
>between Jed and Alan and between Alan and Sarah.  If Jed tries to cut
>off Sarah but not Alan, Alan will just delegate to Jenny, Sarah's new
>identity.

I'm not talking about trying to block delegation - as we know is
impossible between communicators.  What I'm trying to do is
to get better auditing/tracking of delegation.  I believe that is
possible.  Even to an extent that might mollify the identity/acl
folks.

>That being the case, Jed should keep a log that looks like
>
> > Read times              Capability      IP
> >
> > 10/15/2006 17:23:10     Alan                  12.24.17.236
> > 10/20/2006 13:15:07     Tyler
> > 10/22/2006 23:17:45     Alan
> > 10/24/2006 09:24:16     Alan
> >
>Alan should keep a log that looks like
>
> > Read times              Capability      IP
> >
> > 10/15/2006 17:23:10     Sarah                 83.19.55.129
> > 10/22/2006 23:17:45     Sarah
> > 10/24/2006 09:24:16     Sarah
> >
>And so on.  Notice that these logs are the same whether the capability
>is delegated or not.

I think we can do better.  We should discuss this.  Thanks for picking
up on the idea though.

>Accounts are an illusion unless you are within an organization that
>gives the identities meaning.

I disagree.  I believe Web of trust can work.  Even beyond that I have
identities all over the place that have meaning - Google, PayPal,
Yahoo, REI, Fidelity, etc., etc.  I am not "within" those
organizations.  I access them over the network.  There is still
meaning.  Most have never had any physical contact with me.

>In that case, you have other means to
>track miscreants.  For example, in a single machine, the OS tags each
>request with a specific process ID that can be tied back to the UID that
>created it.  In a distributed system within an enterprise, you can
>require that each request be tagged with an identity that appears in an
>enterprise-wide database.  Neither of these approaches is viable when
>crossing organizational boundaries.

I believe identities can work across organizational boundaries - though
I don't think that discussion will forward our effort at getting at "the rub"
of what bothers people about capability systems.

--Jed http://www.webstart.com/jed/ 
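The scheme Jed sketches above (each delegation bound to the recipient's key, access proved with that key, and the server logging the whole chain rather than blocking delegation) as an added worked example; this is not code from the thread or from either author. It assumes Ed25519 key pairs in place of the PGP keys Jed mentions, a constructed object name "board-memo", and an in-memory name directory standing in for the web-of-trust lookup; names of principals are the thread's own, the keys are generated on the fly.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Principal is a named holder of an Ed25519 key pair. In the thread the key
// would be a PGP key vouched for by a web of trust; here keys are generated
// inline (constructed sample data, not real identities).
type Principal struct {
	Name string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewPrincipal(name string) Principal {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Principal{Name: name, Pub: pub, Priv: priv}
}

// Delegation is one link of a chain: From signs (object, From, To), so the
// link can only be used or extended by whoever holds To's private key.
// Handing the bytes to someone else gives them nothing.
type Delegation struct {
	Object    string
	From, To  ed25519.PublicKey
	Signature []byte
}

func delegationMessage(obj string, from, to ed25519.PublicKey) []byte {
	return []byte("delegate|" + obj + "|" + hex.EncodeToString(from) + "|" + hex.EncodeToString(to))
}

// Delegate lets p extend its own access on obj to the holder of `to`.
func Delegate(p Principal, to ed25519.PublicKey, obj string) Delegation {
	return Delegation{obj, p.Pub, to, ed25519.Sign(p.Priv, delegationMessage(obj, p.Pub, to))}
}

// AccessRequest is the chain plus a proof of possession of the last
// delegatee's key over a server-issued nonce (so the proof cannot be replayed).
type AccessRequest struct {
	Chain []Delegation
	Proof []byte
}

func accessMessage(obj string, nonce []byte) []byte {
	return []byte("access|" + obj + "|" + hex.EncodeToString(nonce))
}

func Access(p Principal, chain []Delegation, nonce []byte) AccessRequest {
	return AccessRequest{chain, ed25519.Sign(p.Priv, accessMessage(chain[len(chain)-1].Object, nonce))}
}

// Server is the object owner's side (Jed's): the root key that may start a
// chain, the links Jed has revoked, and a key-to-name directory (the assumed
// stand-in for a web-of-trust lookup). Keys not in the directory are logged by
// fingerprint; the chain is still recorded and a name can be attached later.
type Server struct {
	Root    ed25519.PublicKey
	Object  string
	Revoked map[string]bool   // hex(link signature) -> revoked
	Names   map[string]string // hex(public key) -> name
	Log     []string          // one delegation path per successful access
}

func NewServer(owner Principal, obj string) *Server {
	s := &Server{Root: owner.Pub, Object: obj, Revoked: map[string]bool{}, Names: map[string]string{}}
	s.Register(owner)
	return s
}

func (s *Server) Register(p Principal) { s.Names[hex.EncodeToString(p.Pub)] = p.Name }
func (s *Server) Revoke(d Delegation) { s.Revoked[hex.EncodeToString(d.Signature)] = true }

func (s *Server) nameOf(pub ed25519.PublicKey) string {
	h := hex.EncodeToString(pub)
	if n, ok := s.Names[h]; ok {
		return n
	}
	return "key:" + h[:8]
}

// Verify walks the chain from the root, checks every link and the final proof,
// and on success logs and returns the path, e.g. "Jed -> Alan -> Sarah -> John".
func (s *Server) Verify(req AccessRequest, nonce []byte) (string, error) {
	if len(req.Chain) == 0 {
		return "", errors.New("empty chain")
	}
	prev, path := s.Root, []string{s.nameOf(s.Root)}
	for i, d := range req.Chain {
		if d.Object != s.Object || !bytes.Equal(d.From, prev) {
			return "", fmt.Errorf("link %d does not continue the chain", i)
		}
		if !ed25519.Verify(d.From, delegationMessage(d.Object, d.From, d.To), d.Signature) {
			return "", fmt.Errorf("link %d has a bad signature", i)
		}
		if s.Revoked[hex.EncodeToString(d.Signature)] {
			return "", fmt.Errorf("link %d (%s -> %s) is revoked", i, s.nameOf(d.From), s.nameOf(d.To))
		}
		prev, path = d.To, append(path, s.nameOf(d.To))
	}
	if !ed25519.Verify(prev, accessMessage(s.Object, nonce), req.Proof) {
		return "", errors.New("requester does not hold the last delegatee's key")
	}
	line := strings.Join(path, " -> ")
	s.Log = append(s.Log, line)
	return line, nil
}

func main() {
	jed, alan, sarah, john := NewPrincipal("Jed"), NewPrincipal("Alan"), NewPrincipal("Sarah"), NewPrincipal("John")
	s := NewServer(jed, "board-memo")
	s.Register(alan)
	s.Register(sarah)
	chain := []Delegation{Delegate(jed, alan.Pub, s.Object), Delegate(alan, sarah.Pub, s.Object), Delegate(sarah, john.Pub, s.Object)}
	nonce := []byte("server-chosen-nonce")
	fmt.Println(s.Verify(Access(john, chain, nonce), nonce)) // John unregistered: logged by fingerprint
}
```

Delegation is not blocked: Sarah can still extend her link to anyone, but only by signing a new link naming that person's key, so every hop leaves a signed record in the chain Jed sees, and revoking Jed's link to Alan cuts off everything Alan delegated onward.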