[cap-talk] Capabilities - the rub, an account

Rob J Meijer rmeijer at xs4all.nl
Wed Nov 22 05:17:40 CST 2006


>> While this is of course literally true, I believe it
>> understates the case against object/capability systems.  In
>> identity based ACL systems access is only directly granted
>> through the identity based ACL mechanisms (e.g. Unix).
>> Since programs run as users with their identity (I of course
>> know this non POLA is a problem, please don't jump on me here
>> as I play devil's advocate) there is no issue with separate
>> "principal" identities for running
>> programs (processes, active objects).   Consequently one can determine
>> who has direct access by looking at the ACL (e.g. ugo rwx and
>> group in Unix).
>
> I continue to be puzzled that you of all people should consider the
> tracking of direct access to be important, useful, relevant, or even
> barely interesting. There is a psychological problem that IT people with
> believing that direct access is somehow important, and a psychological
> problem that IT people have does indeed present a barrier to adoption,
> but you seem to be acting as if it were more than a
> pyschological/training/brainwashing impediment.

Although I fully agree that the tracking of 'just' direct access is close to
useless, I feel that it still can be very important for accountability
purposes, although explicitly 'not on its own'.

Imho the question of accountability can not be focused purely on one
single end of the delegation chain. I feel that you need to track both
access 'and' delegation, or better yet implicitly cary the full delegation
chain into any access in order to be able to trace the full delegation
chain.

Only from the full chain of delegations and access can be determened
where accountability must be layed. Thus each act of delegation should
become an implicit part of the thus delegated capability imho in such
a way that the whole chain can be reconstructed for auditing and IR purposes.

Further by doing so you might match the accessing entity to that identified
by the final delegation as a measure against capdata theft. That is,
an entity should only be able to use a capability that was 'explicitly'
delegated to it.

Rob



More information about the cap-talk mailing list