[cap-talk] Capabilities - the rub, an account

Karp, Alan H alan.karp at hp.com
Wed Nov 22 11:21:56 CST 2006

Jed wrote:
> Just my point.  However, I was suggesting that we could do better.
> We could insure that only Bob can access what Tyler delegated
> to Bob and only Sue can access what Alan delegated to Sarah
> who delegated it to Sue.
Who is going to enforce that?  Not Tyler.  He doesn't see the request.
Not Bob.  He wants Fred to have access without anyone else's knowledge.
Not Jed.  He doesn't have a trust relationship with Bob.  I'm all for
preventing accidental leakage of rights, but I don't believe you can
prevent purposeful transfers.
> > The problem with most of this discussion on accounts is the assumption
> > that we know who all the people are.
> I disagree.  In many senses it doesn't even matter if we are even people.
> All that matters is that there is an identity and whatever social rules
> we associate with any such identity (e.g. responsibility, etc.).
That's the key question.  What is an identity?  To my mind, an identity
represents a trust relation.  Jed has a trust relation with Tyler.
Tyler has one with Bob.  Jed does not have a trust relation with Bob.
It is reasonable for Jed to refer to Tyler's Bob, but not for Jed to
refer to Bob.  We need to think hard about the meaning of identity.
> I don't believe so.  I believe Web of trust works - technically.

Web of trust is based on the assumption that people have a private key
that is valuable to them so they protect it.  That need not be the case.
Bob may have one key for dealing with Alan, a different one for dealing
with Tyler, etc.  In fact, Bob can have a different key for each
authority he gets from Alan.  Now Bob is free to share the key for a
particular authority with anyone he likes, and there's nothing Jed can
do about it.

Even if Alan came to know Bob's key from a trusted source, Bob can
simply create a new key and tell Alan that it belongs to his friend
Fred.  Now Bob has a key he can distribute to others.  Jed thinks
requests are coming from Alan's Bob's Fred, but they're really coming
from anyone Bob gave Fred's key to.
> I disagree.  I believe Web of trust can work.  Even beyond that I have
> identities all over the place that have meaning - Google, PayPal,
> Yahoo, REI, Fidelity, etc., etc. that have meaning.  I am not
> "within" those organizations.  I access them over the network.
> There is still meaning.  Most have never had any physical contact
> with me.
I disagree.  When you set up an account at Google, you get a Google
userid/password.  That makes you part of the Google organization.  The
same at PayPal, Yahoo, ...  Once you log into one of those sites, you
are in its environment and controlled by its rules.  To my mind, that
makes you part of that organization, at least while you're logged in to
> I believe identities can work across organizational boundaries - though
> I don't think that discussion will forward our effort at getting at "the rub"
> of what bothers people about capability systems.
"This email is to introduce you to my co-worker Carol.  You should feel
free to give her whatever rights you'd give me.  I've attached her
public key to this email."  Of course, Carol isn't a real person, but
unless you're part of my organization, you can't find that out.

I contend that the "identification fallacy" is the core of the
difficulty applying identification based access control across
organizational boundaries.  Capability systems don't support the fantasy
that identity is meaningful, and, to my mind, that's the rub.  We need
to expose the fantasy for what it is.  Once the supposed advantages of
IBAC are exposed as chimeras, the advantages of capabilities will be

Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
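The "Alan's Bob's Fred" scenario from the message above, as an added toy model written for this page (it is not code from the cap-talk thread): Jed's verifier knows principals only as paths of introductions, and it accepts any introduction vouched for by a key it already knows, with no way to learn whether a person stands behind the new key. The HMAC-as-signature scheme, the names and the request string are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy model (not code from the cap-talk thread).  Every key is a secret
# shared with Jed's service and a "signature" is an HMAC under it.  Jed names a
# principal only by the path of introductions through which he learned its key.

def sign(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def intro_msg(name: str, key: bytes) -> str:
    """Introduction statement binding a local name to a key."""
    return f"introduce:{name}:{key.hex()}"

class Verifier:
    """Jed's service.  self.keys maps an introduction path such as
    ('Alan', 'Bob', 'Fred') to the key that path may sign with."""

    def __init__(self, roots: dict):
        self.keys = {(name,): key for name, key in roots.items()}

    def introduce(self, introducer: tuple, name: str, key: bytes, sig: str) -> tuple:
        """Accept a new key only if the introduction is signed by a key Jed already knows."""
        expected = sign(self.keys[introducer], intro_msg(name, key))
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("introduction not signed by a known key")
        path = introducer + (name,)
        self.keys[path] = key
        return path

    def who_sent(self, request: str, sig: str):
        """Return the path whose key signed this request, or None if none did."""
        for path, key in self.keys.items():
            if hmac.compare_digest(sign(key, request), sig):
                return path
        return None

def scenario() -> tuple:
    alan_key, bob_key, fred_key = (secrets.token_bytes(32) for _ in range(3))
    jed = Verifier({"Alan": alan_key})  # Jed's only trust relation
    bob = jed.introduce(("Alan",), "Bob", bob_key, sign(alan_key, intro_msg("Bob", bob_key)))
    # Bob mints fred_key himself and vouches for it; Jed sees a valid introduction
    # from Alan's Bob and has no way to learn whether a real Fred exists.
    jed.introduce(bob, "Fred", fred_key, sign(bob_key, intro_msg("Fred", fred_key)))
    # Anyone Bob hands fred_key to is, as far as Jed can tell, Alan's Bob's Fred.
    request = "read:quarterly-report"
    return jed.who_sent(request, sign(fred_key, request))
```

The verifier's answer is the path ('Alan', 'Bob', 'Fred') no matter who actually holds fred_key, which is the transfer the message says no one in the chain can prevent.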
