[cap-talk] SPAM-LOW: Re: Capabilities - the rub, an account
Rob J Meijer
rmeijer at xs4all.nl
Sat Nov 25 09:53:27 CST 2006
> > The typical cap response is that you *can* do things like attach a
> > revoking or logging proxy to the cap before passing it on. This
> > response does not convince the ACL crowd that caps are as good or
> > better than ACLs, nor do I believe that it should. We need to convince
> > them that innocent users *will not* pass rights the obvious way.
> That decision doesn't necessarily need to be dictated at the admin level
> though. Sometimes you want to pass a co-equal capability, and sometimes
> you want a revocable version.
The important issue here, I believe, is getting the issue of
accountability solidly anchored in the user's brain. If the user
passes an unproxied/unbound version of its own capability, any incident
with the given capability will lay full accountability with that user, even
if the delegation itself would have been according to policy.
Independent of whether the user wants to pass a revocable capability, I believe
the user wants or should want to pass a capability that implicitly
records (either in a proxy or by using an SPKI-style cap as data) the
action of delegation for accountability purposes in case of
incidents. I am under the impression that the issues of proportional
and directed incident response are under-addressed in cap literature, but
recording of delegation through proxied/bound delegation seems a
relatively simple measure that seems to allow for it in a very solid
way. If you can get the issue of accountability and incident response
into the user's way of thinking (which should not be that hard an
abstraction to get used to), you could be reasonably sure that the user
"will not" pass rights unexplicitly.