[cap-talk] - Bellizzomi - Users in object/capability systems (was: MLS gone bad, Lampson)
Karp, Alan H
alan.karp at hp.com
Mon Nov 27 18:20:58 CST 2006
> This approach was great for allowing users to make up what amount to
> new groups on the fly. However, this mechanism was subject to the
> criticism that the TCSEC folks leveled at "traditional"
> capability systems.
> Namely there is no auditing with it. Once I give out those
> everyone that I give them to has the exact same capability with the
> same permissions and the same auditing trail. That system did not
> have the feature I suggested recently of making every delegated
> capability different, with a delegation trail and
> independently revocable,
> and communicated in such a way that the sender cannot access the
> delegated capability for proper responsibility tracking.
I assume that all communication is over secure channels. I also assume
that these channels can be mutually authenticating. In that case, all
you need do is keep a log in the messaging layer of messages and the
channel over which they were received. You now have your audit trail.
You can make capabilities separately revocable by associating a "Do Not
Honor" list with each channel authentication. You can get a delegation
trail by a mechanism such as the one you built for Managing Domains.
Namely, associate a c-list with each channel authentication and record
which channel the delegation request came from. None of these require
any changes by the capability creator or user, although the last does
require an additional step to delegate.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Karp, Alan H.vcf
Size: 423 bytes
Desc: Karp, Alan H.vcf
Url : http://www.eros-os.org/pipermail/cap-talk/attachments/20061127/7753868c/attachment.vcf
More information about the cap-talk