[cap-talk] - Karp - Capabilities - tracking responsibility (Was: Bellizzomi - Users in object/capability systems (was: MLS gone bad, Lampson))
Jed at Webstart
donnelley1 at webstart.com
Wed Nov 29 11:16:23 CST 2006
At 08:56 AM 11/29/2006, Karp, Alan H wrote:
>If you want to track delegations, then keep a mapping per channel. If
>Tyler wants to delegate a capability to Bob, Tyler asks Jed to make an
>entry in the table used for channels authenticated as Bob. Client
>Utility used this kind of explicit introduction, and I believe you (Jed)
>used a similar scheme in one of your systems. Jed can record this
>request in the mapping table. Tyler can then pass the capability to
>Bob. Tyler can revoke Bob's use of the capability by telling Jed to
>remove the entry.
Since I'm not following this fully (I hope we get to discuss it soon),
let me just ask: It's easy to see in the above how Tyler can revoke
Bob's use of the permission. However, can some third party (e.g.
an auditor) distinguish accesses by Bob from those by Tyler in
such a way as to exonerate Tyler from any actions performed
by Bob? In that case I'll be interested to hear more how that works.
More information about the cap-talk