[cap-talk] - Karp - Capabilities - tracking responsibility (Was: Bellizzomi - Users in object/capability systems (was: MLS gone bad, Lampson))
Valerio Bellizzomi
devbox at selnet.org
Wed Nov 29 14:24:17 CST 2006
On 29/11/2006, at 10.56, Karp, Alan H wrote:
>Jed wrote:
>>
>> When the capability is accessed I want to know that it was the capability
>> that Tyler delegated to Bob and that the responsibility lies with Bob
>> as opposed to with Tyler. For this to work it doesn't suffice for Tyler to
>> create a revocable capability - even one labeled as being for Bob - that he
>> then sends (by whatever means) to Bob. The communication must be
>> such that Bob receives a capability that Tyler never had or was able to
>> access.
>>
>I am assuming that when Tyler uses the capability it is over a channel
>to Jed authenticated as Tyler. Bob uses the capability over a channel
>authenticated as Bob. Since Tyler can't set up a channel to Jed
>pretending to be Bob, there is no way Tyler can blame Bob for Tyler's
>actions.
Are we talking about "non-repudiation" here?
val
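
Added example, not part of the original post or thread: a minimal Python model of the assumption in the quoted reply, where the service (Jed) attributes each use of a capability to the identity authenticated on the channel. The Service class, the per-principal HMAC key standing in for an authenticated channel, and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def channel_tag(key, token, request):
    """MAC a request with the sender's channel key (stand-in for an authenticated channel)."""
    return hmac.new(key, (token + "|" + request).encode(), hashlib.sha256).digest()

class Service:
    """Stands in for Jed: verifies the channel and logs who used which capability."""
    def __init__(self):
        self._channel_keys = {}  # principal -> key of that principal's channel
        self._caps = {}          # capability token -> principal it was delegated to
        self.audit = []          # (authenticated principal, delegated-to, request)

    def enroll(self, principal):
        self._channel_keys[principal] = secrets.token_bytes(32)
        return self._channel_keys[principal]

    def mint(self, delegated_to):
        token = secrets.token_hex(16)
        self._caps[token] = delegated_to
        return token

    def invoke(self, claimed, token, request, tag):
        key = self._channel_keys.get(claimed)
        if key is None or token not in self._caps:
            return False
        if not hmac.compare_digest(channel_tag(key, token, request), tag):
            return False  # sender is not who the request claims to be
        # Responsibility is recorded from the channel identity, not from the token.
        self.audit.append((claimed, self._caps[token], request))
        return True

def demo():
    jed = Service()
    tyler_key, bob_key = jed.enroll("tyler"), jed.enroll("bob")
    cap = jed.mint(delegated_to="bob")  # constructed case: Tyler also knows this token
    ok_bob = jed.invoke("bob", cap, "read", channel_tag(bob_key, cap, "read"))
    # Tyler holds the token but cannot produce a tag under Bob's channel key.
    forged = jed.invoke("bob", cap, "write", channel_tag(tyler_key, cap, "write"))
    ok_tyler = jed.invoke("tyler", cap, "write", channel_tag(tyler_key, cap, "write"))
    return ok_bob, forged, ok_tyler, jed.audit

if __name__ == "__main__":
    print(demo())
```

The shared-key MAC used here convinces only the service itself, since the service also holds each key; evidence that would convince a third party needs per-principal signatures instead.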