[cap-talk] - Karp - Capabilities - tracking responsibility (Was: Bellizzomi - Users in object/capability systems (was: MLS gone bad, Lampson))

Valerio Bellizzomi devbox at selnet.org
Wed Nov 29 14:24:17 CST 2006

On 29/11/2006, at 10.56, Karp, Alan H wrote:

>Jed wrote:
>> When the capability is accessed I want to know that it was 
>> the capability
>> that Tyler delegated to Bob and that the responsibility lies with Bob
>> as opposed to with Tyler.  For this to work it doesn't 
>> suffice for Tyler to
>> create a revocable capability - even one labeled as being for 
>> Bob - that he
>> then sends (by whatever means) to Bob.  The communication must be
>> such that Bob receives a capability that Tyler never had or 
>> was able to
>> access.
>I am assuming that when Tyler uses the capability it is over a channel
>to Jed authenticated as Tyler.  Bob uses the capability over a channel
>authenticated as Bob.  Since Tyler can't set up a channel to Jed
>pretending to be Bob, there is no way Tyler can blame Bob for Tyler's

Are we talking about "non-repudiation" here ?


More information about the cap-talk mailing list