[cap-talk] - Karp - Capabilities - tracking responsibility (Was: Bellizzomi - Users in object/capability systems (was: MLS gone bad, Lampson))

Valerio Bellizzomi devbox at selnet.org
Thu Nov 30 18:38:58 CST 2006

On 29/11/2006, at 16.07, Karp, Alan H wrote:

>Valerio Bellizzomi wrote:
>> >I am assuming that when Tyler uses the capability it is over a
>> >to Jed authenticated as Tyler.  Bob uses the capability over a
>> >authenticated as Bob.  Since Tyler can't set up a channel to Jed
>> >pretending to be Bob, there is no way Tyler can blame Bob for Tyler's
>> >actions.
>> Are we talking about "non-repudiation" here?
>No, audit for assigning responsibility.  Non-repudiation assures Jed
>that Bob cannot deny having taken an action that he actually took.
>Audit for assigning responsibility assures Tyler that Jed won't blame
>Tyler for actions taken by Bob, even if Bob uses a capability that Tyler
>gave him.

I don't see where the difference with non-repudiation is. If Bob can't
deny having taken an action that he actually took, how can Jed blame Tyler
for an action taken by Bob?

