[cap-talk] - Karp - Capabilities - tracking responsibility (Was: Bellizzomi - Users in object/capability systems (was: MLS gone bad, Lampson))
devbox at selnet.org
Thu Nov 30 18:38:58 CST 2006
On 29/11/2006, at 16.07, Karp, Alan H wrote:
>Valerio Bellizzomi wrote:
>> >I am assuming that when Tyler uses the capability it is over a
>> >to Jed authenticated as Tyler. Bob uses the capability over a
>> >authenticated as Bob. Since Tyler can't set up a channel to Jed
>> >pretending to be Bob, there is no way Tyler can blame Bob for Tyler's
>> Are we talking about "non-repudiation" here?
>No, audit for assigning responsibility. Non-repudiation assures Jed
>that Bob cannot deny having taken an action that he actually took.
>Audit for assigning responsibility assures Tyler that Jed won't blame
>Tyler for actions taken by Bob, even if Bob uses a capability that Tyler
I don't see where the difference from non-repudiation is. If Bob can't
deny having taken an action that he actually took, how can Jed blame Tyler
for an action taken by Bob?