[cap-talk] Don't understand capabilities
Mark S. Miller
markm at cs.jhu.edu
Fri Oct 27 00:49:47 CDT 2006
Charles Landau wrote:
>> E1 An URL may be a capability. This one for example (in a
>> non-indexable directory):
>> http://www.notatla.org.uk/MISC/cap-talk/2f065fcf1cf9c77aad421a6ae0dc02a835b94243.html
>
> E1 is a complex example. Basically, a URL is a capability only if you
> assume it is unguessable (non-forgeable) and its internal structure
> (bits) are not observed by the user.
Revealing an unguessable secret would serve the authorization requirement of a
cryptographic capability, but only if we first ensure the authentication
requirement[1], i.e., the Y property[2], so that this secret is only revealed
to the designated target. (Actually, the example URL above is even worse.
Since it says "http:", we can assume its secret will shortly be revealed to
all eavesdroppers on the network.)
If we add to the URL a fingerprint -- a cryptographic hash of the public key
of the designated target's platform, and if we check that an alleged target
handshakes to prove knowledge of the private key, setting up an end-to-end
connection with that target, then we have the Y property. Only then is it safe
to reveal the authorizing secret on this connection.
Other adequate cryptographic representations of distributed capabilities have
been proposed and/or implemented, and some are arguably better. But the above
is one of the simplest adequate solutions.
In any case, even if we ensure by other means that no secrets are revealed to
the wrong party, a cryptographic cap protocol must still enable its holder to
authenticate that an alleged target is the designatee. Cryptographic caps
therefore must be self-authenticating designators[2]. In the standard
scenario, Bob's platform must be able to ensure that the Carol that Bob
connects to is the Carol that Alice meant to introduce Bob to. I'm always
surprised how often this property is overlooked when discussing capabilities.
[1] Chapter 7 of <http://www.erights.org/talks/thesis/>.
[2] http://www.waterken.com/dev/YURL/Definition/
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
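The fingerprint-plus-handshake scheme sketched in the message above (hash of the target platform's public key carried in the URL, a handshake proving knowledge of the matching private key, and only then release of the authorizing secret), as an added Go example that is not code from the post, from E, or from YURL. The `cap://<fingerprint>@host/<secret>` URL shape, the choice of Ed25519 and SHA-256, and the in-process `Handshake` standing in for a network exchange are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"net/url"
)

// Platform models the designated target's platform and its long-lived key pair.
type Platform struct{ Pub ed25519.PublicKey; priv ed25519.PrivateKey }

func NewPlatform() *Platform {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Platform{pub, priv}
}

// Fingerprint is the hex SHA-256 of a platform public key; the URL carries it.
func Fingerprint(pub ed25519.PublicKey) string { s := sha256.Sum256(pub); return hex.EncodeToString(s[:]) }

// Handshake: the alleged target presents its public key and signs the holder's
// fresh nonce, proving it holds the matching private key.
func (p *Platform) Handshake(nonce []byte) (ed25519.PublicKey, []byte) {
	return p.Pub, ed25519.Sign(p.priv, nonce)
}

// Connect is the holder's side. The URL shape cap://<fingerprint>@host/<secret> is
// constructed for this example, not YURL syntax. It returns the secret released
// to the peer, or an error when authentication failed and nothing was sent.
func Connect(capURL string, peer *Platform) (string, error) {
	u, err := url.Parse(capURL)
	if err != nil || u.User == nil || len(u.Path) < 2 {
		return "", errors.New("malformed capability URL")
	}
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh per connection, so a recorded handshake cannot be replayed
	pub, sig := peer.Handshake(nonce)
	// Y property, step 1: the presented key must hash to the fingerprint in the URL.
	if Fingerprint(pub) != u.User.Username() {
		return "", errors.New("fingerprint mismatch: peer is not the designatee")
	}
	// Step 2: the peer must prove possession of the private key right now.
	if !ed25519.Verify(pub, nonce, sig) {
		return "", errors.New("handshake failed: no proof of private key")
	}
	// Only after both checks is the authorizing secret revealed over the connection.
	return u.Path[1:], nil
}
```

An impostor platform that merely knows the host name fails step 1 and never sees the secret, which is the property the message says is so often overlooked.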