[cap-talk] Access Control for Beagles (was: Declaring a victory)

Mark Miller erights at gmail.com
Sun Aug 12 20:26:13 EDT 2007


On 8/12/07, Norman Hardy <norm at cap-lore.com> wrote:
> My stuff below is vague; I am not sure I am asking precise questions.
> [...]
> In short I am not sure what we are discussing in this thread.

Your imprecision reflects our need to clarify. I'll try to do that here.

> At which level is the distinction made between principals?
> If principal X is using code written by Y to accomplish the charter
> of X, who is the principal?

X. This is *not* because anyone, including X, should assume that Y's
code is acting on X's behalf. Rather, it is because, if Y's code in
this context damages Z's assets, Z will hold X responsible. X may very
well hold Y responsible, but that's X's business, not Z's.

> If X invokes a properly confined object that obeys code by Y, is that
> delegation?

Generally not.

> It seems as we are sliding back to the assumption that all of the
> code that a principal X uses does just what X wants it to do.

No.

> Sometimes we say that X relies on all of the code that X invokes.

We are not saying this. Imagine that Y is a beagle breeder. Y's code
is a beagle that X buys. If X's beagle bites Z, Z will sue X. If X
doesn't know how aggressive this cute little beagle might be, it is
X's responsibility to use POLA (fences, leashes, etc) to keep his
beagle from biting Z.

Historically, we've had only identity-based systems in which entities
could be held responsible, or authorization-based systems, in which
entities could act responsibly.
Horton allows Z to hold X responsible by use of coarse-grain
identity-based controls.
Horton does not interfere with X's use of fine-grained authorizations
in order to act responsibly.

> A capability platform is so that X can correctly rely on code Z while
> knowing less about Z than if the platform were conventional.
> This influences the concept of "rely upon"; it is relative to the
> platform we assume.

I'm not sure if we're using "rely" in the same sense.


> I think the magic of Horton is being able to say (and mean) to
> another agency:
>     Do your magic on this here thing, (but I will have a record of
> what it is that you have done.)

That's the logging aspect. The other aspect is to enforce policy based
on such records, such as Z no longer inviting X into his house after
being bitten.

-- 
Text by me above is hereby placed in the public domain

    Cheers,
    --MarkM
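The beagle scenario from the message above, as an added illustration that is not code from the message and is not the Horton protocol itself: Y's beagle is code X cannot inspect, X's leash is the fine-grained POLA side, and Z's house is the coarse-grained, identity-based side that logs every action against the principal who brought the object in and enforces policy on that record. All names, functions and the bite/pet actions are constructed for this example.

```javascript
// Y's code: a beagle X cannot inspect; it bites whenever the host lets it.
function makeBeagle() {
  return {
    visit(host) {
      host.pet();                 // harmless
      if (host.bite) host.bite(); // only possible if X let it reach Z's leg
    },
  };
}

// Z's house: Z invites a principal, not an object. The facet is bound to that
// principal, every action through it is logged against them, and a bite gets
// the principal banned (Z no longer invites X into his house).
function makeHouse() {
  const log = [];
  const banned = new Set();
  return {
    log,
    invite(principal) {
      if (banned.has(principal)) return null;
      const record = (action) => log.push({ principal, action });
      return {
        pet() { record("pet"); },
        bite() { record("bite"); banned.add(principal); },
      };
    },
  };
}

// X's fine-grained authorization (the leash): the beagle receives only the
// facets X chooses, so a bite is simply not reachable through it.
function leash(facet, allowed) {
  return Object.freeze(Object.fromEntries(allowed.map((m) => [m, () => facet[m]()])));
}
// X brings Y's beagle into Z's house, leashed or running loose.
function bringBeagle(house, principal, leashed) {
  const facet = house.invite(principal);
  if (!facet) return "refused"; // Z's policy, enforced from the record
  makeBeagle().visit(leashed ? leash(facet, ["pet"]) : facet);
  return "admitted";
}

// Loose: Z logs the bite against X (not Y) and refuses X next time.
// Leashed: X acted responsibly, so nothing is held against X.
function scenario() {
  const house = makeHouse();
  const first = bringBeagle(house, "X", false);
  const second = bringBeagle(house, "X", false);
  const careful = bringBeagle(makeHouse(), "X", true);
  return { first, second, careful, log: house.log };
}
```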

