[cap-talk] Ben Laurie's Motivating Example

Jed Donnelley JEDonnelley at lbl.gov
Wed Aug 15 11:14:06 EDT 2007


----- Original Message -----
From: Toby Murray <toby.murray at comlab.ox.ac.uk>
Date: Wednesday, August 15, 2007 3:55 am
Subject: [cap-talk] Ben Laurie's Motivating Example
To: cap-talk at mail.eros-os.org

> Ben Laurie has recently posted an interesting "motivating
> example" (although motivating what we're yet to find out) on his blog.
> It's an interesting "challenge problem" for security and access
> control in particular.
> http://feeds.feedburner.com/~r/links/ZvUZ/~3/144078467/
...

> It's one of those examples that appears to scream "capabilities"
> straight away; whose current reliance on IBAC is the source of the
> challenge problem, not its solution.
> 
> However, trying to come up with a way in which a solution could be
> implemented is nonetheless not immediately obvious. For anyone who's
> interested, it'd be great to get some discussion going on this one.
> 
> Cheers
> 
> Toby

I agree that this example 'screams' capabilities - and it points to the
exact problem that the "CapDoc" mechanism is intended to solve.
Since 'CapDoc' is really just wideword and/or Tyler's Web
Calculus/YURL (name?) mechanism with some additional
facilities like 'deep attenuation' and Horton added, please
imagine that structure.

To solve Ben Laurie's problem imagine that both Facebook and
Flickr make their services available with CapDoc capabilities.
However, in this case a statement like:

'I have told Facebook that his Facebook account is allowed to
see my “friends only” pictures.'

seems an unwise and unnecessarily broad sharing of
authority.  Does the above suggest that Facebook and
Flickr know about each others accounts and are somehow
able to enforce each others exported rights?

With the CapDoc approach of course either Facebook or
Flickr can include the other services as capabilities in their
exported objects.  No "accounts" are needed except
perhaps for responsibility tracking and identity based
access control - as Horton supports.

To me this example seems simple with CapDoc.  If
others see a problem then I'll certainly work to explain
how it works in 'CapDoc' as this seems exactly the sort
of thing CapDoc is intended to support.

--JED  http://www.nersc.gov/~jed/
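As an added illustration of the arrangement Jed sketches above (not code from the thread, nor from CapDoc, wideword or Horton): a small Python model in which Flickr exports an album as an unguessable capability, the owner attenuates it to the non-private pictures, and Facebook embeds that attenuated capability in an object of its own, so the friend's Facebook-side token reaches the pictures without Flickr ever knowing about a Facebook account. The `Flickr` and `Facebook` classes, the photo data and the visibility labels are constructed stand-ins for this example.

```python
import secrets
from collections import namedtuple

Photo = namedtuple("Photo", "name visibility")  # visibility: "public", "friends" or "private"

class Flickr:
    """Constructed stand-in for a photo service that exports capabilities."""
    def __init__(self):
        self._caps = {}  # token -> (photos, predicate saying which photos it reveals)
    def _lookup(self, cap):
        if cap not in self._caps:
            raise PermissionError("unknown capability")  # forged or never-issued token
        return self._caps[cap]
    def create_album(self, photos):
        cap = secrets.token_hex(16)  # unguessable: holding the token is the authority
        self._caps[cap] = (photos, lambda p: True)
        return cap
    def attenuate(self, cap, predicate):
        """Derive a narrower capability; the parent's filter is kept, so rights never widen."""
        photos, parent_ok = self._lookup(cap)
        child = secrets.token_hex(16)
        self._caps[child] = (photos, lambda p: parent_ok(p) and predicate(p))
        return child
    def list_photos(self, cap):
        photos, allowed = self._lookup(cap)
        return [p.name for p in photos if allowed(p)]

class Facebook:
    """Constructed stand-in: wraps a Flickr capability in its own exported object."""
    def __init__(self, flickr):
        self._flickr, self._shares = flickr, {}
    def embed_share(self, flickr_cap):
        cap = secrets.token_hex(16)
        self._shares[cap] = flickr_cap  # Flickr never learns who holds the Facebook token
        return cap
    def view_shared_photos(self, cap):
        if cap not in self._shares:
            raise PermissionError("unknown capability")
        return self._flickr.list_photos(self._shares[cap])

def share_friends_pictures():
    """Owner attenuates the album to non-private photos and hands that capability to Facebook."""
    flickr = Flickr()
    album = flickr.create_album([Photo("beach", "public"), Photo("party", "friends"),
                                Photo("passport", "private")])
    friends_cap = flickr.attenuate(album, lambda p: p.visibility != "private")
    facebook = Facebook(flickr)
    return flickr, facebook, album, friends_cap, facebook.embed_share(friends_cap)
```

Because a derived capability always keeps its parent's filter, a holder of the friends-only token cannot re-derive one that reveals the private picture, and a token that was never issued is simply rejected.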
