[cap-talk] Ben Laurie's Motivating Example
Mark Miller
erights at gmail.com
Wed Aug 15 11:51:22 EDT 2007
On 8/15/07, Jed Donnelley <JEDonnelley at lbl.gov> wrote:
> I agree that this example 'screams' capabilities - and it points to the
> exact problem that the "CapDoc" mechanism is intended to solve.
> Since 'CapDoc' is really just wideword and/or Tyler's Web
> Calculus/YURL (name?) mechanism with some additional
> facilities like 'deep attenuation' and Horton added, please
> imagine that structure.
>
> To solve Ben Laurie's problem imagine that both Facebook and
> Flickr make their services available with CapDoc capabilities.
> However, in this case a statement like:
>
> 'I have told Facebook that his Facebook account is allowed to
> see my "friends only" pictures.'
>
> seems an unwise and unnecessarily broad sharing of
> authority. Does the above suggest that Facebook and
> Flickr know about each others accounts and are somehow
> able to enforce each others exported rights?
This sentence by itself does not. But yes, this is the kind of
question the overall scenario is trying to raise. Specifically, I
suggest we take the question to mean: how can we get the functionality
users would desire in such a scenario, but avoid any need for Flickr
and Facebook to rely on each other to enforce their own security?
> With the CapDoc approach of course either Facebook or
> Flickr can include the other services as capabilities in their
> exported objects. No "accounts" are needed except
> perhaps for responsibility tracking and identity based
> access control - as Horton supports.
>
> To me this example seems simple with CapDoc. If
> others see a problem then I'll certainly work to explain
> how it works in 'CapDoc' as this seems exactly the sort
> of thing CapDoc is intended to support.
Please do. I think it would be great to see this example explained in
plain terms, accessible to readers outside cap-talk. I suggest that it
be taken in two phases: first purely ABAC, with no Horton-like
mechanism in the middle. I believe this simpler scenario should be
adequate to answer everything in the original challenge. Second, with
Horton inserted in between the players whose logic was already
explained, to show how Horton adds reactive IBAC controls
non-disruptively.
Another extension to the scenario that would be interesting: Facebook
doesn't even have access to the Flickr photos that its users see
rendered on their Facebook pages. The Facebook pages contain links to
sealed boxes containing the Flickr images. Flickr users get unsealers
that allow Flickr's JavaScript components in their users' browsers'
Facebook page containers to unseal these images and show them inline
in the Facebook pages, but without the containing Facebook JavaScript
being able to alter these Flickr components to steal these photos.
Note: the above scenario does *not* need a trusted path between the
contained component and the user: I am not requiring above that the
user has a way to tell that he's looking at a photo that genuinely
came from Flickr, as opposed to a photo that Facebook substituted.
This trusted path problem is hard, and probably not realistic to try
to solve in the context of this scenario.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
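The sealed-box extension above can be modelled with an ordinary sealer/unsealer pair. The following is an added example, not code from the cap-talk thread or from either service: it builds the pair from a private WeakMap, lets a "container" (standing in for the Facebook page) inspect a box it was handed, lets a "component" (standing in for Flickr's JavaScript running inside that page) unseal and render it, and shows what happens when the container substitutes a box of its own. The names flickr/facebook, the sample photo bytes and the rendered markup are constructed for the demo; the trusted-path question the post sets aside is left open here too.

```javascript
// Added example (not from the cap-talk thread): a sealer/unsealer pair in
// plain JavaScript, used to model the "sealed box" scenario. The names
// flickr / facebook and the sample photo bytes are constructed for the demo.

// makeSealerUnsealerPair returns two closures over one private WeakMap.
// seal() wraps a payload in an opaque box that carries no readable data;
// unseal() recovers the payload only for boxes produced by this seal().
function makeSealerUnsealerPair(brandName) {
  const contents = new WeakMap(); // box -> payload, reachable only here
  function seal(payload) {
    // Frozen and empty apart from a label: nothing to read or tamper with.
    const box = Object.freeze({ brand: brandName });
    contents.set(box, payload);
    return box;
  }
  function unseal(box) {
    // WeakMap.has() is false for foreign boxes and for non-objects alike.
    if (!contents.has(box)) {
      throw new TypeError(`not a box sealed by ${brandName}`);
    }
    return contents.get(box);
  }
  return Object.freeze({ seal, unseal });
}

// --- Flickr side: owns the pair; only seal() output ever leaves it ---
const flickrPair = makeSealerUnsealerPair("flickr");
// Constructed sample "photo": the first four PNG signature bytes stand in
// for an image.
const SAMPLE_PHOTO = {
  id: "photo-42",
  bytes: new Uint8Array([0x89, 0x50, 0x4e, 0x47]),
};
const sealedPhoto = flickrPair.seal(SAMPLE_PHOTO);

// --- Container side (the Facebook page): receives the box to embed ---
// Everything the container can observe about a box by ordinary means.
function containerView(box) {
  return {
    ownKeys: Reflect.ownKeys(box).map(String),
    json: JSON.stringify(box),
    frozen: Object.isFrozen(box),
  };
}

// --- Flickr's component, loaded inside the container page ---
// It holds unseal (a capability the page itself never receives) and renders
// the photo inline. unseal() throws if the box was not sealed by Flickr.
function flickrComponentRender(unseal, box) {
  const photo = unseal(box);
  const b64 = btoa(String.fromCharCode(...photo.bytes));
  return `<img alt="${photo.id}" src="data:image/png;base64,${b64}">`;
}

// Failure mode: the container substitutes a box of its own. The component's
// unseal() rejects it, so the substitution is detectable by the component.
// Nothing here, however, tells the user whether the pixels on screen came
// through Flickr's unsealer or were drawn by the page itself; that is the
// trusted-path problem the post deliberately leaves aside.
function isForeignBox(unseal, box) {
  try {
    unseal(box);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
const facebookPair = makeSealerUnsealerPair("facebook");
const substituteBox = facebookPair.seal({
  id: "not-a-flickr-photo",
  bytes: new Uint8Array([0x00]),
});
```

The point the code makes is purely structural: the box the container holds is a frozen object with one label and no reachable payload, so the container can pass it around, embed it, or drop it, but cannot read or rewrite the image; only code that was handed `unseal` can turn the box back into pixels.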