[cap-talk] Ben Laurie's Motivating Example
benl at google.com
Wed Aug 15 12:36:55 EDT 2007
On 8/15/07, Jed Donnelley <JEDonnelley at lbl.gov> wrote:
> ----- Original Message -----
> From: Toby Murray <toby.murray at comlab.ox.ac.uk>
> Date: Wednesday, August 15, 2007 3:55 am
> Subject: [cap-talk] Ben Laurie's Motivating Example
> To: cap-talk at mail.eros-os.org
> > Ben Laurie has recently posted an interesting "motivating
> > example" (although motivating what we're yet to find out) on his blog.
> > It's an interesting "challenge problem" for security and access
> > control in particular.
> > http://feeds.feedburner.com/~r/links/ZvUZ/~3/144078467/
> > It's one of those examples that appears to scream "capabilities"
> > straight away; whose current reliance on IBAC is the source of the
> > challenge problem, not its solution.
> > However, trying to come up with a way in which a solution could be
> > implemented is nonetheless not immediately obvious. For anyone who's
> > interested, it'd be great to get some discussion going on this one.
> > Cheers
> > Toby
> I agree that this example 'screams' capabilities - and it points to the
> exact problem that the "CapDoc" mechanism is intended to solve.
> Since 'CapDoc' is really just wideword and/or Tyler's Web
> Calculus/YURL (name?) mechanism with some additional
> facilities like 'deep attenuation' and Horton added, please
> imagine that structure.
> To solve Ben Laurie's problem imagine that both Facebook and
> Flickr make their services available with CapDoc capabilities.
> However, in this case a statement like:
> 'I have told Facebook that his Facebook account is allowed to
> see my "friends only" pictures.'
> seems an unwise and unnecessarily broad sharing of
> authority. Does the above suggest that Facebook and
> Flickr know about each other's accounts and are somehow
> able to enforce each other's exported rights?
You are entitled to wiggle the details around as you please, so long
as the abstract problem is solved :-)
> With the CapDoc approach of course either Facebook or
> Flickr can include the other services as capabilities in their
> exported objects. No "accounts" are needed except
> perhaps for responsibility tracking and identity based
> access control - as Horton supports.
> To me this example seems simple with CapDoc. If
> others see a problem then I'll certainly work to explain
> how it works in 'CapDoc' as this seems exactly the sort
> of thing CapDoc is intended to support.
Please explain how this solution preserves my privacy.
> --JED http://www.nersc.gov/~jed/