[cap-talk] Ben Laurie's Motivating Example

Jed Donnelley JEDonnelley at lbl.gov
Wed Aug 15 22:50:53 EDT 2007

----- Original Message -----
From: Ben Laurie <benl at google.com>
Date: Wednesday, August 15, 2007 9:37 am
Subject: Re: [cap-talk] Ben Laurie's Motivating Example
To: jed at nersc.gov, "General discussions concerning capability systems." <cap-talk at mail.eros-os.org>

> On 8/15/07, Jed Donnelley <JEDonnelley at lbl.gov> wrote:
> > ----- Original Message -----
> > From: Toby Murray <toby.murray at comlab.ox.ac.uk>
> > Date: Wednesday, August 15, 2007 3:55 am
> > Subject: [cap-talk] Ben Laurie's Motivating Example
> > To: cap-talk at mail.eros-os.org
> >
> > > Ben Laurie has recently posted an interesting "motivating
> > > example" (although motivating what we're yet to find out) on his blog.
> > > It's an interesting "challenge problem" for security and access
> > > control in particular.
> > > http://feeds.feedburner.com/~r/links/ZvUZ/~3/144078467/
> > ...
> >
> > > It's one of those examples that appears to scream "capabilities"
> > > straight away; whose current reliance on IBAC is the source of the
> > > challenge problem, not its solution.
> > >
> > > However, trying to come up with a way in which a solution could be
> > > implemented is nonetheless not immediately obvious. For anyone who's
> > > interested, it'd be great to get some discussion going on this one.
> > >
> > > Cheers
> > >
> > > Toby
> >
> > I agree that this example 'screams' capabilities - and it points to the
> > exact problem that the "CapDoc" mechanism is intended to solve.
> > Since 'CapDoc' is really just wideword and/or Tyler's Web
> > Calculus/YURL (name?) mechanism with some additional
> > facilities like 'deep attenuation' and Horton added, please
> > imagine that structure.
> >
> > To solve Ben Laurie's problem imagine that both Facebook and
> > Flickr make their services available with CapDoc capabilities.
> > However, in this case a statement like:
> >
> > 'I have told Facebook that his Facebook account is allowed to
> > see my "friends only" pictures.'
> >
> > seems an unwise and unnecessarily broad sharing of
> > authority.  Does the above suggest that Facebook and
> > Flickr know about each others accounts and are somehow
> > able to enforce each others exported rights?
> You are entitled to wiggle the details around as you please, so long
> as the abstract problem is solved :-)
> >
> > With the CapDoc approach of course either Facebook or
> > Flickr can include the other services as capabilities in their
> > exported objects.  No "accounts" are needed except
> > perhaps for responsibility tracking and identity based
> > access control - as Horton supports.
> >
> > To me this example seems simple with CapDoc.  If
> > others see a problem then I'll certainly work to explain
> > how it works in 'CapDoc' as this seems exactly the sort
> > of thing CapDoc is intended to support.
> Please explain how this solution preserves my privacy.

Certainly - as I understand it of course.

My assumptions are that "Facebook" provides documents
along the lines of Wideword that can include text and ocaps
to other objects such as the Flickr pictures or other
Facebook 'pages'.  I assume that both Facebook and Flickr support
Horton and that Facebook supports the 'deep attenuation'
property for pulling capabilities (e.g. wideword/YURL links)
out of its documents.

<note that for the duration of this message I use the
terms "link", "capability", and "ocap" interchangeably>

Finally I assume that I have a rather simple Horton
delegating 'email' system that allows me to send messages
to others and have the capabilities that I send as links
in those messages undergo a Horton delegation transformation
during the send.

Now I create my Facebook main page for myself.  Here is
a read-only ocap to this top level page that for the purposes
of this exposition you can assume that I have sent to
you, my good friends, through a Horton transforming


To follow through with this example you of course have
to use your imagination a bit because wideword doesn't
support Horton or deep attenuation.  Imagine that
I sent a message to each of you (my friends) that contained
a capability like the above that was transformed via
Horton into such a capability that granted read-only
access to my top level personal "Facebook" page.
Further suppose that the capability that I sent to
you was read-only and deeply attenuated so that
all capabilities derived from it were read-only.

Take the above link to look at the content.  If I've
worked wideword correctly, the above link should
actually be read-only and the sub link (capability)
should also be read-only - though this is true
even in my page because wideword doesn't
in fact support deep attenuation.

Also, the capability (link) that you receive is
the same read-only one that I sent, not a
Horton transformed one indicating that it
has been delegated to you individually.
This is another place where imagination is

If you look at the above page you will see inside
that document a capability to my public page.
In my copy of my personal page that link is
of course read-write, but by attenuation of
the read-only copy of the capability that I give
to you, you only get read-only access to it
(again by imagination).

Also in the top level "friends-only" page you
will find a link to some personal content.  Imagine
that to be another Facebook page containing
links to Flickr pictures - again attenuated
to read-only.

At this point if you are imagining as I am (namely
that all my initial assumptions are correct), each
of you has access to my friends-only personal
page and you can look into it and pull out content
such as the "pictures" - that you can assume to be
another Facebook page with capabilities to
Flickr pictures.  You can pull out the pictures,
but others cannot.  Any pictures that are so
pulled out I can see logs for the fetching
(as a delegation) and as they are accessed.

Note that I can interrogate each of my Facebook
pages or my Flickr pictures to determine who
those documents/pictures have been delegated
to.  I of course also get a log of accesses to
these objects by delegate, including the
delegation trail.

If at any point I feel that the access to this
personal content is being abused by any
of you, I can revoke your access individually.

To me this provides quite effective privacy.
Certainly far more than I have for anything
else that can be so combined on the Web.

If you have concerns or issues with such a
mechanism, please share them with the list
and we can work through them.

<note - it appears that wideword has
gone in a somewhat different direction
that I didn't take time to understand.  I
beg your indulgence in ignoring these
new features and imagining it instead
extended as I suggest above>

<also note - this is my last night in New
York City, and I don't know if I will have
Internet access between tomorrow and
next Saturday or Sunday.  Sorry about
that.  Of course if I do (hopefully) I will
respond promptly to any postings of

Thanks for taking time to work through
this example of "CapDoc"!

--JED  http://www.nersc.gov/~jed/
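
A minimal model of the read-only, deeply attenuated, per-recipient delegation with logging and revocation that the message above describes, added here as an illustration and not code from the post, wideword, CapDoc or Horton. The names `Page`, `Grant` and `Owner` are hypothetical, and the delegate label only stands in for Horton's responsibility tracking without implementing its protocol.

```python
class ReadOnly(Exception): pass
class Revoked(Exception): pass

class Page:
    """Constructed stand-in for a document: text plus named links (capabilities)."""
    def __init__(self, text, links=None):
        self.text, self.links = text, dict(links or {})

class Grant:
    """Read-only view held by one delegate. Links pulled out of it are wrapped
    the same way (deep attenuation). Python does not enforce the underscore
    fields; an object-capability language would make them unreachable."""
    def __init__(self, page, delegate, log, revoked, trail=()):
        self._page, self._delegate = page, delegate
        self._log, self._revoked, self._trail = log, revoked, trail
    def _check(self, op):
        if self._delegate in self._revoked:      # revocation is per delegate
            raise Revoked(self._delegate)
        self._log.append((self._delegate, "/".join(self._trail), op))
    def read(self):
        self._check("read")
        return self._page.text
    def follow(self, name):
        self._check("follow:" + name)
        return Grant(self._page.links[name], self._delegate,
                     self._log, self._revoked, self._trail + (name,))
    def write(self, text):
        raise ReadOnly("attenuated capability")  # no write path at any depth

class Owner:
    """Holds the read-write page, hands out one Grant per friend, keeps the log."""
    def __init__(self, root):
        self.root, self.log, self.revoked = root, [], set()
    def delegate(self, who):
        return Grant(self.root, who, self.log, self.revoked)
    def revoke(self, who):
        self.revoked.add(who)

def demo():
    home = Page("friends-only page", {"public": Page("public profile"),
                                      "pictures": Page("holiday photos")})
    jed = Owner(home)
    ben, toby = jed.delegate("ben"), jed.delegate("toby")
    pics = ben.follow("pictures")                # derived capability, still read-only
    seen = pics.read()
    try: pics.write("x"); wrote = True
    except ReadOnly: wrote = False
    jed.revoke("ben")                            # cuts off ben's derived links too
    try: pics.read(); ben_ok = True
    except Revoked: ben_ok = False
    return seen, wrote, ben_ok, toby.read(), jed.log
```

The owner's log records who used which link along which path, and revoking one delegate leaves the other delegates' access untouched.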
