[cap-talk] Wikipedia: Object-capability model - communicating conspirators?
Jed Donnelley
capability at webstart.com
Tue Jan 9 02:59:48 CST 2007
At 09:39 PM 1/8/2007, Bill Frantz wrote:
>...
>My goal on the committee <SPKI> was to make capability
>discipline possible, not to require it. I was dealing
>with the art of the politically possible, and at that,
>I lost the "do not delegate" argument.
Ha! Now that's one I would have loved to be in on. Just to make sure
I'm on the same page, I assume you mean pointing out the obvious
possibility of communicating conspirators:
http://www.erights.org/elib/capability/conspire.html
and thus that if two subjects can communicate bidirectionally
you may as well allow them to share their permissions. Of
course allowing them to do so efficiently and effectively
supplies all the value of delegation (modular systems, etc.,
etc.) at the same time providing the maximum protection
possible from POLA.
What's not to like? You can't stop it in any case and if you
make it effective you get much more modular systems with more
tightly controlled sharing.
Given all that value, I guess it makes perfect sense that a committee
dealing with the "politically possible" would come out against it...
Now that we can demonstrate a facility for delegating responsibility
with identity tracking with that same base "pure capability" delegation,
I wonder if such committees of the politically possible will still
find objections.
Hey BillF, I don't suppose Forest Baskett was on that committee?
I initially wrote up my notes about the "inalienable right
to communicate capabilities" partly in response to a
"do not delegate" bit that Baskett and company put into
the Demos "ports" (like capabilities) system that died an
early death at Los Alamos (not for technical reasons I expect):
Baskett, F., J. H. Howard, and J. T. Montague,
"Task Communication in Demos,"
in Proc. of the Sixth Symposium on Operating System
Principles, Purdue University, November 16-18, 1977
(in ACM Operating Systems Review 11(5), 1977), pp. 23-31.
Hmmm. I think I need to review the thread that MarkM refers to:
http://www.eros-os.org/%7Emajordomo/e-lang/1187.html
which he mentions in the context of "Where Capabilities Fall Short".
Who first coined the phrase "communicating conspirators"?
When was that? Did that start with that page of yours MarkM?
I wasn't involved in these lists (e-lang or cap-talk) at the
time that thread evolved. I'd like to see if the "discipline"
I suggest of considering communicating extraterrestrial
identities might contribute to that discussion. It certainly
would remove the possibility of sex ;-) I looked over that
thread briefly and still haven't found any essential mechanism
that capabilities aren't sufficient for.
In fact (ding), when I read what MarkM wrote on the communicating
conspirators page:
"Ralph Hartley establishes that other security architectures,
including some possible ACL systems, can enforce a subtle
prohibition, having to do with delegation in the Communicating
Conspirators scenario, that capabilities can neither express
nor enforce: for Alice to prohibit Bob from delegating the
power to Mallet in such a way that Bob does not have the
ability to revoke that delegation."
I believe this is just what we established that pure capabilities
CAN do with the delegation of responsibility mechanism that we
discussed recently on the cap-talk list.
Hmmm. Maybe not. I'm not quite sure I understand the above
point. If Bob delegates to Mallet by proxy, then it seems
that Bob can revoke that delegation regardless of any effort
on Alice's part - unless of course Alice communicates directly
to Mallet or somehow allows Mallet access via a channel that
isn't controlled by Bob.
I wonder if I could ask MarkM to explain a bit more what he
means by "for Alice to prohibit Bob from delegating the
power to Mallet in such a way that Bob does not have the
ability to revoke that delegation." I did look at the
examples and can probably spend some more time with them,
but I think it would help if I understood the basic idea
better - at least as MarkM understands it.
This may be relevant to our discussion of delegation of
responsibility. I think we now agree that:
What Alice and Bob can do together is for Alice to delegate
to Bob and Bob to Mallet in such a way that even if Bob
wishes to revoke Mallet's access or if Bob's access is
revoked, Alice can override that revocation and allow
Mallet continued access. Also with the responsibility
tracking mechanism, Alice and Bob can work together to
identify "who" (Horton) was responsible for actions
permitted by a capability - something else that ACLs
seem to provide (as they are based on identities)
but, given communicating conspirators, we know the
limitations of.
I don't believe an ACL system (let me say a more
'pure' ACL system) can do any better.
I believe that a capability system (by that I mean a
capability system in the general sense that I describe
in Managing Domains:
http://www.webstart.com/jed/papers/Managing-Domains/
where a "capability" system is a generalized mechanism
for communicating permissions digitally) can do anything
that an ACL system can do that's possible in terms
of access control. One may have to establish ground
rules that access is only by digital communication
identified by something like a public/private key
pair.
Of course in Managing Domains I describe a "capability"
implementation (communicable permissions in accord with
the "inalienable right" to communicate such permissions)
that's implemented via an ACL mechanism, so for me
these notions are really "just" implementations of
permission communication. I believe the communicating
conspirators opportunity (as I prefer to call it vs.
calling it a "problem") stands above all such mechanisms.
It's why, as MarcS quipped, "permissions want to be
communicated" (or something like that).
Hey, cool. If one now Googles for "Managing Domains",
my paper starting with that title now comes up first in
the results. I expect that's due to the discussions on
the cap-talk list. "DCCS" comes up on the first page
as well. I also find "capability myths" via Google.
Go cap-talk! Having that Web archive is really helping.
Incidentally, does anybody know how this works:
http://acronyms.thefreedictionary.com/NLTSS
? How did they get that acronym mapping? I
assume it was automated. Is Google's spidering
really at the base of much of this sort of mechanism?
--Jed http://www.webstart.com/jed-signature.html
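Editor's note: the revocation and "communicating conspirators" cases argued over in the post above are easy to make concrete with the caretaker (revocable forwarder) pattern from the object-capability literature. The following is an added example, not code from Jed's post, from E, or from any of the systems the thread names. It is a toy in-process Python model: `Resource`, the `holder` label a caller presents, and the Alice/Bob/Mallet chain are all constructed for illustration, and "identity" is nothing more than the string a caller chooses to present.

```python
class Resource:
    """The protected object Alice owns (constructed for this example).
    Records the holder name presented on each call."""

    def __init__(self):
        self.accesses = []

    def use(self, holder):
        self.accesses.append(holder)
        return "ok"


class Revoked(Exception):
    """Raised when a caretaker's forwarder is used after revocation."""


def make_caretaker(target):
    """Caretaker pattern: returns (forwarder, revoke).

    The forwarder relays use() to `target` until revoke() is called; after
    that every call raises Revoked. Whoever holds `forwarder` has the access;
    whoever holds `revoke` can cut it. Neither can recover `target` itself."""
    state = {"target": target}

    class Forwarder:
        def use(self, holder):
            if state["target"] is None:
                raise Revoked(holder)
            return state["target"].use(holder)

    def revoke():
        state["target"] = None

    return Forwarder(), revoke


def can_use(cap, holder):
    try:
        cap.use(holder)
        return True
    except Revoked:
        return False


def delegation_chain():
    """Alice -> Bob -> Mallet built from two caretakers. Alice keeps the
    revoker for Bob's forwarder; Bob keeps the revoker for Mallet's."""
    res = Resource()
    bob_cap, alice_revokes_bob = make_caretaker(res)
    mallet_cap, bob_revokes_mallet = make_caretaker(bob_cap)
    return res, bob_cap, mallet_cap, alice_revokes_bob, bob_revokes_mallet


def bob_revokes_mallet_case():
    """Bob cuts Mallet; Bob's own access is untouched. Returns (True, False)."""
    _, bob_cap, mallet_cap, _, bob_revokes_mallet = delegation_chain()
    bob_revokes_mallet()
    return can_use(bob_cap, "bob"), can_use(mallet_cap, "mallet")


def alice_revokes_bob_case():
    """Alice cuts Bob; everything Bob delegated through his forwarder dies
    with it. Returns (False, False)."""
    _, bob_cap, mallet_cap, alice_revokes_bob, _ = delegation_chain()
    alice_revokes_bob()
    return can_use(bob_cap, "bob"), can_use(mallet_cap, "mallet")


def alice_direct_channel_case():
    """The override the post describes: Alice hands Mallet a second caretaker
    on the resource itself. Bob revoking his delegation and Alice revoking Bob
    leave that path alive, because Bob never held it. Returns (False, True)."""
    res, _, mallet_via_bob, alice_revokes_bob, bob_revokes_mallet = delegation_chain()
    mallet_direct, _alice_revokes_mallet = make_caretaker(res)
    bob_revokes_mallet()
    alice_revokes_bob()
    return can_use(mallet_via_bob, "mallet"), can_use(mallet_direct, "mallet")


def communicating_conspirators_case():
    """A 'do not delegate' rule cannot stop Bob from acting for Mallet. Bob
    keeps bob_cap private and exposes an object that makes each call in Bob's
    own name, so the resource only ever sees Bob. Returns ['bob']."""
    res, bob_cap, _, _, _ = delegation_chain()

    class BobsProxy:
        def use(self, holder):  # Mallet's claimed identity is simply dropped
            return bob_cap.use("bob")

    BobsProxy().use("mallet")
    return res.accesses
```

The first three cases are the pure-capability answer to the quoted Hartley point as the post reads it: Bob can always revoke what he delegated by proxy, and the only way Alice keeps Mallet's access alive is a path that does not run through Bob. The last case is the conspirators argument itself: with any channel between Bob and Mallet, a non-delegation bit is unenforceable, and the resource's access record names Bob, which is exactly the gap a responsibility-tracking layer such as Horton exists to fill.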