[cap-talk] IBAC and Horton
Jed Donnelley
capability at webstart.com
Thu Jan 11 09:46:41 CST 2007
At 03:25 PM 1/10/2007, Stiegler, Marc D wrote:
>Alan invented the term IBAC as an analogy to RBAC, which stands for role
>based access control, which is quite the fad in corporate IT these days.
>So a person steeped in RBAC will immediately recognize the concept of
>IBAC, and this gives a smooth flow into ABAC.

Makes sense.

However, consider the case of Horton (the responsibility delegation
mechanism that we've discussed recently on this list).

Isn't that in some sense "IBAC"? It's based on capabilities and
is fully "ABAC" (if I'm a process/active object and I can communicate
to you, I can send you any permission that I have). However, for
those who play the "who" game it seems to me that it comes pretty
close to being IBAC in the following senses:

1. Services can know "who" (identity) is responsible for service
   requests, and

2. Any subject upstream of some delegations ('responsible' delegations
   through the Horton protocol) can control access by identity. That is,
   they can remove some and put back others.

Even such upstream entities can't add access for identities who have
never received an "authorization" (capability) via the Horton
protocol. In that sense Horton (I like that shorthand term,
do others understand what I'm meaning before we've written
it up?) remains faithful to ABAC, but it seems to me that it
comes about as close to IBAC within an ABAC framework as one
can achieve.

If one imagines an organization that manages all its access
control through an initial Horton delegation to the people in
the organization, then anybody upstream of that initial
delegation (e.g. a sysadmin) can turn off and/or turn on
any of those initial authorizations and any derived
authorizations by identity.

I just thought I'd try to get a reaction from cap-talk to
this approach. Is this IBAC (bad ;-) or ABAC (good)
or the best of both worlds (which of course is what I'm
shooting for)? Might this be a means for ABAC to sell
into an IBAC or even RBAC ("who"s can as easily be roles)
oriented world? In particular allowing modular delegation
(without Horton) within software systems and even to
what can be considered additional identities, but with
suitable administrative controls.

Of course all this must be done efficiently, etc. I
don't believe that to be a fundamental problem if the
base facility sells.

Any thoughts?

--Jed http://www.webstart.com/jed-signature.html
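
A toy Python model of the two properties listed in the message above (a service learns who is responsible for a request; an upstream delegator can switch identities off and back on), added here as an illustration and not part of the original post. It is not the Horton protocol itself, which the message does not specify; the class, service and identity names are all constructed, and Python does not enforce the encapsulation a real capability system would.

```python
# Toy model only: identities, service and class names are constructed for illustration.
class Revoked(Exception):
    """An upstream delegator has switched off an identity on this chain."""


class Delegation:
    """A capability to a service, tagged with the identity held responsible."""

    def __init__(self, service, who, parent=None):
        self._service = service
        self.who = who
        self._parent = parent
        self._blocked = set()  # identities this holder has switched off downstream

    def delegate(self, who):
        # The only way an identity gains access: a holder hands on what it has.
        return Delegation(self._service, who, parent=self)

    def block(self, who):
        self._blocked.add(who)

    def unblock(self, who):
        # Restores a delegation that exists; it cannot mint one that was never made.
        self._blocked.discard(who)

    def invoke(self, request):
        chain, node = [], self
        while node is not None:
            # Each upstream holder may veto any identity downstream of it.
            hit = node._blocked.intersection(chain)
            if hit:
                raise Revoked(f"{sorted(hit)} switched off by {node.who}")
            chain.append(node.who)
            node = node._parent
        # The service sees who is responsible, root delegator first.
        return self._service(chain[::-1], request)


def file_service(chain, request):
    return f"{request} on behalf of {' -> '.join(chain)}"


def is_revoked(cap):
    try:
        cap.invoke("read")
    except Revoked:
        return True
    return False
```

In this model, blocking an identity at the root also cuts off everything that identity delegated onward, while unblocking a name that never received a delegation changes nothing because no capability object exists for it.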