[cap-talk] IBAC and Horton
Jed Donnelley
capability at webstart.com
Thu Jan 11 13:02:26 CST 2007
At 09:02 AM 1/11/2007, Karp, Alan H wrote:
>Jed wrote:
> >
> > Isn't that in some sense "IBAC"? It's based on capabilities and
> > is fully "ABAC" (if I'm a process/active object and I can communicate
> > to you, I can send you any permission that I have). However, for
> > those who play the "who" game it seems to me that it comes pretty
> > close to being IBAC in the following senses:
> >
>The distinction I make between IBAC and ABAC is whether the identity is
>used to decide whether or not to honor an invocation. The identity of
>the requester always is in IBAC. It is not in ABAC.

Except:

>Actually, that's
>not exactly true. Identity can be used in ABAC, for example to revoke
>the rights granted to an individual, but that is not necessarily the
>identity of the requester.

That second was exactly my point. Using Horton allows us to
make access decisions based on identity (the "who" in Horton),
in so far as such distinctions are meaningful in the context of ABAC
(capability) access control - namely, fully recognizing the reality of
communicating conspirators and fully appreciating the
value (POLA + cooperation) of supporting effective delegation
wherever bidirectional communication is possible. I believe what
it really comes down to is that ABAC + Horton functionally
provides IBAC/RBAC with the removal of any "do not delegate" provision
between bidirectionally communicating subjects, thereby providing the
ability to do POLA at the level of software modules.

I'm arguing that if you take the goals of IBAC (or RBAC - doesn't
matter at this level) at the people level and add the value of
ABAC for object level delegation you get a capability system
with a Horton subsystem. Again, I'm arguing that you
get the best of both worlds. Namely, I'm arguing that Horton
does IBAC/RBAC within an ABAC context (system, implementation)
in a way that fully preserves the values of ABAC (POLA, delegation
for modular decomposition).

(still honing my arguments for the paper. Thanks for any feedback).

--Jed http://www.webstart.com/jed/