[cap-talk] Horton at HotSec '07: How broadly object/capability?

Jed Donnelley capability at webstart.com
Mon Jul 9 04:57:17 EDT 2007


At 05:16 PM 7/8/2007, Karp, Alan H wrote:
>I've read through the referee's comments, Jed's, and MarkM's response to
>Jed.  There are two different items that we need to deal with, the paper
>and the talk.  The paper that was accepted is about Horton, and it would
>be irresponsible to rewrite it now to focus on capability systems in
>general at the expense of the topic that was reviewed.  The talk is a
>different matter entirely.  I have no problem spending much more time on
>motivation and referring to the paper in the proceedings for details.

I believe this situation is a bit more complex/flexible than you
suggest above, Alan.

The paper presents Horton as a reference implementation for
responsibility delegation with object/capabilities to
dispute the arguments against the use of object/capabilities
on the basis of their inability to track who did what.
The paper does present, albeit very briefly, the argument
that Horton demonstrates that one of the last remaining
arguments against the use of the object/capability paradigm
for access control can no longer be supported.

Much of the more complete reference implementation of
Horton is already elsewhere on the Web.  If we argue that:

>Since some of the referees were confused about some points, and we're
>not getting more space, I think we should remove the implementation
>details.  We can refer to the tech report or erights.org for people who
>want to see the code.  Depending on how much space we decide to devote
>to motivation, we might even leave out the details of the protocol and
>provide only a sketch.

then I believe that we can legitimately do more than better
motivate the problem that Horton is intended to solve,
but also better motivate how the fact that Horton is
possible strengthens the argument for the use of the
object/capability paradigm in general for access control.
Doing so would provide a solid reference (I believe we can
assume that those participating in the discussion will have
read the position paper) for this broader discussion at the
workshop.

>How long is the talk?

They said 10-15 minutes, though of course the talk
is intended to set the stage for the workshop discussion
that follows.

>In a 20 minute talk, MarkM (I'm not going.) can
>split the time between motivation and protocol.

If you're not going then I'll definitely push to
make it.  I'd like to see as strong a contingent
on the capability side as possible.

Regarding motivation vs. protocol - I don't believe we
need any substantive additional focus either on the
motivation for Horton or the protocol.  The reference
implementation is there for people to view on the Web.
In terms of 'motivation', to me the only substantive
issue is whether or not the ability to audit who did
what with object/capabilities does indeed remove what
is substantively a 'last' barrier to widespread
adoption of the object/capability paradigm for
access control.  To me that nicely sets the stage
for a broad discussion of the value/viability of
the object/capability paradigm for general
access control (e.g. at the language, OS, and
network levels).

>I wouldn't get too hung up on the "Hot" in HotSec.  The paper got
>accepted, so somebody in a position of responsibility thinks it's hot
>enough.

I don't know about the issue of "hot".  I believe the
important choice we have is what to focus the workshop
discussion on and how to best update/edit the paper
to most effectively support that discussion.

What I'm suggesting (arguing) is that the most effective
thing for us to do is to, as you say, "remove the
implementation details" (though I see some difficulties
in doing so and still leaving enough for understanding
the basic idea), and then in addition to motivating
the basic Horton protocol we should set it in the
context of the argument for using object/capabilities
for access control in general.

I believe that unless there is substantive questioning
of whether or not Horton can work as implemented (which
I believe could only come from capability practitioners),
the most relevant focus of discussion will be on the
general value of the object/capability paradigm for
access control - partly in light of any potential
concern about tracking who did what that should now
be answered.

That's where I believe the more general arguments
that I noted in my previous message are applicable
and, I believe, should be added to the paper in
place of removed implementation details (as possible).

--Jed  http://www.webstart.com/jed-signature.html