[cap-talk] Horton context presentation
David Hopwood
david.hopwood at industrial-designers.co.uk
Sat Jul 14 18:12:22 EDT 2007
Jed Donnelley wrote:
> [...] I still feel that accurately describing
> what the motivation was for Horton as it arose on cap-talk
> after the review of P1-935 is the more appropriate/effective
> approach. I believe there is a very large community interested
> in computer security for which the criticisms of P1-935
> (Rainbow, Orange Book, etc., etc.) still ring very true.
Jed, I think that you place a much higher significance on this
paper than the majority of other people here.
P1-935 is a very badly written and badly argued paper. Even its
initial definition of what characterises a capability system
is misleading:
# In capability systems, access to an object is restricted based
# on the subject having possession of a particular string of bits,
# called a capability.
given that *none* of the capability systems it purported to
have taken into account (PSOS, Burroughs B5500, CAL-TSS, Hydra,
Plessey System 250, IBM System 38, Intel iAPX 432 and CAP) are
password cap systems.
In any case, the authors have a major blind spot when it comes
to sanity checking the claims they consider to be disadvantages
of cap systems. For instance:
# Finding all capabilities that one subject can access requires
# searching the transitive closure of all objects that can be read
# by that user.
Yes. Now, how do we find all the objects that one subject can access
(possibly via other subjects) in an ACL system?
The paper makes so many mistakes that I can place little weight on
anything it says. For me, this particular paper is not a motivating
factor in developing responsibility tracking protocols for capability
systems. Those are needed anyway.
--
David Hopwood <david.hopwood at industrial-designers.co.uk>
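An added illustration of the reachability point made above (example code, not part of the original thread): in both models, answering "what can this subject reach?" is a transitive-closure walk over a graph. The data and the "act as" edges for the ACL model are constructed assumptions, standing in for mechanisms such as running a program under another subject's authority.

```python
# Added example (not from the original post): reachability audit in both
# models, showing that "everything subject S can reach" is a transitive
# closure in an ACL system just as it is in a capability system.
from collections import deque

# Capability model: a subject holds a c-list; a readable object may itself
# store capabilities (think of a directory or a c-list object).
CAP_HOLDINGS = {                       # constructed sample data
    "alice": {"dir1"},
    "bob":   {"secret"},
}
OBJECT_CONTENTS = {                    # caps stored inside readable objects
    "dir1":   {"file_a", "dir2"},
    "dir2":   {"file_b"},
    "secret": set(),
    "file_a": set(), "file_b": set(),
}

def cap_reach(subject):
    """Objects `subject` can reach by following stored capabilities."""
    seen, todo = set(), deque(CAP_HOLDINGS.get(subject, ()))
    while todo:
        obj = todo.popleft()
        if obj in seen:
            continue
        seen.add(obj)
        todo.extend(OBJECT_CONTENTS.get(obj, ()))
    return seen

# ACL model: each object lists the subjects allowed to access it, and a
# subject may be able to act as another subject (assumed here: e.g. a job
# that runs with that subject's authority, or a delegation rule).
ACL = {                                # constructed sample data
    "file_a": {"alice"}, "file_b": {"svc"},
    "secret": {"bob"},   "config": {"alice"},
}
ACT_AS = {                             # subject -> subjects it can act as
    "alice": {"svc"},                  # e.g. alice can launch the svc job
    "svc":   set(), "bob": set(),
}

def acl_reach(subject):
    """Objects reachable once the closure over 'act as' edges is taken."""
    principals, todo = set(), deque([subject])
    while todo:
        p = todo.popleft()
        if p in principals:
            continue
        principals.add(p)
        todo.extend(ACT_AS.get(p, ()))
    return {obj for obj, allowed in ACL.items() if allowed & principals}
```

Both functions are the same breadth-first closure; only the edge relation differs, which is the symmetry the argument above relies on.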