[cap-talk] What Horton can do: accountability in cap systems.

Karp, Alan H alan.karp at hp.com
Sun Jun 3 01:09:57 EDT 2007


Jed wrote:
> 
> I expect that we have at least one element of agreement
> regarding a lack of understanding in that paper and in
> the dominant view - namely with regard to what we've more
> recently referred to as the "cooperating conspirators"
> 'problem'.  The authors of P-1935 and I believe actually
> most in the IT community don't appreciate the impossibility
> of blocking the sharing of authority among communicating
> entities ("conspirators").  When they reflect on what
> seems to them a lack of control in capability systems
> (the open sharing of capabilities across communication
> links) I believe their expressed concerns don't show
> adequate appreciation for the fact that blocking such
> sharing of authority (e.g. proxying) is impossible
> in any system.
> 
I believe people have another concern, enforcing organizational policy.
Say that Alice wants to delegate to Bob her access to Carol, but that
delegation would violate some policy.  Alice wishes to obey policy, but
she may not be aware of it, so she won't simply proxy Bob's requests.
In an ACL system, an administrator must update the permissions and won't
implement delegations that violate policy.  With capabilities, there is
nobody to control delegations. 

It's still a false sense of control.  Only a very small percentage of
all delegations might violate policy.  By making all delegations hard,
people bypass the administrator and proxy requests or share credentials
just to get their jobs done.  The result is that policy isn't enforced.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
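The proxying argument above, as an added Python sketch that is not part of Alan's post, of the P-1935 paper, or of Horton: Carol enforces an identity-based policy that names only Alice, and a plain hand-over of the reference is refused when Bob calls as himself, yet a forwarder that Alice runs in her own name goes through, and Carol's own record shows only Alice. All class and principal names are constructed for the example.

```python
# Constructed example: the "cooperating conspirators" point from the post.
# A policy check on the callee cannot distinguish Alice acting for herself
# from Alice forwarding Bob's requests; only Alice can tell the difference.

class Carol:
    """Resource protected by an ACL-style identity check (constructed)."""

    def __init__(self, allowed):
        self.allowed = set(allowed)   # principals the policy names
        self.served = []              # what Carol can observe afterwards

    def read(self, principal, item):
        # Refuse anyone the policy does not name.
        if principal not in self.allowed:
            raise PermissionError(principal)
        self.served.append((principal, item))
        return f"{item}:{principal}"


class Alice:
    """Holds the reference to Carol and has two ways to let Bob use it."""

    def __init__(self, carol):
        self._carol = carol

    def delegate(self):
        # Direct delegation: hand Bob the reference itself.
        # Bob then calls as himself and the identity check stops him.
        return self._carol

    def proxy(self):
        # Proxying: keep the reference and forward Bob's requests in
        # Alice's own name. No check at Carol can block this.
        carol = self._carol

        class Forwarder:
            def read(self, _principal, item):
                return carol.read("alice", item)

        return Forwarder()


def run_scenario():
    """Run both paths and report what Bob got and what Carol saw."""
    carol = Carol(allowed=["alice"])
    alice = Alice(carol)
    results = {}
    try:
        alice.delegate().read("bob", "report")
        results["direct"] = "allowed"
    except PermissionError:
        results["direct"] = "refused"
    results["via_proxy"] = alice.proxy().read("bob", "report")
    results["carol_saw"] = list(carol.served)   # only Alice appears
    return results
```

Carol's record shows a single request from Alice; attributing it to Bob requires Alice's cooperation, which is the accountability gap the thread's subject refers to.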