[cap-talk] What Horton can do: accountability in cap systems.
Jed Donnelley
capability at webstart.com
Sun Jun 3 01:58:12 EDT 2007
At 10:09 PM 6/2/2007, Karp, Alan H wrote:
>Jed wrote:
> >
> > I expect that we have at least one element of agreement
> > regarding a lack of understanding in that paper and in
> > the dominant view - namely with regard to what we've more
> > recently referred to as the "cooperating conspirators"
> > 'problem'. The authors of P-1935 and I believe actually
> > most in the IT community don't appreciate the impossibility
> > of blocking the sharing of authority among communicating
> > entities ("conspirators"). When they reflect on what
> > seems to them a lack of control in capability systems
> > (the open sharing of capabilities across communication
> > links) I believe their expressed concerns don't show
> > adequate appreciation for the fact that blocking such
> > sharing of authority (e.g. proxying) is impossible
> > in any system.
> >
>I believe people have another concern, enforcing organizational policy.
>Say that Alice wants to delegate to Bob her access to Carol, but that
>delegation would violate some policy. Alice wishes to obey policy, but
>she may not be aware of it, so she won't simply proxy Bob's requests.
>In an ACL system, an administrator must update the permissions and won't
>implement delegations that violate policy. With capabilities, there is
>nobody to control delegations.
>
>It's still a false sense of control. Only a very small percentage of
>all delegations might violate policy. By making all delegations hard,
>people bypass the administrator and proxy requests or share credentials
>just to get their jobs done. The result is that policy isn't enforced.
I agree. Though this general example wasn't present in P-1935,
I believe it was indirectly referred to through mechanisms like
MLS that have their own sorts of policies.
When you say "With capabilities, there is nobody to control delegations.",
what about when using Horton on top of an object/capability system?
In that case if people play the Horton game, then I believe they
can leave enforcement of such policies to an administrative system.
I believe there is value to being able to use an administrative
support system for some such purposes. For example:
1. If anybody leaves the board group, remove their access to board material.
2. If somebody no longer has "signature authority", disable their
permission to approve purchases (above certain amounts, etc., etc.).
...
I know there are many such policies that I'd just as soon
leave to a policy engine rather than deal with individually
myself. If I need to communicate a specific capability, I
can do so independent of any Horton mechanism. I just do
so without going through the Horton protocol. In that case
I remain responsible for any actions enabled by the capability.
That seems reasonable to me.
--Jed http://www.webstart.com/jed-signature.html
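Added example, not part of the thread and not the Horton protocol itself: a toy object-capability model in Python with a much simplified, assumed "accountability layer" standing in for the Horton bookkeeping Jed refers to. Every delegation made through the layer gets its own revocable link recorded against the recipient, so an administrative policy engine can carry out policy 1 from the message (leaving the board group removes access to board material). A capability shared outside the layer, Alice proxying Bob's requests herself, keeps working but is attributed to Alice, which is the "I remain responsible" case. All names (`AccountabilityLayer`, `PolicyEngine`, the principals and the resource) are constructed for the example.

```python
# Toy object-capability model with a Horton-like accountability layer.
# Assumption: this is a simplification for illustration, not the real Horton protocol.

class Revoked(Exception):
    """Raised when a revoked capability, or one upstream of it, is invoked."""


class Resource:
    """The protected object. Constructed example: the board's material."""
    def __init__(self, name):
        self.name = name
        self.access_log = []          # (principal held responsible, action)

    def read(self, actor):
        self.access_log.append((actor, "read"))
        return f"<{self.name}>"


class Capability:
    """Unforgeable reference to a Resource or to another Capability.
    Invocations flow down the chain, so revoking one link also cuts off
    everything that was delegated from it."""
    def __init__(self, target):
        self._target = target
        self._revoked = False

    def revoke(self):
        self._revoked = True

    def invoke(self, actor):
        if self._revoked:
            raise Revoked("capability revoked")
        if isinstance(self._target, Capability):
            return self._target.invoke(actor)
        return self._target.read(actor)


class AccountabilityLayer:
    """Horton-style bookkeeping (assumed simplification): delegations made
    through the layer are recorded per recipient as revocable links, and
    invocations through the layer are attributed to the holder making them."""
    def __init__(self):
        self.grants = {}              # recipient -> [(delegator, link)]

    def delegate(self, delegator, recipient, cap):
        link = Capability(cap)
        self.grants.setdefault(recipient, []).append((delegator, link))
        return link

    def invoke(self, holder, cap):
        return cap.invoke(holder)

    def revoke_all(self, principal):
        """Administrative action: disable every link delegated to principal via the layer."""
        links = self.grants.pop(principal, [])
        for _, link in links:
            link.revoke()
        return len(links)


class PolicyEngine:
    """Policy 1 from the message: leaving the board group removes board access."""
    def __init__(self, layer):
        self.layer = layer
        self.board = set()

    def join_board(self, who):
        self.board.add(who)

    def leave_board(self, who):
        self.board.discard(who)
        return self.layer.revoke_all(who)


def run_scenario():
    material = Resource("board-material")
    layer = AccountabilityLayer()
    policy = PolicyEngine(layer)
    for who in ("alice", "bob"):
        policy.join_board(who)

    alice_cap = layer.delegate("admin", "alice", Capability(material))
    bob_cap = layer.delegate("alice", "bob", alice_cap)   # delegation through the layer
    layer.invoke("bob", bob_cap)                          # attributed to bob

    revoked = policy.leave_board("bob")                   # administrative revocation
    try:
        layer.invoke("bob", bob_cap)
        bob_after = "allowed"
    except Revoked:
        bob_after = "revoked"

    # Alice shares outside the protocol by proxying Bob's request herself:
    # it still works, and the log holds Alice responsible for it.
    proxy_for_bob = lambda: alice_cap.invoke("alice")
    proxy_for_bob()
    return {"revoked_links": revoked, "bob_after_leaving": bob_after,
            "access_log": material.access_log}


if __name__ == "__main__":
    print(run_scenario())
```

The contrast in `run_scenario` is the point of the message: the policy engine can only act on delegations it can see, and the one it cannot see is charged to the person who chose to bypass the layer.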