[cap-talk] What Horton can do: accountability in cap systems.
James A. Donald
jamesd at echeque.com
Sun Jun 3 17:43:02 EDT 2007
Jed Donnelley:
> Of course in capability systems we can block user
> authentication and thus new connections to "shell"
> processes that are trusted with a user's resources.
> However, once an account is compromised or otherwise
> abused, it is difficult in all capability systems that
> I'm aware of to block access through capabilities that
> were communicated, delegated, or are being proxied.
I don't see why. The problems you are discussing arise
primarily on large networks with many users. Let us
consider the case that an identity is a public key and
url, and capabilities are shared secret unguessable
urls. Presumably when a capability is issued, we know
what identity we issued it to, and record that in the
database that enables the capability. If the recipient
of that capability let adversaries get hold of one
capability, then we cancel that capability, but if the
recipient let adversaries get hold of several
capabilities, then probably all the capabilities issued
to that identity are subverted, so we cancel all
capabilities issued to that identity.
> To which I again and enthusiastically say, bring on
> those ideas for simplifications!
But you keep ignoring those ideas.
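The revocation scheme sketched above (capabilities as unguessable URLs, each recorded against the identity it was issued to; revoke one on a single leak, revoke everything that identity holds once several have leaked) as a worked example. This is added illustration code, not code from the post or from any capability system; the store, the base URL and the two-leak threshold are assumptions chosen here.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical base for capability URLs (assumption, not from the post).
BASE = "https://cap.example.invalid/c/"


@dataclass
class CapabilityStore:
    """Registry behind the capability URLs. Each token is recorded against the
    identity it was issued to, so a compromise can be traced back and revoked."""
    leak_threshold: int = 2          # assumption: 2nd leak by one identity => revoke all it holds
    _caps: dict = field(default_factory=dict)    # token -> {"identity": str, "active": bool}
    _leaked: dict = field(default_factory=dict)  # identity -> set of tokens reported leaked

    def issue(self, identity: str) -> str:
        """Mint an unguessable URL and remember which identity it was issued to."""
        token = secrets.token_urlsafe(32)        # 256 bits of randomness
        self._caps[token] = {"identity": identity, "active": True}
        return BASE + token

    @staticmethod
    def _token(url: str) -> str:
        return url.rsplit("/", 1)[-1]

    def authorize(self, url: str) -> bool:
        """True only for a known, unrevoked capability."""
        entry = self._caps.get(self._token(url))
        return entry is not None and entry["active"]

    def active_for(self, identity: str) -> int:
        """Number of capabilities an identity still holds."""
        return sum(1 for e in self._caps.values()
                   if e["identity"] == identity and e["active"])

    def report_leak(self, url: str) -> int:
        """Handle a capability observed in the wrong hands.

        Revokes that capability. If the issuing identity has now leaked
        `leak_threshold` or more distinct capabilities, treat the identity as
        subverted and revoke everything issued to it.
        Returns the number of capabilities revoked by this call."""
        token = self._token(url)
        entry = self._caps.get(token)
        if entry is None:
            return 0                              # unknown token: nothing to revoke
        identity = entry["identity"]
        self._leaked.setdefault(identity, set()).add(token)
        revoked = 0
        if entry["active"]:
            entry["active"] = False
            revoked += 1
        if len(self._leaked[identity]) >= self.leak_threshold:
            for e in self._caps.values():
                if e["identity"] == identity and e["active"]:
                    e["active"] = False
                    revoked += 1
        return revoked


if __name__ == "__main__":
    store = CapabilityStore()
    a1, a2, a3 = (store.issue("alice") for _ in range(3))
    b1 = store.issue("bob")
    print("first leak revoked:", store.report_leak(a1))    # only a1
    print("second leak revoked:", store.report_leak(a2))   # a2 and the remaining a3
    print("alice still holds:", store.active_for("alice"), "bob:", store.active_for("bob"))
```

Authorization is a single dictionary lookup, so the cost of keeping the issued-to record is paid only at issue time and on revocation; the threshold is the policy knob the post leaves open ("several"), and the store counts distinct leaked tokens rather than leak reports, so re-reporting the same capability does not escalate.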