[cap-talk] Identity tokens (e.g. Kerberos) for responsibility labeling of capability invocations
Karp, Alan H
alan.karp at hp.com
Mon Jun 11 17:06:53 EDT 2007
Jed wrote:
>
> If I'm still missing something, perhaps Alan can explain to
> me how "at the end of the day it (the identity token approach)
> becomes at least as complicated as Horton." by explaining
> how (or whether) an active object can act (safely) with the
> responsibility of more than one identity with the Kerberos approach.
>
Here's where the complexity starts. If Carol has a means to distinguish
the capability-as-data that she gave to David from the one she gave to
Alice, then Carol can know that David is responsible for Bob's access.
That's unlike Horton where David can choose to keep Bob out of the
responsibility chain. Alice could give to Bob a different right to
Carol. Bob could use the right he got from Alice and the one he got
from David in a single request. There is no difference from what
happens with Horton, except that Carol knows Bob issued the request. I
don't see where any deputies get confused.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
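
A minimal model of the arrangement described in the message above, added here as an illustration; it is not code from the post, from Horton, or from Kerberos. Assumptions: the `Carol` class, an HMAC standing in for a Kerberos-style identity token (with Carol holding the verification key), and the rights "read" and "append" are all constructed for the example.

```python
import hashlib
import hmac
import secrets

class Carol:
    """Resource owner that labels each request with who is responsible (constructed model)."""

    def __init__(self):
        self._id_key = secrets.token_bytes(32)  # assumption: stands in for the identity service key
        self._issued = {}                       # capability-as-data -> (original grantee, right)

    def identity_token(self, name):
        # Stand-in for an identity ticket: binds a name to a MAC that Carol can verify.
        mac = hmac.new(self._id_key, name.encode(), hashlib.sha256).hexdigest()
        return (name, mac)

    def grant(self, grantee, right):
        # A fresh unguessable value per grantee lets Carol tell David's copy from Alice's.
        cap = secrets.token_hex(16)
        self._issued[cap] = (grantee, right)
        return cap

    def invoke(self, token, caps):
        # One request may carry several capabilities obtained from different parties.
        name, mac = token
        expected = hmac.new(self._id_key, name.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            raise PermissionError("identity token does not verify")
        labels = []
        for cap in caps:
            if cap not in self._issued:
                raise PermissionError("unknown capability")
            grantee, right = self._issued[cap]
            # Carol learns who issued the request and which grantee passed the right along.
            labels.append({"right": right, "requester": name, "responsible": grantee})
        return labels

def demo():
    carol = Carol()
    cap_david = carol.grant("David", "read")    # constructed right
    cap_alice = carol.grant("Alice", "append")  # a different right, as in the message
    # David and Alice each hand their capability-as-data to Bob (a plain data copy).
    bob = carol.identity_token("Bob")
    return carol.invoke(bob, [cap_david, cap_alice])

if __name__ == "__main__":
    for label in demo():
        print(label)
```

Each label pairs the authenticated requester (Bob) with the grantee whose copy of the capability was used, which is the point at which David cannot keep Bob out of the responsibility chain.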