[cap-talk] Reference implementation of Federated AccessManagement ready for review

[Karp, Alan H]

Pierre Thierry wrote:
> 
> I didn't read the code, only the report. How is revocation managed? As
> the scenario described doesn't seem to involve caretakers, is 
> revocation
> of a capability made by emitting a cryptographically signed 
> revocation?
> Does that mean that revocation could fail if the revocation is not
> received?
> 
Revocation is done by sending a Revoke message to the service.  It will
fail if the request cannot reach the service.  If that's a problem, you
can set up a service of your own as a forwarder.  Even without that,
revocation with ABAC is far simpler that what's currently "best
practice" in the web services world.
> 
> BTW, as it was said earlier, that's probably exactly the kind of work
> that could really help advocating POLA and ABAC: retrofitting them in
> existing technologies.

That's our hope.
> 
> Is it already used in productions systems?
> 
Not to the best of my knowledge.  Once we've collected comments and
released the tech report, I will forward a link to people I know are
implementing SOA.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp