[cap-talk] Reference implementation of Federated AccessManagement ready for review

Karp, Alan H alan.karp at hp.com
Thu Jun 21 12:11:57 EDT 2007

Pierre Thierry wrote:
> I didn't read the code, only the report. How is revocation managed? As
> the scenario described doesn't seem to involve caretakers, is 
> revocation
> of a capability made by emitting a cryptographically signed 
> revocation?
> Does that mean that revocation could fail if the revocation is not
> received?
Revocation is done by sending a Revoke message to the service.  It will
fail if the request cannot reach the service.  If that's a problem, you
can set up a service of your own as a forwarder.  Even without that,
revocation with ABAC is far simpler that what's currently "best
practice" in the web services world.
> BTW, as it was said earlier, that's probably exactly the kind of work
> that could really help advocating POLA and ABAC: retrofitting them in
> existing technologies.

That's our hope.
> Is it already used in productions systems?
Not to the best of my knowledge.  Once we've collected comments and
released the tech report, I will forward a link to people I know are
implementing SOA.

Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029

More information about the cap-talk mailing list