[cap-talk] Delegation/Proxy equivalence and limited lifespan objects?
daw at cs.berkeley.edu
Mon Nov 12 12:51:26 EST 2007
Rob Meijer writes:
>When trying to defend that proxying and delegation of permissions would
>be equivalent from an authority point of view,
They're not equivalent. But proxying does show that you can't prevent
delegation: even if you try to outlaw it in your access control system,
if Alice and Bob can communicate, Alice can take actions that have
essentially the same effect as delegating her permission to Bob, for
all relevant security purposes. Put another way, if you have a security
requirement that you think is violated in the presence of delegation,
it's probably violated even in the absence of delegation, too.
>the following was brought as an argument against delegation:
>If Alice delegates a permission to Bob and Bob re-delegates it to Carol,
>the equivalence seems to only apply if Bob has an unlimited lifetime.
Sure, of course. But this doesn't contradict anything I wrote above.
Outlawing delegation still seems to be of dubious value. If you believe
in the slogan "Don't outlaw what you can't prevent", then outlawing
delegation makes no sense. From a security point of view, the defenders
can't *count on* Bob to always have a limited lifetime; they have to
assume the worst.
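An added illustration in Python (not code from the thread) of the two points above: a forwarder gives Bob the same effective authority as handing him the capability, but a forwarder chain lasts only as long as Bob's forwarder, while a delegated reference does not depend on Bob at all. The dict-backed "file store" and the path are constructed sample values.

```python
# Constructed toy capability model: holding a reference IS the authority.
class Capability:
    """Authority to write one path in a store (the store stands in for a file system)."""
    def __init__(self, path, store):
        self._path, self._store = path, store

    def write(self, data):
        self._store[self._path] = data
        return len(data)


class Forwarder:
    """A proxy: relays calls to its target while its owner is 'alive' (not revoked)."""
    def __init__(self, target):
        self._target = target

    def write(self, data):
        if self._target is None:
            raise PermissionError("forwarder revoked: its owner's lifetime ended")
        return self._target.write(data)

    def revoke(self):
        self._target = None


def delegation_chain(store):
    """Alice hands Bob her capability; Bob hands it to Carol. Bob's lifetime is irrelevant."""
    alice = Capability("/tmp/report", store)
    bob = alice          # delegation: Bob holds the very same reference
    carol = bob          # re-delegation to Carol
    del bob              # Bob goes away; Carol's authority is untouched
    return carol.write("v1")


def proxy_chain(store):
    """Alice proxies for Bob; Bob proxies for Carol. Carol's access ends with Bob's forwarder."""
    alice = Capability("/tmp/report", store)
    bob = Forwarder(alice)       # no delegation in the system, just forwarding
    carol = Forwarder(bob)       # Bob re-proxies for Carol
    while_bob_alive = carol.write("v1")   # same effect as delegation
    bob.revoke()                          # Bob's limited lifetime ends
    try:
        carol.write("v2")
        after_bob = True
    except PermissionError:
        after_bob = False
    return while_bob_alive, after_bob
```

Both chains let Carol write while Bob is around, which is the equivalence argument; only the proxy chain is bounded by Bob's lifetime, which is what a defender cannot count on.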