[cap-talk] Architectural Choices: How to migrate from IBAC to OBAC = Object-Based Access Control?
Karp, Alan H
alan.karp at hp.com
Wed Nov 14 18:15:22 EST 2007
Jed wrote:
>
> Referring to Capability-Based Access Control
> as "Authorization-Based Access Control" makes
> no sense to me.
A capability is an authorization, but an authorization is not
necessarily a capability. For example, while we use SAML certificates
as capabilities in our Zebra Copy paper, not every implementation will.
The application API might take a filename as an argument, so the
programmers will pass the SAML certificate authorizing access in another
part of the SOAP message. That's weaker but better than relying on
authentication.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
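
The distinction drawn in the message above, as an added example that is not part of the original post or of the Zebra Copy work: one API takes a filename with the authorization carried separately, the other takes a single token that both designates and authorizes. An HMAC-signed string stands in for the SAML certificate, and the key, file names and function names are all assumptions made for the illustration.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"          # constructed key, for the example only
FILES = {"a.txt": "alpha", "b.txt": "bravo"}  # constructed sample resources


def _mac(body: str) -> str:
    return hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue(resource: str, right: str) -> str:
    """Signed statement 'bearer may <right> <resource>' (stand-in for a SAML certificate)."""
    body = f"{resource}|{right}"
    return f"{body}|{_mac(body)}"


def verify(token: str):
    """Return (resource, right) if the signature checks out, else None."""
    parts = token.rsplit("|", 2)
    if len(parts) != 3:
        return None
    resource, right, mac = parts
    expected = _mac(f"{resource}|{right}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return resource, right


def read_with_separate_authorization(filename: str, token: str) -> str:
    """API takes a filename; the authorization rides elsewhere in the message."""
    claim = verify(token)
    if claim is None or claim[1] != "read":
        raise PermissionError("invalid authorization")
    # Designation and authorization arrive separately, so the service has to
    # bind them itself: does this authorization cover the file that was named?
    if claim[0] != filename:
        raise PermissionError("authorization does not cover " + filename)
    return FILES[filename]


def read_with_capability(token: str) -> str:
    """The token is the only argument: it both designates the file and authorizes access."""
    claim = verify(token)
    if claim is None or claim[1] != "read":
        raise PermissionError("invalid capability")
    return FILES[claim[0]]
```

In the filename-taking variant, the comparison between the named file and the authorized resource is a check the service must remember to make; in the capability variant there is no second designator to compare against.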