[cap-talk] Architectural Choices: How to migrate from IBAC to OBAC = Object-Based Access Control?

Jed Donnelley jed at nersc.gov
Wed Nov 14 20:48:36 EST 2007


On 11/14/2007 3:15 PM, Karp, Alan H wrote:
> Jed wrote:
>> Referring to Capability-Based Access Control
>> as "Authorization-Based Access Control" makes
>> no sense to me.  
> 
> A capability is an authorization, but an authorization is not
> necessarily a capability.

My concern is at a higher level: when communicating with people
who aren't "into" the field of authorizing with capabilities.

Certainly as you say, "A capability is an authorization, but an
authorization is not necessarily a capability."  In particular
Identity Based Access Control mechanisms like ACLs
do authorizations, but not with capabilities.  That was
my basic point.  I believe that to most people the phrase:

"Authorization Based Access Control"

doesn't communicate anything.  All access control is
"authorization based".

Diving down into more detail from your message, regarding:

> For example, while we use SAML certificates
> as capabilities in our Zebra Copy paper, not every implementation will.

Of course.  However, regarding:

> The application API might take a filename as an argument, so the
> programmers will pass the SAML certificate authorizing access in another
> part of the SOAP message.  That's weaker but better than relying on
> authentication.

I'm afraid you lost me in the details of the first sentence above.
Regarding the second, when you say "better than relying on
'authentication'", I assume you mean "identity" authentication?

Perhaps I'm pushing the terminology a bit, but isn't there
an "authentication" step even in using capabilities for
access control?  Namely, something (generally either a
service provider or an underlying TCB) must verify that
the capability is authentic.  Once that happens then the
permission granted in the capability can be assumed
to be correct - authentication and then authorization -
even with capabilities.

I know that's what I hear from many computer security
people for whom the authentication/authorization
steps are a mantra.  I personally don't want to fight
that thinking.  I'd rather just deflect it a bit
by moving it away from Identity authentication followed
by Identity Based Access Control (authorization decisions
based on the authenticated identity - whether using
policies based on Roles or on Context or ...) to what
amounts to Object (reference) authentication followed
by Object Based Access Control - with all the
corresponding values that are so near and dear to
us on cap-talk.

Sorry to use so many words.  I'm trying to use more
to try to unearth any inconsistencies there might
be in the way I'm using the terminology.

I'm trying to bend our terminology so that it will
make sense to general computer security people who
aren't steeped in capability phraseology.

--Jed  http://www.webstart.com/jed/
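
Added example, not part of the original message or of any system it mentions: a minimal Python sketch of the two sequences contrasted above, identity authentication followed by an ACL lookup versus authentication of the object reference followed by reading the permission out of it. The HMAC-tagged string used as a capability, and every name and value here, are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; all names below are hypothetical.
SERVICE_KEY = secrets.token_bytes(32)       # known only to the service provider
ACL = {"report.txt": {"alice": {"read"}}}   # IBAC policy: object -> identity -> rights
PASSWORDS = {"alice": "correct horse"}      # stand-in for identity authentication


def ibac_access(user, password, obj, right):
    """Identity authentication, then authorization looked up under that identity."""
    stored = PASSWORDS.get(user, "").encode()
    authenticated = hmac.compare_digest(stored, password.encode())
    return authenticated and right in ACL.get(obj, {}).get(user, set())


def mint_capability(obj, rights):
    """Service issues an unforgeable reference naming an object and its rights."""
    body = f"{obj}|{','.join(sorted(rights))}"
    tag = hmac.new(SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def obac_access(capability, right):
    """Authenticate the reference itself, then read the permission from it.

    Returns the object name on success, None otherwise. No identity is consulted.
    """
    try:
        obj, rights, tag = capability.rsplit("|", 2)
    except ValueError:
        return None
    expected = hmac.new(SERVICE_KEY, f"{obj}|{rights}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # is the capability authentic?
        return None
    return obj if right in rights.split(",") else None
```

Whoever holds the string returned by `mint_capability` can use it, so delegation is just passing it on; the ACL path instead requires a policy change naming the new identity.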


