[cap-talk] Architectural Choices for Security: terminology

Jed Donnelley capability at webstart.com
Sun Nov 18 05:49:34 EST 2007


At 08:56 PM 11/17/2007, Karp, Alan H wrote:
>Bill Frantz wrote:
> >
> > Well, RBAC is identity centric because first you identify
> > the user and
> > then determine which role(s) s/he can take on.  BTSOOM what PBAC is?
> >
>Then capabilities are identity centric because first you identify the
>users, then you decide which capabilities they get.  That's clearly
>wrong.
>
>The key distinction is when the identity is used.  In IBAC, it's used at
>request time.  In RBAC, it's used at role assignment time, but not at
>request time.

In that case I assume the role of the requester is known to the server?

>In PBAC, the user's identity is used to know what
>attributes to assign to the user.  These attributes are used by a policy
>engine to make the access decision.

Then again I assume the attributes are associated with the requesting
process/active object?  When a user initializes a process doesn't it
automatically get the user's role or attributes?

>All three of these are based on
>authentication - of identity, role, or attributes - because the
>authenticated information is used to look up ambient authorities.

When a person starts to interact with a system, of course there
must be some authentication for that person.  As you
point out, in a capability system some power process is given
the user's capabilities by the login mechanism and access control
is done by capability after that.

It seems to me that another distinction that is rolling around
in here is the ability or non-ability to delegate.  For me that
is the fundamental aspect of a "capability" system.  In my
Managing Domains paper:

http://www.webstart.com/jed/papers/Managing-Domains/#s10

I describe a mechanism that uses an access control list
for delegating permissions (process addresses are on the
ACLs and if one process is on the ACL it is allowed to
add other processes onto the ACL).  Even in that case I
consider it a "capability" system since the fundamental
property of being able to delegate permissions where you
can communicate remains.  I imagine the confinement
aspects of that ACL-based mechanism are lacking, though
I'm sure it could be augmented.

For me the functional property that defines a "capability"
system is that ability to delegate where you can
communicate, not any implementation property.

What is it about "Authorization Based Access Control"
that you consider definitive Alan?  Would you consider
the ACL sort of mechanism described in the Managing Domains
paper ABAC or IBAC or what?

--Jed  http://www.webstart.com/jed-signature.html 
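A toy model of the delegating-ACL mechanism described above, added here as an illustration and not code from the Managing Domains paper or the thread. The `Resource`/`AccessDenied` names and the `proc:A` style process addresses are assumptions; the model shows the two properties the post singles out: the ACL is consulted at request time, and any process already on the ACL can add others it can talk to, so authority spreads transitively with nothing in the mechanism confining it.

```python
"""Delegating ACL: process addresses on the list, and a listed process
may add further processes.  Names here are hypothetical, chosen for
the example; only the delegation rule from the post is modelled."""
from typing import Dict, List, Set, Tuple


class AccessDenied(Exception):
    pass


class Resource:
    """A server-side object whose ACL holds process addresses, not users."""

    def __init__(self, name: str, owner: str) -> None:
        self.name = name
        self.acl: Set[str] = {owner}                 # processes allowed access
        self.log: List[Tuple[str, str, str]] = []    # (actor, action, target)

    def use(self, caller: str) -> str:
        # Request-time decision: the ACL is checked on every call.
        if caller not in self.acl:
            raise AccessDenied(f"{caller} is not on the ACL of {self.name}")
        self.log.append((caller, "use", self.name))
        return f"{self.name} used by {caller}"

    def delegate(self, caller: str, grantee: str) -> None:
        # Delegation needs no owner or administrator: being on the ACL is
        # enough to add another process.  This is the capability-like part.
        if caller not in self.acl:
            raise AccessDenied(f"{caller} may not delegate {self.name}")
        self.acl.add(grantee)
        self.log.append((caller, "delegate", grantee))


def delegation_chain(res: Resource) -> Dict[str, str]:
    """Map each grantee to the process that added it, from the audit log.
    A defender can reconstruct the chain afterwards, but the mechanism
    itself never limits how far it grows (the confinement gap)."""
    return {tgt: actor for actor, action, tgt in res.log if action == "delegate"}


def demo() -> Dict[str, str]:
    r = Resource("printer", owner="proc:A")
    r.delegate("proc:A", "proc:B")     # A is on the ACL, so this succeeds
    r.delegate("proc:B", "proc:C")     # B re-delegates; A is not consulted
    try:
        r.delegate("proc:Z", "proc:Y") # Z is not on the ACL: refused
    except AccessDenied:
        pass
    r.use("proc:C")                    # C now has the same access as A
    return delegation_chain(r)
```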
