[cap-talk] Architectural Choices for Security: terminology

Jed Donnelley capability at webstart.com
Mon Nov 19 02:59:07 EST 2007


At 04:11 PM 11/18/2007, Karp, Alan H wrote:
>Jed wrote:
>...
> > Then again I assume the attributes are associated with the requesting
> > process/active object?  When a user initializes a process doesn't it
> > automatically get the user's role or attributes?
> >
>Yes and yes.  Although there is no reason it must be so,

Hmmm.  I think there is a serious reason.  If when a process is
initiated it doesn't get the user's role or attributes, then
what role or attributes does it get?  Determining what role
or attributes to give to processes if not those of the user
seems to me would be a non-trivial technical problem, much
like initializing a process in a capability system but even
more complex.

>every PBAC
>system I've seen has every process run with the attributes of the user
>who started it.

This fits with the "the program is the user" Unix (and inherited
by all other market leading systems) philosophy.  This is the
philosophy that is the most broken part of the way computer
security works these days in my opinion.  To me adding roles
or attributes doesn't help much with the basic problem.  I
doubt it will be too difficult to get some agreement on this
list...

> > For me the functional property that defines a "capability"
> > system is that ability to delegate where you can
> > communicate, not any implementation property.
> >
>To me the fundamental property of a capability is the combination of
>designation with authorization, but I like delegation a lot.

Hmmm.  When I said the ability to 'delegate', I meant the
ability to delegate authorization (well, permission,
but I think that is a fine point?).  What did you think
I meant by delegation?  I.e. what did you think I was
delegating if not a permission (authorization = the
closure of permissions available through the initial
permission)?

>In fact,
>the ability to be delegated is a key property of an authorization, even
>when it doesn't combine designation with authorization.

I think we are mincing fine nuances.  If there's something
more major here, please jump on me.

> > What is it about "Authorization Based Access Control"
> > that you consider definitive Alan?  Would you consider
> > the ACL sort of mechanism described in the Managing Domains
> > paper ABAC or IBAC or what?
>
>The definitive characteristic of ABAC is that the authorization decision
>is made before the request.

I don't see how the above characterization helps me to determine
whether an access control mechanism is ABAC or not.  It seems
to me that you can argue that all authorization decisions
are made before the request.  E.g. in Unix a chmod is an
access 'decision', isn't it?  Perhaps I need to better understand
what you mean by an "access decision".

>All the authentication methods make the
>authorization decision at request time.

You lost me with the above.

--Jed  http://www.webstart.com/jed-signature.html 
