[cap-talk] CapDesk demo, capability demos in general
Karp, Alan H
alan.karp at hp.com
Mon Oct 8 00:23:05 EDT 2007
James A. Donald wrote:
> If the trusted software is trusted not to pass
> the key around, no problem - the key reliably identifies
> the software. Yet a key is *not* an ID because it *can*
> be passed around.
If the software is not trusted not to pass the key around, you can't
trust it not to pass around its ID. That's a big problem. Given the
choice of failing because it can't delegate one right or delegating its
ID with all its rights, the software will pass its ID. If you can
somehow prevent it from doing that, it can still proxy requests.
> I
> don't think they scale over networks where many people
> whose interests may conflict have control over different
> parts of the network
I've done a fair bit of work in this area. In fact, it's identities
that don't scale over networks where interests are in conflict. You can
see that in the failures of the various attempts to use Federated
Identity Management in Services Oriented Architecture implementations.
I recommend you look at the Liberty Alliance session from last year's
RSA Conference to see the kludges people are introducing in a vain
attempt to make identification work for access control. We describe
these issues and capability-like solutions in
http://www.hpl.hp.com/techreports/2006/HPL-2006-3.html and
http://www.hpl.hp.com/techreports/2007/HPL-2007-105.html.
On the other hand, e-speak was a capability-like system that was used by
several companies, two of which certainly fit the situation you
describe. One of the businesses used 40 PCs to service 10 companies,
some 4,000 users, and over 10,000,000 resources. (I was not part of
E-speak Operation at the time, so these figures are second-hand
information.) Those numbers, while not large, demonstrate an
interesting degree of scalability. HP exited the middleware business
some two years later and shut down all its middleware businesses,
including e-speak.
The essential principle that was at the core of the e-speak security
model was "Don't rely on somebody else to protect your stuff." In other
words, you can rely on your hardware and OS, but not on anybody else's.
That recognizes that once you give out a right, you have no control over
how it is used until you revoke it. No matter how much you might wish
you could do more, you can't in an open networked environment.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
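An added illustration of the argument in the message above (this is not code from the original post, from e-speak, or from CapDesk): a toy model in Python of a server that authorizes by caller identity beside one that authorizes by capability. It shows the two choices Alan describes for identity-based systems (hand over the key and with it every right, or keep the key and proxy the requests, which the server cannot distinguish from the owner's own use) and the capability alternative, where a single right is handed over and can later be withdrawn by the resource owner. The class names, the principals Alice and Bob, and the file1/file2 grants are assumptions constructed for the example.

```python
"""
Toy model of the two access-control styles discussed in the message:
a server that authorizes by WHO the caller is (bearer key -> principal -> ACL)
and one that authorizes by WHAT the caller holds (unforgeable token naming one
resource and one right). Hypothetical illustration; not e-speak or CapDesk code.
"""
import secrets


class IdentityServer:
    """Authorizes by identity: look up the principal behind the key, then the ACL."""

    def __init__(self):
        self.keys = {}   # bearer identity key -> principal name
        self.acl = {}    # (principal, resource) -> set of rights

    def register(self, principal, grants):
        """Issue an identity key; grants maps resource -> iterable of rights."""
        key = secrets.token_hex(16)
        self.keys[key] = principal
        for resource, rights in grants.items():
            self.acl[(principal, resource)] = set(rights)
        return key

    def access(self, key, resource, right):
        principal = self.keys.get(key)
        return principal is not None and right in self.acl.get((principal, resource), ())


class CapabilityServer:
    """Authorizes by possession: the token itself names (resource, right)."""

    def __init__(self):
        self.caps = {}   # token -> (resource, right); deleting the entry revokes it

    def mint(self, resource, right):
        token = secrets.token_hex(16)
        self.caps[token] = (resource, right)
        return token

    def access(self, token, resource, right):
        return self.caps.get(token) == (resource, right)

    def revoke(self, token):
        self.caps.pop(token, None)


# Constructed sample grants: Alice may read and write file1 and read file2.
RESOURCES = {"file1": ["read", "write"], "file2": ["read"]}


def identity_share_key():
    """Alice wants Bob to read file1 only. The only thing she can hand over is
    her identity key, so Bob receives every right Alice has."""
    srv = IdentityServer()
    alice_key = srv.register("alice", RESOURCES)
    bob_key = alice_key                      # the delegation is the whole identity
    return {
        "bob_read_file1": srv.access(bob_key, "file1", "read"),
        "bob_write_file1": srv.access(bob_key, "file1", "write"),
        "bob_read_file2": srv.access(bob_key, "file2", "read"),
    }


def identity_proxy():
    """Suppose the key cannot leave Alice's process. Alice simply forwards Bob's
    requests under her own key; the server sees only Alice, so it can neither
    tell Bob's use from hers nor limit it to one right."""
    srv = IdentityServer()
    alice_key = srv.register("alice", RESOURCES)

    def alice_proxy(resource, right):        # Bob calls this instead of the server
        return srv.access(alice_key, resource, right)

    return {
        "bob_read_file1": alice_proxy("file1", "read"),
        "bob_write_file1": alice_proxy("file1", "write"),   # nothing stops this either
        "server_sees_principal": "alice",
    }


def capability_delegate():
    """With capabilities Alice hands Bob exactly one token. Bob can read file1
    and nothing else, cannot forge a token, and loses the right when the owner
    revokes that token while Alice's other tokens keep working. (Alice shared
    her own read token here, so revoking it cuts her off too; a revocable
    forwarder in front of the token would separate the two holders.)"""
    srv = CapabilityServer()
    alice = {(res, right): srv.mint(res, right)
             for res, rights in RESOURCES.items() for right in rights}
    bob_token = alice[("file1", "read")]
    before = {
        "bob_read_file1": srv.access(bob_token, "file1", "read"),
        "bob_write_file1": srv.access(bob_token, "file1", "write"),
        "bob_read_file2": srv.access(bob_token, "file2", "read"),
        "bob_forged": srv.access("0" * 32, "file1", "read"),
    }
    srv.revoke(bob_token)                    # the owner withdraws the delegated right
    after = {
        "bob_read_file1": srv.access(bob_token, "file1", "read"),
        "alice_write_file1": srv.access(alice[("file1", "write")], "file1", "write"),
    }
    return before, after


if __name__ == "__main__":
    print("share key :", identity_share_key())
    print("proxy     :", identity_proxy())
    print("capability:", capability_delegate())
```

The point the model makes is the one in the message: when the server authorizes by identity, the holder's only delegation choices are to leak the whole identity or to proxy, and proxying defeats any attempt to pin the key to one process. When the server authorizes by the token it issued, the owner is relying only on its own enforcement, and the only control it retains over a right once delegated is to revoke it.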