[cap-talk] Ben Laurie's Motivating Example

Ben Laurie benl at google.com
Wed Sep 26 03:56:39 EDT 2007


On 8/16/07, Jed Donnelley <JEDonnelley at lbl.gov> wrote:
> ----- Original Message -----
> From: Ben Laurie <benl at google.com>
> Date: Wednesday, August 15, 2007 9:37 am
> Subject: Re: [cap-talk] Ben Laurie's Motivating Example
> To: jed at nersc.gov, "General discussions concerning capability systems." <cap-talk at mail.eros-os.org>
>
> > On 8/15/07, Jed Donnelley <JEDonnelley at lbl.gov> wrote:
> > > ----- Original Message -----
> > > From: Toby Murray <toby.murray at comlab.ox.ac.uk>
> > > Date: Wednesday, August 15, 2007 3:55 am
> > > Subject: [cap-talk] Ben Laurie's Motivating Example
> > > To: cap-talk at mail.eros-os.org
> > >
> > > > Ben Laurie has recently posted an interesting "motivating
> > > > example" (although motivating what we're yet to find out) on
> > > > his blog.
> > > > It's an interesting "challenge problem" for security and access
> > > > control in particular.
> > > > http://feeds.feedburner.com/~r/links/ZvUZ/~3/144078467/
> > > ...
> > >
> > > > It's one of those examples that appears to scream "capabilities"
> > > > straight away; whose current reliance on IBAC is the source of the
> > > > challenge problem, not its solution.
> > > >
> > > > However, trying to come up with a way in which a solution could be
> > > > implemented is nonetheless not immediately obvious. For anyone
> > > > who's interested, it'd be great to get some discussion going on
> > > > this one.
> > > >
> > > > Cheers
> > > >
> > > > Toby
> > >
> > > I agree that this example 'screams' capabilities - and it points
> > > to the exact problem that the "CapDoc" mechanism is intended to solve.
> > > Since 'CapDoc' is really just wideword and/or Tyler's Web
> > > Calculus/YURL (name?) mechanism with some additional
> > > facilities like 'deep attenuation' and Horton added, please
> > > imagine that structure.
> > >
> > > To solve Ben Laurie's problem imagine that both Facebook and
> > > Flickr make their services available with CapDoc capabilities.
> > > However, in this case a statement like:
> > >
> > > 'I have told Facebook that his Facebook account is allowed to
> > > see my "friends only" pictures.'
> > >
> > > seems an unwise and unnecessarily broad sharing of
> > > authority.  Does the above suggest that Facebook and
> > > Flickr know about each others accounts and are somehow
> > > able to enforce each others exported rights?
> >
> > You are entitled to wiggle the details around as you please, so long
> > as the abstract problem is solved :-)
> >
> > >
> > > With the CapDoc approach of course either Facebook or
> > > Flickr can include the other services as capabilities in their
> > > exported objects.  No "accounts" are needed except
> > > perhaps for responsibility tracking and identity based
> > > access control - as Horton supports.
> > >
> > > To me this example seems simple with CapDoc.  If
> > > others see a problem then I'll certainly work to explain
> > > how it works in 'CapDoc' as this seems exactly the sort
> > > of thing CapDoc is intended to support.
> >
> > Please explain how this solution preserves my privacy.
>
> Certainly - as I understand it of course.
>
> My assumptions are that "Facebook" provides documents
> along the lines of Wideword that can include text and ocaps
> to other objects such as the Flickr pictures' pages or other
> Facebook pages.  I assume that both Facebook and Flickr support
> Horton and that Facebook supports the 'deep attenuation'
> property for pulling capabilities (e.g. wideword/YURL links)
> out of its documents.
>
> <note that for the duration of this message I use the
> terms "link", "capability", and "ocap" interchangeably>
>
> Finally I assume that I have a rather simple Horton
> delegating 'email' system that allows me to send messages
> to others and have the capabilities that I send as links
> in those messages undergo a Horton delegation transformation
> during the send.
>
> Now I create my facebook main page for myself.  Here is
> a read-only ocap to this top level page that for the purposes
> of this exposition you can assume that I have sent to
> you, my good friends, through a Horton transforming
> email:
>
> https://wideword.net/doc/Yat4z%2BeeCg%2FvAeYx1PR2BQ%3D%3D
>
> To follow through with this example you of course have
> to use your imagination a bit because wideword doesn't
> support Horton or deep attenuation.  Imagine that
> I sent a message to each of you (my friends) that contained
> a capability like the above that was transformed via
> Horton into such a capability that granted read-only
> access to my top level personal "Facebook" page.
> Further suppose that the capability that I sent to
> you was read-only and deeply attenuated so that
> all capabilities derived from it were read-only.
>
> Take the above link to look at the content.  If I've
> worked wideword correctly, the above link should
> actually be read-only and the sub link (capability)
> should also be read-only - though this is true
> even in my page because wideword doesn't
> in fact support deep attenuation.
>
> Also, the capability (link) that you receive is
> the same read-only one that I sent, not a
> Horton transformed one indicating that it
> has been delegated to you individually.
> This is another place where imagination is
> needed.
>
> If you look at the above page you will see inside
> that document a capability to my public page.
> In my copy of my personal page that link is
> of course read-write, but by attenuation of
> the read-only copy of the capability that I give
> to you, you only get read-only access to it
> (again by imagination).
>
> Also in the top level "friends-only" page you
> will find a link to some personal content.  Imagine
> that to be another Facebook page containing
> links to Flickr pictures - again attenuated
> to read-only.
>
> At this point if you are imagining as I am (namely
> that all my initial assumptions are correct), each
> of you has access to my friends-only personal
> page and you can look into it and pull out content
> such as the "pictures" - that you can assume to be
> another Facebook page with capabilities to
> Flickr pictures.  You can pull out the pictures,
> but others cannot.  Any pictures that are so
> pulled out I can see logs for the fetching
> (as a delegation) and as they are accessed.
>
> Note that I can interrogate each of my Facebook
> pages or my Flickr pictures to determine who
> those documents/pictures have been delegated
> to.  I of course also get a log of accesses to
> these objects by delegate, including the
> delegation trail.
>
> If at any point I feel that the access to this
> personal content is being abused by any
> of you, I can revoke your access individually.
>
> To me this provides quite effective privacy.
> Certainly far more than I have for anything
> else that can be so combined on the Web
> today.
>
> If you have concerns or issues with such a
> mechanism, please share them with the list
> and we can work through them.
>
> <note - it appears that wideword has
> gone in a somewhat different direction
> that I didn't take time to understand.  I
> beg your indulgence in ignoring these
> new features and imagining it instead
> extended as I suggest above>
>
> <also note - this is my last night in New
> York City, and I don't know if I will have
> Internet access between tomorrow and
> next Saturday or Sunday.  Sorry about
> that.  Of course if I do (hopefully) I will
> respond promptly to any postings of
> concerns>
>
> Thanks for taking time to work through
> this example of "CapDoc"!

OK, so I've taken forever to respond to this. Sorry.

So, nice to see Horton worked into this, though explaining it to an
audience not immersed in caps might take some effort.

Anyway, you have dealt with the mechanics of getting the right
capabilities into everyone's hands, but without, it seems to me,
addressing the core problems, which are:

a) How does Flickr/Facebook know where to send these capabilities?

b) Once they do know, didn't I just reveal all the linkages between my accounts?

>
> --JED  http://www.nersc.gov/~jed/
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
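The mechanism Jed walks through above (a read-only capability that is deeply attenuated so every link pulled out of the page is also read-only, a Horton-style delegation that hands each friend a distinct capability carrying its delegation trail, per-delegate access logs, and individual revocation) can be modelled in a few dozen lines. The following is an added example written for this archive page; it is not code from the thread, from Wideword, or from any Horton implementation, and the `Doc`/`Cap` names, the `("jed", "alice")` trail encoding and the three-document graph are constructed assumptions.

```python
"""Toy model of the CapDoc/Horton mechanism described in the thread.
Constructed example: Doc/Cap and the document graph are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

READ, WRITE = "read", "write"


class Revoked(Exception):
    pass


class NotPermitted(Exception):
    pass


@dataclass
class Doc:
    name: str
    text: str
    links: Dict[str, "Cap"] = field(default_factory=dict)    # owner's full-rights caps to sub-documents
    delegations: List["Cap"] = field(default_factory=list)   # every cap handed out: audit and revocation
    access_log: List[Tuple[str, Tuple[str, ...]]] = field(default_factory=list)


class Cap:
    """An unforgeable reference to a Doc with a fixed set of rights."""

    def __init__(self, doc: Doc, rights, trail, parent: Optional["Cap"] = None):
        self.doc = doc
        self.rights: FrozenSet[str] = frozenset(rights)
        self.trail: Tuple[str, ...] = tuple(trail)   # Horton-style delegation chain, e.g. ("jed", "alice")
        self.parent = parent                         # the cap this one was derived from
        self._revoked = False

    def is_revoked(self) -> bool:
        # Revocation of any ancestor kills every cap derived from it.
        cap = self
        while cap is not None:
            if cap._revoked:
                return True
            cap = cap.parent
        return False

    def _use(self, right: str) -> None:
        if self.is_revoked():
            raise Revoked(self.doc.name)
        if right not in self.rights:
            raise NotPermitted(f"{right} on {self.doc.name} via {self.trail}")
        self.doc.access_log.append((right, self.trail))   # owner sees who, via whom

    def read(self):
        """Return the text plus the linked caps, deeply attenuated to this cap's rights."""
        self._use(READ)
        sub = {}
        for name, link in self.doc.links.items():
            child = Cap(link.doc, link.rights & self.rights, self.trail, parent=self)
            link.doc.delegations.append(child)   # pulling a cap out is visible to that doc's owner
            sub[name] = child
        return self.doc.text, sub

    def write(self, text: str) -> None:
        self._use(WRITE)
        self.doc.text = text

    def attenuate(self, rights) -> "Cap":
        return Cap(self.doc, self.rights & frozenset(rights), self.trail, parent=self)

    def delegate(self, recipient: str) -> "Cap":
        """Horton transform: a fresh cap that names the recipient in its trail."""
        if self.is_revoked():
            raise Revoked(self.doc.name)
        child = Cap(self.doc, self.rights, self.trail + (recipient,), parent=self)
        self.doc.delegations.append(child)
        return child

    def revoke(self) -> None:
        self._revoked = True


def build_scenario():
    """Constructed graph: friends-only page -> pictures page -> one Flickr photo."""
    photo = Doc("flickr-photo", "photo-bytes")
    pictures = Doc("facebook-pictures", "my pictures")
    main = Doc("facebook-main", "friends-only page")
    pictures.links["photo1"] = Cap(photo, {READ, WRITE}, ("jed",))
    main.links["pictures"] = Cap(pictures, {READ, WRITE}, ("jed",))
    return main, pictures, photo, Cap(main, {READ, WRITE}, ("jed",))


def run_example() -> dict:
    main, pictures, photo, owner = build_scenario()
    friends_view = owner.attenuate({READ})       # read-only, and deeply so
    alice = friends_view.delegate("alice")
    bob = friends_view.delegate("bob")

    _, top = alice.read()                        # alice walks main -> pictures -> photo
    _, pics = top["pictures"].read()
    photo_text, _ = pics["photo1"].read()
    try:
        pics["photo1"].write("defaced")          # attenuation blocks this
        write_blocked = False
    except NotPermitted:
        write_blocked = True

    bob.revoke()                                 # owner drops bob alone; alice unaffected
    try:
        bob.read()
        bob_blocked = False
    except Revoked:
        bob_blocked = True

    return {
        "photo": photo_text,
        "write_blocked": write_blocked,
        "photo_delegates": [c.trail for c in photo.delegations],
        "photo_log": photo.access_log,
        "bob_blocked": bob_blocked,
        "alice_ok": alice.read()[0] == main.text,
    }
```

The model deliberately does not answer Ben's two questions: it assumes the owner already knows which trail names which friend and that the friend already holds the delegated cap. What it does show is that deep attenuation is a property of the reading cap, not of the document, so a read-only friend can never pull a stronger link out of a page, and that revocation along the parent chain cuts off one delegate without touching the others.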
