[cap-talk] password capabilities & object capability model?
Rob Meijer
capibara at xs4all.nl
Mon Aug 25 04:14:00 CDT 2008
On Thu, August 21, 2008 19:07, David-Sarah Hopwood wrote:
> Mark Miller wrote:
>> On Thu, Aug 21, 2008 at 4:35 AM, Toby Murray
>> <toby.murray at comlab.ox.ac.uk>wrote:
>>
>>> Cryptocap suggests cryptography, no? which is not an essential feature.
>>
>> I consider an unguessable swiss number to be a simple form of crypto --
>> perhaps the simplest form.
>
> Only for a very broad definition of cryptography. It's certainly liable to
> be misinterpreted as implying "heavier" crypto than that.
>
Agreed,
As I only use hashing with a secret for creation of the swiss numbers, I
would feel cryptocap would be a bit of a stretch.
I now am using the following piece of text in my article using 'sparse' and
'unprotected' versus 'object' and 'protected':
-------------------------------------------------------------------------
Where objects in OO languages can pass by reference, most IPC on Linux
does not allow passing by reference between processes. One insightful
exception to this that early UNIX engineers made was creating the
possibility of passing file handles over UNIX sockets. You could say that
file handles used like this are fully pass by reference. In capability
systems such a reference is called a protected or an object capability.
Unfortunately, although there are file handles for directories, file handle
type references are currently only void of unneeded authority when used
for accessing files, not directories. This means that currently directory
file handles cannot be used as protected capabilities. To overcome this
problem there is a concept from capability system history that is quite
useful. This concept is to use a sparse key string as representation of
the reference. That is, we create a relatively long, sparse and unguessable
string that, just like a file handle, both designates a resource and
authorizes access to the resource. This string is called a sparse
capability or unprotected capability, and although this type of capability
is in some ways inferior to the protected type, of which the UNIX file
handle is an example, when combined with protection by AppArmor it still
has many properties that make its usage roughly equivalent to the usage
of references in object oriented languages.
-------------------------------------------------------------------------
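A minimal sketch of the sparse capability idea in the draft text above, added as an example and not taken from the post or from the author's software: an unguessable string made by hashing with a secret both designates a resource and authorizes access to it. The class name `SparseCapTable`, the sample path and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class SparseCapTable:
    """Maps unguessable strings to resources; holding the string is the authority."""

    def __init__(self, secret: bytes):
        self._secret = secret   # known only to the service that mints capabilities
        self._by_cap = {}       # capability string -> resource it designates

    def mint(self, resource: str) -> str:
        # Keyed hash (assumed here: HMAC-SHA256). Without the secret, the
        # 256-bit result cannot be computed from the resource name alone.
        cap = hmac.new(self._secret, resource.encode(), hashlib.sha256).hexdigest()
        self._by_cap[cap] = resource
        return cap

    def resolve(self, presented: str):
        # No caller identity and no ACL: the string alone designates the
        # resource and authorizes access. Unknown strings resolve to None.
        return self._by_cap.get(presented)


def demo():
    table = SparseCapTable(secrets.token_bytes(32))
    path = "/srv/data/alice/project"          # constructed sample resource
    cap = table.mint(path)

    # The holder of the string reaches the resource.
    holder_ok = table.resolve(cap) == path

    # Someone who knows the resource name but not the secret can only try an
    # unkeyed hash of the name, which does not match any minted string.
    guess = hashlib.sha256(path.encode()).hexdigest()
    guess_rejected = table.resolve(guess) is None
    return holder_ok, guess_rejected


if __name__ == "__main__":
    print(demo())
```

Unlike a file handle passed over a UNIX socket, this string can be copied by anyone who sees it, which is the sense in which the draft calls it unprotected.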