[cap-talk] Loss of control
Jed Donnelley
jed at nersc.gov
Fri Feb 1 15:31:00 EST 2008
On 2/1/2008 6:52 AM, Mark Miller wrote:
> On Feb 1, 2008 2:25 AM, Jed Donnelley <capability at webstart.com> wrote:
>> At 04:20 PM 1/31/2008, David Hopwood wrote:
>>> "A pure capability system includes the ability for elephants to pass the
>>> capability to other elephants...
>> Actually the above statement ("includes the ability"),
>> which is simply the assertion of support for the Granovetter
>> diagram, seems to me a pretty straightforward statement
>> that applies to all capability systems.
>
> No it does not. If it did, capabilities could not support confinement.
> A pure object capability system allows Alice the elephant to pass a
> capability she has to any other elephants that Alice has access to. If
> Alice has no access to Bob the elephant, Alice cannot pass a
> capability to Bob. That is one of the points made by the Granovetter
> diagram.
The addition that is needed for further clarity is:
"A pure capability system includes the ability for elephants to pass the
capability to other elephants <with whom they can communicate>..."
and again one could add "via an enabling capability".
However, both these clarifications are understood. None of
the critics who feel that capabilities result in loss
of control are concerned about capabilities being communicated
where data communication is blocked. Even with the
understanding that capabilities can only be communicated
where data can be communicated and then only when enabled
by an existing capability - the concerns about loss of
control are the same.
The people who are concerned about this "loss of control"
do not want delegations (certainly persistent ones)
to happen without being constrained by their
access control policies. (Of course I understand the
issues about communicating conspirators. I'm sure
some may find it amusing seeing me flip to the other
side of this discussion.) They want to maintain
control even when it seems they really have no
control (e.g. to proxies) except in the sense of
what Alan refers to as Voluntary Oblivious Compliance.
I believe we can get the best of both worlds with
something like Horton. Through Horton tunnels we
can provide access control policy support and a
management mechanism that:
1. Works through Voluntary Oblivious Compliance
when there are other communication channels available
that aren't forced through the Policy Decision Point,
and
2. Provides Mandatory Access Control when
communication is limited (confined) to just
policy supporting tunnels.
and provides control for policies along with
the needed logging, auditing, and user
interfaces for management - both for "ordinary"
users and for administrative users.
How this will work in practice, at this point
of course I don't know. However, I'm quite
attracted to the design as I imagine others
can tell. Naturally I'm interested in testing
this architecture against any and all criticism.
--Jed http://www.webstart.com/jed/
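The three situations contrasted in the post (delegation blocked by lack of any reference to the recipient, mandatory control when every use goes through a policy-supporting tunnel, and Voluntary Oblivious Compliance when an ordinary data channel exists beside the tunnel) as an added toy model in JavaScript. This is not code from the post, from E, or from Horton: a capability is modelled as a plain object reference, `makeTunnel` stands in for the Policy Decision Point with audit logging, and the way a tunnel learns which principal is calling is a deliberate simplification of what Horton actually provides.

```javascript
// Added toy model (not code from the post, from E, or from Horton).
// A capability is simply a JavaScript object reference; nothing else.

// A resource. Holding a reference to it is the capability to read it.
function makeFile(name, contents) {
  return Object.freeze({ name, read: () => contents });
}

// A "policy-supporting tunnel" standing in for the post's Policy Decision Point:
// every use names a principal, is checked against `policy`, and is audited.
// (Assumed interface; Horton's real mechanism for identifying principals differs.)
function makeTunnel(resource, policy, auditLog) {
  return Object.freeze({
    name: resource.name,
    read(principal) {
      const allowed = policy(principal, 'read');
      auditLog.push({ principal, action: 'read', resource: resource.name, allowed });
      if (!allowed) throw new Error(`policy denied ${principal}: read ${resource.name}`);
      return resource.read();
    },
  });
}

// An elephant holds capabilities and can message only peers it has a reference to.
function makeElephant(name) {
  const held = new Map();   // label -> capability
  const peers = new Map();  // peer name -> peer elephant
  const inbox = [];         // plain data received over ordinary channels
  return Object.freeze({
    name,
    grant(label, cap) { held.set(label, cap); },
    connect(peer) { peers.set(peer.name, peer); },
    deliver(message) { inbox.push(message); },
    messages() { return inbox.slice(); },
    // Exercise a capability, presenting this elephant's name as the principal
    // (plain files ignore the argument; tunnels check it).
    read(label) {
      const cap = held.get(label);
      if (!cap) throw new Error(`${name} holds no capability '${label}'`);
      return cap.read(name);
    },
    // Granovetter step: delegation needs a reference to BOTH the capability and
    // the recipient. With no channel to the recipient it simply cannot happen.
    delegate(label, peerName) {
      const cap = held.get(label);
      const peer = peers.get(peerName);
      if (!cap || !peer) return false;
      peer.grant(label, cap);
      return true;
    },
    // Ordinary data channel, not mediated by any tunnel.
    send(peerName, message) {
      const peer = peers.get(peerName);
      if (!peer) return false;
      peer.deliver(message);
      return true;
    },
  });
}

// Walks through the three situations the post contrasts and returns what happened.
function runScenario() {
  const auditLog = [];
  const policy = (principal, action) => principal === 'alice' && action === 'read';
  const tunnel = makeTunnel(makeFile('payroll.txt', 'salaries'), policy, auditLog);

  const alice = makeElephant('alice');
  const bob = makeElephant('bob');
  alice.grant('payroll', tunnel);
  alice.connect(bob);            // alice can reach bob but holds no reference to carol

  // 1. Confinement: no reference to carol, so no delegation to carol is possible.
  const toCarol = alice.delegate('payroll', 'carol');

  // 2. Mandatory control: alice may pass the tunnel to bob, but the PDP denies bob.
  const toBob = alice.delegate('payroll', 'bob');
  let bobRead;
  try { bobRead = bob.read('payroll'); } catch (e) { bobRead = 'denied'; }

  // 3. Voluntary Oblivious Compliance: alice reads legitimately and forwards the
  //    data over her own channel to bob. The PDP records alice's read and nothing
  //    more; while an unmediated channel exists, the policy cannot be mandatory.
  alice.send('bob', alice.read('payroll'));

  return { toCarol, toBob, bobRead, bobMessages: bob.messages(), auditLog };
}

console.log(runScenario());
```

The audit log is what the post asks for on the management side: in situation 2 it shows bob's denied attempt, in situation 3 it shows only alice's permitted read, which is exactly the limit of what a policy point can see once a side channel exists.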