[cap-talk] A dabbler's take on security
Jonathan S. Shapiro
shap at eros-os.com
Thu Feb 7 10:37:54 EST 2008
On Thu, 2008-02-07 at 13:09 +0000, William Pearson wrote:
> On 06/02/2008, Jed Donnelley <jed at nersc.gov> wrote:
> > What does "non-distributal" mean in the above? Do you
> > mean non-delegatable?
>
> Kind of but more in the sense that every delegation would have to be
> proxied rather than in the sense that you expect that only giving it
> to one person means that no one else can use the resource.
William:
If by this you mean that you are introducing some notion of a revocation
domain, and that capabilities which cross a revocation domain boundary
must undergo some form of exchange protocol, I see no mechanical problem
here, but there are interesting issues concerning authority escalation
lurking in such a design (which Jed and I are discussing on another
thread). If this is what you have in mind, I share your view that it is
well worth exploring.
If you mean something morally equivalent to a "do not copy" bit, then I
have to say that the idea has been examined exhaustively by both the
literature and real implementations, the results have been a disaster
from complexity and information perspectives, and the proposed control
conveys exactly zero security benefit (because if I can be trusted not
to proxy, I can be trusted not to share). If this is what you have in
mind, my advice is: forget it.
shap
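As an added illustration of the two designs contrasted in the message above, here is a toy object-capability model (example code written for this page, not from the thread or from any system the participants discuss; the class names Resource, Capability and Caretaker are made up):

```python
# Added example, not from the cap-talk thread: a toy object-capability
# model of the two designs Shapiro contrasts.  (1) A "do not copy" bit on
# a capability adds no security, because any holder allowed to invoke it
# can hand out a forwarding proxy instead.  (2) A revocable forwarder
# ("caretaker") is the mechanical piece for delegating across a
# revocation-domain boundary: the delegator keeps the revoke handle.

class Resource:
    """The underlying object; its methods are the authority being conveyed."""
    def __init__(self):
        self.log = []
    def write(self, msg):
        self.log.append(msg)
        return len(self.log)

class Capability:
    """Direct reference to a resource, optionally flagged no_copy."""
    def __init__(self, target, no_copy=False):
        self._target = target
        self.no_copy = no_copy
    def invoke(self, method, *args):
        return getattr(self._target, method)(*args)
    def copy(self):
        # The "do not copy" control: refuse a second direct reference.
        if self.no_copy:
            raise PermissionError("capability is marked do-not-copy")
        return Capability(self._target)

class Caretaker:
    """Forwarding proxy with a revoke handle; holding it is holding the
    authority, whether or not the wrapped capability was copyable."""
    def __init__(self, cap):
        self._cap = cap
    def invoke(self, method, *args):
        if self._cap is None:
            raise PermissionError("delegated authority was revoked")
        return self._cap.invoke(method, *args)
    def revoke(self):
        self._cap = None  # cuts off every holder of this proxy at once

def delegate_despite_no_copy(cap):
    """copy() is refused, yet a proxy conveys the same authority.
    Returns (copy_refused, result_of_write_through_proxy)."""
    try:
        cap.copy()
        refused = False
    except PermissionError:
        refused = True
    return refused, Caretaker(cap).invoke("write", "hello via proxy")
```

The point of the first design is that the no_copy check is honoured and still changes nothing about who can exercise the authority; the second design gives the delegator something the bit never did, a single place to cut all downstream holders off.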