[cap-talk] Capabilities giving up control?

Toby Murray toby.murray at comlab.ox.ac.uk
Fri Jan 18 02:37:01 EST 2008


On Fri, 2008-01-18 at 05:01 +0000, David Hopwood wrote:
> Toby Murray wrote:
> > Jed, and others who believe that non-delegatable authorities can have no
> > use in security:
> > 
> > Why does your drivers' license have your photo on it?
> 
> Because a driver's license represents (primarily) the authority to prove
> that a named and photographed person can legally drive. If it were
> delegated, it would still be the authority to prove that *that* person
> can legally drive.
> 
> Suppose that a police officer stops my car while I am driving it. He's
> stood at the side of the road to avoid the traffic, so I pass my
> license to the front-seat passenger, who then passes it to the police
> officer.
> 
> A non-delegatable capability would be akin to a license that I can't
> let out of my hand for a second, even for the most trivial of delegations
> like this one (which is exactly analogous to passing a capability via
> some helper object that is trusted, but in a separate protection domain).
> 

Right. But a non-delegatable *authority* (particularly one implemented
as in the paper) could be delegatable for exactly this sort of purpose.
See the final section of the paper that discusses the implementation of
credentials using the basic NDA principle. These credentials are, in my
opinion, the precise incarnation of a drivers' license (or similar
real-world credential) within the object-cap model. Like a drivers'
license, they can be used to grant authority to only the individual
identified by them (or in the case of the object-cap model, only the
object they reference) and no one else.

The ubiquity of credentials-bound-to-an-identity in the real world
surely adds weight to the argument of the value of NDA-like credentials
in the object-cap model.

In both cases, the credential is a non-delegatable authority.

> > Why does your passport have your photo on it?
> 
> Same argument as the driving license.
> 

Sorry, I didn't mean to imply otherwise. I just wanted to cite two
examples that most people would agree we cannot dispense with in the
modern world.



