[cap-talk] Capabilities giving up control? (was: Re: A paper on web-keys)
Jed Donnelley
capability at webstart.com
Fri Jan 18 02:02:26 EST 2008
At 05:37 PM 1/17/2008, Toby Murray wrote:
>Jed, and others who believe that non-delegatable authorities can have no
>use in security:
>
>Why does your drivers' license have your photo on it?
>
>Why does your passport have your photo on it?
>
>These are authorities that are bound to your identity such that you
>cannot delegate them to anyone else in a useful manner. You can hand
>your passport to someone else but they cannot usefully use it. Likewise
>with your drivers' license.
I agree that we use the term "authorize" for being granted the
privilege of driving or traveling. This is why I've been troubled
with this term. I think it is really something a bit different
than what we are discussing in computer systems and even in some
cases with human social systems.
I'm not sure quite what to call this other thing. Perhaps
"access" in reference to the phrase "access control"?
Let's take the driving example. Compare having a driver's
license with having a key to a car and access to same.
In the first case I am authorized to drive a car.
In the second case I have access to a particular car
that I can actually begin to drive.
One conveys legal, what, "responsibility"? I agree that
we use the term "authority" and I don't object to that
for the human social contract/construct.
Still, in the computer analog - and I think there are plenty
of social analogs - there is a situation where one is
unable to take an action without having something that will
allow it. A key is a good example, so is a password
or card/pin. Being on an ACL qualifies. If I'm on
the ACL I can take the action, if not then not. Of
course in this case I think we assume that I'm also
authorized if I'm on the ACL and not if not, though that
is of course not necessarily so.
The card/pin case is one that in some ways combines both
and might help separate the notions. If somebody steals
my card/pin, they have the one thing ("access"?) to
my account, but they don't have the other, they aren't
"authorized" to access it.
I really think the sense in which we have been using
"authority" on this list (sorry MarkM) is an entirely
different concept. Namely the closure of what sort
of access can be obtained by using all available
permissions. Sadly, I don't think this fits very
well with the human social notion of "authorize",
e.g. (from:
http://www.thefreedictionary.com/authorize ):
1. To grant authority or power to.
2. To give permission for; sanction:
the city agency that authorizes
construction projects.
3. To be sufficient grounds for; justify.
or authority:
1. a. The power to enforce laws, exact obedience,
command, determine, or judge.
b. One that is invested with this power, especially
a government or body of government officials:
land titles issued by the civil authority.
2. Power assigned to another; authorization:
Deputies were given authority to make arrests.
3. A public agency or corporation with administrative
powers in a specified field: a city transit authority.
4. a. An accepted source of expert information or advice:
a noted authority on birds; a reference book often
cited as an authority.
b. A quotation or citation from such a source:
biblical authorities for a moral argument.
5. Justification; grounds: On what authority do you
make such a claim?
6. A conclusive statement or decision that may be taken
as a guide or precedent.
7. Power to influence or persuade resulting from knowledge
or experience: political observers who acquire authority
with age.
8. Confidence derived from experience or practice; firm
self-assurance: played the sonata with authority.
compare and contrast with the definition of "access":
1. A means of approaching, entering, exiting, communicating
with, or making use of: a store with easy access.
2. The act of approaching.
3. The ability or right to approach, enter, exit,
communicate with, or make use of: has access to
the restricted area; has access to classified material.
4. Public access.
5. An increase by addition.
6. An outburst or onset: an access of rage.
tr.v. ac·cessed, ac·cess·ing, ac·cess·es
To obtain access to, especially by computer: used a
browser to access a website; accessed her bank account
online.
To me the definition for "access", especially #1, is
the closest to the computer analog that I'm looking
for. I don't think any of the definitions of
"authority" fit for me. For others?
>There is good reason for this. Your passport and drivers' license are,
>in one sense, statements about you, not anyone else. Hence, they
>shouldn't be usable by other people. But these statements about you
>naturally grant you authority -- authority to drive a car legally or the
>authority to leave the country. On a more fundamental level, they grant
>the authority for the individual pictured to be identified as you. These
>are all non-delegatable authorities by virtue of the included photo and
>the infeasibility of impersonating your face.
I agree. Let me follow up on the above a bit with the
driver's license example. In some cases a driver's license
is used for what I'm trying to separate out as "access".
Consider the situation if I try to buy something that may
only legally be sold to adults. In that case my driver's
license with my likeness on it (for authentication) gives
me access to something that I wouldn't otherwise have access
to.
In the above case I think the analogy to the proxy mechanism
is particularly clear. Namely, if I can communicate physically
with somebody (e.g. under age) and I'm not trustworthy with
my responsibility, I can give access to somebody who isn't
authorized to have such access. I can effectively proxy
such access - buy something for them.
I believe the identity tie in (picture) on the driver's
license makes more sense in the human social situation
as increasing the cost of "proxying" provides some
disincentive for doing so. Even at that, however, I
believe the only effective disincentive is the legal
remedy - namely the threat of punishment for selling
or giving a prohibited item to a minor.
The case of the passport I grant is one where the
identity tie in grants access. Namely, I'm able to
get my person into the country with the passport and
not without. I can't think of a computer analog. ?
>These things exist in the real world presumably for good reason.
>
>Convince me that passports and drivers' licenses have no need to carry
>your photo -- or more precisely, ought to be usable by people whose
>faces don't match that pictured -- and I'll agree that non-delegatable
>authorities have no use.
I argue that they have no effective use for access control in
computer systems - besides of course seriously breaking the modular
programming model. I believe that in human social systems
they are also overrated and somewhat misunderstood (e.g. that
distinction between authorization and access), however, I grant
you that such identity based mechanisms remain useful in
human social systems to limit misuse of authority and
for authentication (which is what the picture on the passport
is effectively doing I think).
>If otherwise, then I am forced to conclude that they are useful (at
>least in the real world) and hence, that peoples' fears about giving up
>control are justified (at least in the real world) -- e.g. peoples' (the
>Government's ?) fears about giving up control over who is legally
>allowed to drive, or to leave the country.
I accept your point, though I hope you also see the
distinction I'm trying to make between 'access' and
authorization. For example, the government has no
real fear of losing its authority to designate who
is allowed to drive. Such authority could only be
usurped by something like another organization with
police powers. The license and the passport are
really just showing that the government has
authorized certain actions. It's the guard at
the gate or the policeman on the road who does
the access control - in accord with the government
documentation.
>Of course, this is coming from a strong advocate of the object-cap model
>who is (in this instance) trying to apply real-world insights about
>real-world security to computer security, so this is certainly not a
>critique of the object-cap model nor capability security,
It isn't? Why not? Aren't you raising the same issue
the questioner was raising at David Wagner's talk?:
The questioner correctly stated about the
Object Capability model (somewhat
anthropomorphically): "If you have a
capability then you can give it to someone
else" (that you have a capability to...)
The questioner then continued in that vein to note:
"That doesn't seem like a good idea. You might
want to give someone a capability but not give
them the right to pass it on to someone else."
>both of which I strongly believe in.
You've argued for the value of non-delegatability
of authority. Suppose I gave you a system (e.g. DEMOS)
that provides a convenient way to delegate authority
(an object reference that can be used as a parameter
in a request) so that it can't be re-delegated. I.e.
a 'delegate once' capability. Just turn on the bit in
the reference before sending it - as simple as that.
Now consider the circumstances under which you
would use such a facility. Can you describe them
to me? I've said that I would never use such
a facility in a computer system. When would you
use such a facility?
From my perspective the situation is always the
same. "I'm" (again anthropomorphic) doing a
delegation (as a program) because I need to in
order to carry out my task. I of course realize
(recursively as a programmer now) that the object
that I'm passing the reference to may well be in
the same situation that I'm in. Naturally I want
it to be able to do its job or I wouldn't be
taking the risk of delegating the reference to
begin with.
When would I turn on the bit? I'm always concerned
that the object that I pass a reference to may not
be trustworthy. Because of that both as a person
and as a program I only pass references that I need
to in order to complete my task. Would I always
turn it on? Never? When?
Let me explore a possibility here. In the case of
the program communicating a reference it's difficult
for me to imagine it weighing the risks associated
with communicating the parameter. However, as a
human using a computer system I can sometimes make
risk assessments (e.g. access to my bank account is
more sensitive than access to my resume). Might it
be that as a human I could decide that I'm willing
to accept the risk of communicating a reference to
an object or person, but that I'm not willing to
accept the risk of them delegating such access?
If this case arises, however, what do I do about
communicating conspirators? I don't believe that
as a human trying to limit my exposure I would be
the least bit mollified by the fact that the
program that I delegated my bank account to
could "only" re-delegate by proxy. If it was
untrustworthy I'm screwed in either case.
Some on the list (JonathanS and AlanK as I recall)
have suggested that your paper is simply showing
that capabilities can do something that it was
previously thought they couldn't do - regardless
of whether it was a good idea to use them so
(non-delegatable authorities). However, my
understanding is that this is more than a
theoretical exercise for you. You actually plan
to use such non-delegatability in a system.
You are defending the value of non-delegatable
authority for practical purposes in computer
systems.
Can you perhaps describe enough of your
thoughts to allow us to understand where such
non-delegatability would be useful in a
computer system? You've mentioned MLS, but
that demands Mandatory Access Control (MAC)
as I understand it. How can that stand up to
communicating conspirators?
Let me mention again that I appreciate
the opportunity to air this topic. I
believe we've got our hands on the nut
of the value or not of the OCap model.
I would love to have this discussion in
person over a white board.
--Jed http://www.webstart.com/jed-signature.html
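The 'delegate once' bit and the proxy that gets around it, as an added toy model that is not code from DEMOS, from the web-key paper, or from anyone in this thread. The class names (Capability, Account, Proxy), the single delegation bit and the kernel-style check are assumptions made for the sketch; the point it shows is that the bit stops the reference from being passed on, but not the access, because any object that can receive messages from a conspirator can forward them:

```python
"""Toy model of a 'delegate once' capability and the proxy that defeats it.

Added illustration only; not code from DEMOS or from the cap-talk thread.
The names and the single 'delegable' bit are assumptions for the sketch.
"""


class DelegationError(Exception):
    """Raised when a holder tries to pass on a non-delegatable reference."""


class Account:
    """The protected resource. It is reachable only through a Capability."""

    def __init__(self, balance):
        self._balance = balance

    def withdraw(self, amount):
        if amount > self._balance:
            raise ValueError("insufficient funds")
        self._balance -= amount
        return self._balance


class Capability:
    """An unforgeable reference to a target plus one delegation bit.

    Turning the bit off before sending the reference is the 'delegate once'
    facility: the receiver can invoke, but cannot hand the reference on.
    """

    def __init__(self, target, delegable=True):
        self._target = target
        self.delegable = delegable

    def invoke(self, method, *args):
        return getattr(self._target, method)(*args)

    def delegate(self, *, delegable=True):
        """Produce a copy for another holder; refused if our own bit is off."""
        if not self.delegable:
            raise DelegationError("reference is marked non-delegatable")
        return Capability(self._target, delegable=delegable)


class Proxy:
    """A program that forwards requests to a capability it holds.

    A conspirator needs only an ordinary (delegable) reference to this
    object to get the same access the non-delegatable reference gives.
    The delegation bit on the Account reference is never consulted.
    """

    def __init__(self, cap):
        self._cap = cap

    def invoke(self, method, *args):
        return self._cap.invoke(method, *args)


def scenario():
    """Owner gives program P a 'delegate once' reference to an account.

    Returns (kernel_blocked_redelegation, balance_seen_by_conspirator).
    """
    account = Account(100)
    owner_cap = Capability(account)

    # Owner sends P a reference with the bit turned off, as described.
    p_cap = owner_cap.delegate(delegable=False)

    # P tries to pass the reference on; the check works exactly as intended.
    try:
        p_cap.delegate()
        kernel_blocked = False
    except DelegationError:
        kernel_blocked = True

    # P instead stands up a proxy. Conspirator C only has a reference to the
    # proxy object (which nothing forbids), yet C withdraws from the account.
    proxy_for_c = Proxy(p_cap)
    balance_after = proxy_for_c.invoke("withdraw", 40)

    return kernel_blocked, balance_after


if __name__ == "__main__":
    blocked, balance = scenario()
    print(f"re-delegation blocked: {blocked}; balance after C's withdrawal: {balance}")
```

The model is deliberately minimal: the only thing the kernel can police is the flow of the reference itself, and the proxy shows that flow of references and flow of access are different things, which is the 'communicating conspirators' objection in concrete form.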