[cap-talk] Persistence as a cap value (was: Re: ...PLASH discussion)

Jed Donnelley capability at webstart.com
Wed Mar 12 02:27:47 EDT 2008


At 03:46 PM 3/11/2008, Mark Seaborn wrote:
>Jed Donnelley <capability at webstart.com> wrote:
>
> > How do I run "chmod" under PLASH?
>
>The FsObjReal objects [1] (the basic level wrapping POSIX to provide
>an object-based interface) pass chmod() calls on to the underlying
>filesystem in most cases...

When I asked the question I just hadn't thought through how
the above (basic idea - pass through access control calls to
the underlying persistent objects) must be true.

The fact that persistence issues keep surprising (me anyway,
others?) suggests to me that perhaps this major classification
category for capability systems may not be given enough emphasis/
clarity.  I believe that in my heart I always think of capability
systems as manipulating persistent capabilities and keep being
surprised when I find that many (most?) aren't.

Non-persistent capability systems like PLASH (and perhaps Mach
is another good example?) can achieve all the value of
POLA that we discuss so much - at the level of running programs.

What can't they achieve?  I find it interesting that I've never
really seriously considered this question before.  Perhaps others
have and can point me to some discussion?

My offhand thought is that they can't achieve "much" of
what I consider valuable and important in capability systems,
but if that isn't POLA at the programming level, then what
is it?

Part of it is what I suppose one could call "POLA" at the
level of people.  However, I certainly accept that nearly
any access control mechanism can achieve "POLA" at the
people level.  So, what is it that I object to about
mechanisms like ACLs at the level of people?  This seems
to me a particularly poignant question considering that
I went to so much trouble pushing Horton to achieve
with capabilities the sorts of facilities (selective
revocation, audit/logging, etc.) that ACLs naturally
provide.

I think for me the main issue is that of how access is
delegated.  When I refer to access in the previous sentence
I mean persistent access - that is, not a form of access
that will be reset on a system reboot or any other sort
of non explicit means.  A means of delegation that can
be counted on as a "permanent" (only changed by intent)
form of access control management.

For me the most natural form of access delegation
is via a reference in a message.  Is that because I
think like a program ;-) ?  I don't think so, but
then perhaps I'm not the best judge.  I believe that
such a delegation mechanism is just the most parsimonious
and "natural".  I say exactly what I'm delegating (access
to whatever the reference refers to) and "who" I'm
delegating it to - the receiver of the message.  Sort
of like sending a physical key in a postal letter.

In some sense the receiver of any message is always
a program, but I may know that by doing a delegation
by a program acting on my behalf (the sender) to a
particular receiver that the net effect is a delegation
of access to some person.  A persistent delegation of
such an access.  To me sending an email that includes
a 'capability' (e.g. a Webkey) is a very natural form
of delegation, which is in turn what seems to me to
be a very simple and easily understood form of access
control "management" - at least for the initial
delegation; revocation or after-the-fact (of
delegation) management is another issue (e.g. a
Horton UI).

I'm interested to hear from others how they feel about
this persistence issue - in terms mostly of how
important they feel it is to the value of capability
systems.  If there's a big split on this topic I
may find that I've been barking up the wrong tree - at
least a different tree than I thought I was barking up.

While I think network level capabilities (e.g. Webkeys)
can provide value in being able to provide an access
control scheme at the network level that is independent
of a shared notion of "who"s (identities), I've always
thought of such a network "capability" mechanism as
providing much more - but now I'm wondering just how
much that feeling comes from my own (perhaps warped?)
intuition about what is "natural" in terms of a user
interface for access control management.  Do others
find this topic worth commenting on?

--Jed  http://www.webstart.com/jed-signature.html 