[cap-talk] Hybrid systems irrelevant to cap/acl interop (was: Hybrid ACL/capability systems are vulnerable to confused deputy)
Stiegler, Marc D
marc.d.stiegler at hp.com
Tue Feb 3 11:54:08 EST 2009
I think we can safely put to rest any concern about interoperability of cap and acl systems that would stimulate one to think about an explicitly hybrid system. Fact is, caps work just fine in the presence of acls, mainly by completely ignoring them and exposing deficiencies of the acls into the bargain.
So, suppose you have a digital resource protected by an acl; Alice and Bob can update the resource, and Carol can view it. Carol of course cannot edit the acl entries -- that would give her de facto edit authority, by editing her own entry. So the acl "prevents" Carol from further sharing her view authority with someone else.
There are 2 problems with this. First, of course, preventing Carol from further sharing inhibits secure cooperation, harming the ability of the participants to get their work done. Second, of course, is that it doesn't really prevent Carol from further sharing. Carol can always share her credentials or set up a VNC connection. But the acl does make it awkward and unpleasant to share (so awkward and unpleasant that only malicious people stealing high-value authorities would bother), until a cap system is introduced that manages resources of the same type. Once a cap system managing such resources is built, Carol simply bangs up a revocable forwarder to the resource and shares that. No muss, no fuss.
The outcome of this unintegrated blend of acls and caps is, the caps win. People get their work done using the cap system, and the acl system becomes irrelevant. Creator/owners of resources eventually stop bothering to fiddle with the acls; they just use the caps for everything.
--marcs
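The revocable forwarder Marc describes, as an added example that is not part of the original post: a caretaker wrapped around Carol's view authority, showing that the ACL only ever sees Carol, that the forwarder carries view but not update, and that Carol can revoke it at will. Class names, principal names and the document contents are constructed for illustration.

```python
# Added example (not from the original post): a revocable forwarder
# ("caretaker") over an ACL-guarded resource. All names are constructed.

class Resource:
    """A document guarded by a classic ACL: principal -> set of rights."""
    def __init__(self, text, acl):
        self._text, self._acl = text, acl
    def _check(self, who, right):
        if right not in self._acl.get(who, set()):
            raise PermissionError(f"{who}: no {right} right")
    def view(self, who):
        self._check(who, "view")
        return self._text
    def update(self, who, text):
        self._check(who, "update")
        self._text = text

class ViewCap:
    """Carol's view authority as an object: bound to her identity, view only."""
    def __init__(self, resource, who):
        self._resource, self._who = resource, who
    def view(self):
        return self._resource.view(self._who)

class Caretaker:
    """Revocable forwarder: the holder can view() until the maker revokes."""
    def __init__(self, target):
        self._target = target
    def view(self):
        if self._target is None:
            raise PermissionError("forwarder revoked")
        return self._target.view()
    def revoke(self):
        self._target = None

def demo():
    acl = {"alice": {"view", "update"}, "bob": {"view", "update"}, "carol": {"view"}}
    doc = Resource("quarterly numbers", acl)
    forwarder = Caretaker(ViewCap(doc, "carol"))   # what Carol hands to Dave
    out = {}
    try:
        doc.view("dave")                 # the ACL alone refuses Dave
    except PermissionError:
        out["dave_direct"] = "denied"
    out["dave_via_forwarder"] = forwarder.view()   # ACL sees only Carol's right
    forwarder.revoke()                   # Carol withdraws the delegation
    try:
        forwarder.view()
    except PermissionError:
        out["after_revoke"] = "denied"
    return out
```

The ACL never learns that Dave exists; what it can still do is revoke Carol, which is the audit and containment point a defender keeps in a mixed deployment.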