[cap-talk] Hybrid systems irrelevant to cap/acl interop (was: Hybrid ACL/capability systems are vulnerable to confused deputy)

Jed Donnelley capability at webstart.com
Thu Feb 5 03:05:36 EST 2009


At 09:54 AM 2/3/2009, Stiegler, Marc D wrote:
>I think we can safely put to rest any concern about interoperability 
>of cap and acl systems that would stimulate one to think about an 
>explicitly hybrid system. Fact is, caps work just fine in the 
>presence of acls, mainly by completely ignoring them and exposing 
>deficiencies of the acls into the bargain.
>
>So, suppose you have a digital resource protected by an acl; Alice 
>and Bob can update the resource, and Carol can view it. Carol of 
>course cannot edit the acl entries -- that would give her de 
facto edit authority, by editing her own entry. So the acl 
>"prevents" Carol from further sharing her view authority with someone else.
>
>There are 2 problems with this. First, of course, preventing Carol 
>from further sharing inhibits secure cooperation, harming the 
>ability of the participants to get their work done. Second, of 
course, is that it doesn't really prevent Carol from further 
sharing. Carol can always share her credentials or set up a VNC 
connection. But the acl does make it awkward and unpleasant to 
>share (so awkward and unpleasant that only malicious people stealing 
>high-value authorities would bother), until a cap system is 
>introduced that manages resources of the same type. Once a cap 
system managing such resources is built, Carol simply bangs up a 
>revocable forwarder to the resource and shares that. No muss, no fuss.

Ah, sorry.  I hadn't noticed this message (with a new subject) when I 
sent mine:

http://www.eros-os.org/pipermail/cap-talk/2009-February/012143.html

that also argues that we don't need hybrid systems to transition from 
ACLs to capabilities.

>The outcome of this unintegrated blend of acls and caps is, the caps 
>win. People get their work done using the cap system, and the acl 
>system becomes irrelevant. Creator/owners of resources eventually 
>stop bothering to fiddle with the acls, they just use the caps for everything.
>
>--marcs

I believe we are making essentially the same point, though perhaps 
your discussion was more eloquent, MarcS.

Still, I do think that my point about cap systems being more suitable 
for widespread (global) application where large shared ID spaces are 
awkward (impossible?) is also relevant.

--Jed  http://www.webstart.com/jed-signature.html 
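The revocable forwarder MarcS describes above, worked through as an added example. This is not code from the cap-talk thread or from any actual capability system; the ACL-protected Resource, the ViewCap handle, make_revocable and the principal names (alice, bob, carol, dave) are all constructed for illustration. It shows Carol, who has only view authority under the acl, delegating exactly that authority to Dave (who is not on the acl at all) and later revoking it, with the forwarder offering no edit operation so no authority is amplified.

```python
"""Added example, not code from the cap-talk thread or any real capability
system: a toy ACL-protected resource beside a capability-style handle on it,
plus the revocable forwarder ("caretaker") MarcS mentions. All class and
principal names (Resource, ViewCap, make_revocable, alice/bob/carol/dave)
are constructed for illustration."""


class Resource:
    """A document protected by an ACL mapping principal -> set of rights.
    Every operation is checked against the caller's *identity*."""

    def __init__(self, content, acl):
        self._content = content
        self._acl = acl

    def _check(self, principal, right):
        if right not in self._acl.get(principal, set()):
            raise PermissionError(f"{principal} lacks {right}")

    def view(self, principal):
        self._check(principal, "view")
        return self._content

    def edit(self, principal, content):
        self._check(principal, "edit")
        self._content = content


class ViewCap:
    """Capability-style handle: holding this object *is* the authority to
    view. It is minted once from an ACL-authorised principal; after that the
    ACL never sees whoever ends up holding the handle."""

    def __init__(self, resource, principal):
        resource.view(principal)  # fail now if the ACL says no
        self._view = lambda: resource.view(principal)

    def view(self):
        return self._view()


def make_revocable(cap):
    """Caretaker pattern: return (forwarder, revoke).

    The forwarder exposes only `view`, so it cannot hand out more than its
    maker holds (no amplification); `revoke()` cuts it off permanently."""
    slot = [cap]

    class Forwarder:
        def view(self):
            if slot[0] is None:
                raise PermissionError("capability revoked")
            return slot[0].view()

    def revoke():
        slot[0] = None

    return Forwarder(), revoke


def demo():
    """Walk through the scenario: Alice and Bob edit, Carol views, Dave is
    not on the ACL at all. Returns a dict of observations."""
    doc = Resource("draft v1", {
        "alice": {"view", "edit"},
        "bob": {"view", "edit"},
        "carol": {"view"},
    })

    def denied(fn):
        try:
            fn()
            return False
        except PermissionError:
            return True

    out = {}
    # The ACL side: Carol cannot edit, Dave cannot even view.
    out["carol_edit_denied"] = denied(lambda: doc.edit("carol", "x"))
    out["dave_acl_view_denied"] = denied(lambda: doc.view("dave"))

    # Carol obtains a capability on the same resource and delegates it to
    # Dave through a revocable forwarder; the ACL never hears of Dave.
    carol_cap = ViewCap(doc, "carol")
    dave_cap, carol_revokes = make_revocable(carol_cap)
    out["dave_sees"] = dave_cap.view()
    out["forwarder_has_edit"] = hasattr(dave_cap, "edit")

    # Alice's later edit is visible through the forwarder: it is a live view.
    doc.edit("alice", "draft v2")
    out["dave_sees_update"] = dave_cap.view()

    # Carol withdraws what she shared; Dave's handle goes dead.
    carol_revokes()
    out["dave_view_denied_after_revoke"] = denied(dave_cap.view)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see each observation printed; the point to notice is that Dave never appears in the acl, yet reads the document through Carol's forwarder until she revokes it, and at no point can he obtain an edit operation the forwarder does not carry.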
