[cap-talk] capability networks compared with ACL networks?
john.carlson3 at sbcglobal.net
Thu Feb 5 23:41:51 EST 2009
I just finished reading:
That was the first time I have heard of a DoC (Denial of Capability).
The gist of it is that you send enough capability requests to prevent
sending capability requests. I guess the question remains how often
to send a capability request. Is this typically something that happens
a lot in capability networks? I would think that the capabilities might be
stored for long-term use on clients. What is the practice?
On Feb 5, 2009, at 9:01 PM, John Carlson wrote:
>> One thing that bothers me about his essay is that it only addresses
>> access. IMHO, file access is a relatively narrow and uninteresting part of
>> the access control problem. More important is access control for
>> entities, call them servers, daemons, databases etc. These include
>> such as CVS, MySQL, Apache etc. etc. Perhaps he will discuss them when he
>> discusses the setuid bit. It still seems likely to me that the result will
>> be a separate form of access control for active entities, with
>> syntax and semantics. Oh well.
> Don't forget access to network ports--perhaps a mixture between a
> file and an active entity.
> In particular, I am thinking of bind, where a port is bound to an
> active entity. I only know Berkeley and Unix sockets, ideas from other
> networks would be
> Maybe everything should be thought of as a port--some place where
> active entities service and get serviced, and where active entities rest.
> Or perhaps you prefer socket--where things hook up to get the
> current flowing.
> Are there any ideas from the OSI model which have been forgotten?
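The two questions raised above (how a flood of capability requests starves legitimate requesters, and whether clients should hold capabilities long-term) can be illustrated with a small discrete-time simulation. This is an added example, not code from the thread or from any capability-network implementation. The queue model, the server classes, the parameters (queue capacity 8, service rate 2, 20 flood requests per round, 50 rounds) and the client cache TTL are all constructed assumptions; the point is to compare a single shared request queue against per-source fair queuing, and a client that re-requests every round against one that caches a granted capability.

```python
"""Denial-of-capability (DoC) simulation: a flooder competes with one
legitimate client for a capability-issuing server's request queue.

Two defensive measures are compared:
  1. per-source fair queuing instead of one shared FIFO, and
  2. client-side caching of granted capabilities, which reduces how often
     the client must go back to the server at all.
All servers, rates and the cache TTL are constructed assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CapRequest:
    source: str   # who is asking (e.g. "flooder" or "client")
    seq: int      # constructed sequence number, only for bookkeeping


class NaiveCapServer:
    """One bounded FIFO shared by all sources; excess requests are dropped."""

    def __init__(self, capacity: int, service_rate: int):
        self.capacity, self.service_rate = capacity, service_rate
        self.queue = deque()
        self.granted = defaultdict(int)
        self.dropped = defaultdict(int)

    def submit(self, req: CapRequest) -> None:
        if len(self.queue) >= self.capacity:
            self.dropped[req.source] += 1      # queue full: request lost
        else:
            self.queue.append(req)

    def tick(self) -> list:
        """Serve up to service_rate requests; return the ones granted."""
        served = []
        while self.queue and len(served) < self.service_rate:
            req = self.queue.popleft()
            self.granted[req.source] += 1
            served.append(req)
        return served


class FairCapServer(NaiveCapServer):
    """One bounded queue per source, served round-robin, so a flooder can
    only fill its own backlog and cannot crowd out other sources."""

    def __init__(self, per_source_capacity: int, service_rate: int):
        super().__init__(per_source_capacity, service_rate)
        self.queues = defaultdict(deque)

    def submit(self, req: CapRequest) -> None:
        q = self.queues[req.source]
        if len(q) >= self.capacity:
            self.dropped[req.source] += 1
        else:
            q.append(req)

    def tick(self) -> list:
        served = []
        while len(served) < self.service_rate:
            nonempty = [q for q in self.queues.values() if q]
            if not nonempty:
                break
            for q in nonempty:                 # one request per source per pass
                if len(served) >= self.service_rate:
                    break
                req = q.popleft()
                self.granted[req.source] += 1
                served.append(req)
        return served


class CachingClient:
    """Legitimate client that keeps a granted capability for `ttl` rounds
    and only asks the server again once it has expired (ttl=1 means it
    effectively re-requests every round)."""

    def __init__(self, name: str, ttl: int):
        self.name, self.ttl = name, ttl
        self.expires_at = -1                   # nothing cached yet
        self.requests = 0

    def maybe_request(self, server: NaiveCapServer, now: int) -> bool:
        if now < self.expires_at:
            return False                       # cached capability still valid
        server.submit(CapRequest(self.name, self.requests))
        self.requests += 1
        return True

    def on_grant(self, now: int) -> None:
        self.expires_at = now + self.ttl


def simulate(server: NaiveCapServer, rounds: int, flood_rate: int, client_ttl: int) -> dict:
    """Each round the flooder submits `flood_rate` requests, the client submits
    at most one, then the server serves one tick. Returns per-source counts."""
    client = CachingClient("client", client_ttl)
    for now in range(rounds):
        for i in range(flood_rate):
            server.submit(CapRequest("flooder", now * flood_rate + i))
        client.maybe_request(server, now)
        for req in server.tick():
            if req.source == client.name:
                client.on_grant(now)
    return {"client_requests": client.requests,
            "client_granted": server.granted["client"],
            "client_dropped": server.dropped["client"],
            "flooder_granted": server.granted["flooder"]}


if __name__ == "__main__":
    print("naive FIFO, caching client:", simulate(NaiveCapServer(8, 2), 50, 20, 10))
    print("fair queues, caching client:", simulate(FairCapServer(8, 2), 50, 20, 10))
    print("fair queues, no cache:      ", simulate(FairCapServer(8, 2), 50, 20, 1))
```

With the shared FIFO the flooder refills the queue before the client's request arrives every round, so the client is dropped 50 times out of 50 no matter how rarely it asks; with per-source queues the client is granted on every attempt, and caching the capability for 10 rounds cuts its requests from 50 to 5, which is the long-term-storage practice the message asks about.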