[cap-talk] Password capabilities ??
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Tue Feb 10 09:48:21 EST 2009
Jed Donnelley wrote:
> At 09:53 AM 2/6/2009, Sandro Magi wrote:
>> A password capability is an identity token of sorts,
>> in which case you've turned your service into an ACL system with the
>> same possibility for confused deputies, and must therefore vet the
>> arguments.
>
> I don't understand the above. You must mean something by "password
> capability" other than what I've understood by that terminology in the past.
I think the correct term for a capability used for identity-based
access checks is "access token", as used in Lampson's Protection paper.
(Obviously this has all the usual weaknesses of IBAC.)
--
David-Sarah Hopwood ⚥