[cap-talk] Password capabilities ??
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Tue Feb 10 09:49:45 EST 2009
David-Sarah Hopwood wrote:
> Jed Donnelley wrote:
>> At 09:53 AM 2/6/2009, Sandro Magi wrote:
>>> A password capability is an identity token of sorts,
>>> in which case you've turned your service into an ACL system with the
>>> same possibility for confused deputies, and must therefore vet the
>>> arguments.
>> I don't understand the above. You must mean something by "password
>> capability" other than what I've understood by that terminology in the past.
>
> I think the correct term for a capability used for identity-based
> access checks is "access token", as used in Lampson's Protection paper.
Sorry, I meant to say "access key".
> (Obviously this has all the usual weaknesses of IBAC.)
--
David-Sarah Hopwood ⚥