[cap-talk] Confused Deputies in Capability Systems

John Carlson john.carlson3 at sbcglobal.net
Tue Feb 10 23:32:55 EST 2009

On Feb 10, 2009, at 11:17 AM, Karp, Alan H wrote:

> In our reference implementation, the service validates the  
> certificate via calls to library routines.  As you note, that's far  
> from the best approach.  In a real deployment, such as those the  
> Navy uses, the request is intercepted by a Policy Enforcement Point  
> (PEP), which forwards the request to a Policy Decision Point (PDP).   
> The PDP does the verification and sends the access decision to the  
> PEP.  The PEP forwards the request to the service if the decision is  
> to allow access.  The PEP and PDP are part of the service's reliance  
> set.

Is the reliance set the same as a TCB?  How is a reliance set related  
to a TCB?  It seems like a reliance set is more like a guard--one big  
if then else statement, possibly inserted into the SOAP stream through  
aspects.  If it is done using aspects, this would be another case  
where aspects help capabilities, when you would normally think of them
as defeating capabilities--or perhaps they are proxies that can be
thought of as aspects.

