[cap-talk] Confused Deputies in Capability Systems - not
Jed Donnelley
capability at webstart.com
Fri Feb 27 04:55:50 EST 2009
At 01:15 AM 2/27/2009, Toby Murray wrote:
>On Thu, 2009-02-26 at 23:49 -0800, Jed Donnelley wrote:
> > ...Horton was 2007. It took that long to show that something as
> > fundamental as auditing (who did what) could be done with
> > capability-based systems?
>
>The basic idea of Horton -- a membrane (global intermediary) that tracks
>delegations between users -- was implemented by KeySAFE -- a global
>intermediary labels capabilities as they move between domains etc. -- so
>KeySAFE could have done the auditing as well. To me, the novel point
>about Horton was that the interposition is transparent and that you
>shouldn't have the membrane making access decisions but merely keeping
>an audit log for later review.
Interesting comment. I wish we had heard a comment like that when
we were writing the Horton paper (sorry if we missed it). We don't
refer to anything about KeySAFE in the Horton paper. I must (in my
copious time) look more into KeySAFE to see what it shares in common
with the Horton mechanism. I remember the KeySAFE mechanism in the
context of MLS controls for KeyKOS - right? Didn't it have users
and objects with security levels and enforce the simple security
and star properties ala Bell and LaPadula? Sorry if I'm forgetting
more than I should.
Perhaps Bill F. (others?) could comment on the similarities between
KeySAFE and Horton?
--Jed http://www.webstart.com/jed-signature.html