[cap-talk] Confused Deputies in Capability Systems - not

Jed Donnelley capability at webstart.com
Fri Feb 27 11:58:42 EST 2009


At 06:25 AM 2/27/2009, Marcus Brinkmann wrote:
>Bill Frantz wrote:
> > marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) on
> > Thursday, February 26, 2009 wrote:
> >
> >> Capabilities can only survive in an isolated, homogeneous environment.  I
> >> think that this is a serious limitation, which in my opinion severely
> >> restricts the applicability of capability theory.
> >
> > This statement is wrong on the face of it. Any data-as-capability (e.g.
> > WebKeys, SPKI authorizations, etc.) can be securely passed through systems,
> > such as encrypted email, that are completely unaware of capabilities, let
> > alone the precise capability system they represent.
>
>That is just a transport issue, and not what I meant.  If you send
>me a capability-as-data over any channel, what can I do with it?
>Nothing useful, until I feed it back into a system that accepts the
>data as a valid capability for anything.

Of course.  In order to make use of any object reference one must be 
able to communicate with the server of the object, whether using 
capability or IBAC access controls.  This is a problem?

>For that to happen, the system must somehow be in rather intimate 
>contact (and if only by following the same P2P protocol) with the 
>system from which the capability originated.

TCP and http for example with YURLs/Web keys?  Yes, communication is 
needed to the application level protocol, but again that is needed 
for any resource sharing, regardless of access control approach.

>It does not need to be the same system, but surely all such systems 
>form a common domain.

Heavens no.  That would be like saying that all Web servers form a 
common domain.  Let's hope not.

I hope I'm not misunderstanding something fundamental here.  This 
line of reasoning makes no sense to me.

>This domain is the isolated, homogeneous environment I am talking about.

There is no isolation with capabilities as data (or as descriptors 
actually, but there I agree that more software is needed) - except in 
so far as there is isolation by the ability to communicate data (e.g. 
firewalls or lack of hardware communication ability or, yes, by lack 
of shared protocols to the application level).  Any such isolation by 
inability to communicate data inhibits any sort of resource sharing, 
whether using capability or IBAC access control means.

>So, yes, it is possible to extract a capability and reinsert it into 
>the capability system it came
>from, but you can not extract a capability and use it outside of the 
>capability system it came from.

As long as you can communicate to the server of the resource (needed 
for capability or IBAC resource sharing) you can.

Sorry, but I don't understand what you're getting at Marcus.  Perhaps 
others can help.

--Jed  http://www.webstart.com/jed-signature.html 
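As an added illustration of the point argued in this message (example code written for this page, not from the post or from any of the systems it names): a web-key style capability-as-data, modelled in Python. The server decides access only from the unguessable key in the URL, while the e-mail "channel" and the recipient's system need nothing beyond text handling and the application protocol. The host name example.invalid, the resource names and the mail text are constructed.

```python
import hmac
import re
import secrets
from urllib.parse import urlsplit

# Constructed in-memory "server" state: unguessable key -> (resource, rights).
_TABLE: dict[str, tuple[str, frozenset[str]]] = {}
_RESOURCES = {"report.txt": "quarterly numbers"}   # constructed sample data


def issue_webkey(resource: str, rights: set[str], host: str = "example.invalid") -> str:
    """Mint a web-key style capability: an https URL whose secret path
    segment designates the resource and the rights granted to any holder."""
    key = secrets.token_urlsafe(32)          # 256 bits of entropy: unguessable
    _TABLE[key] = (resource, frozenset(rights))
    return f"https://{host}/cap/{key}"


def serve(url: str, op: str) -> tuple[int, str]:
    """Server side of the protocol. The only inputs are the presented URL and
    the requested operation: no caller identity, session or ACL is consulted."""
    path = urlsplit(url).path
    if not path.startswith("/cap/"):
        return 404, "not a capability URL"
    presented = path[len("/cap/"):]
    for key, (resource, rights) in _TABLE.items():
        if hmac.compare_digest(key.encode(), presented.encode()):  # constant time
            break
    else:
        return 404, "unknown capability"
    if op not in rights:
        return 403, f"capability does not grant {op!r}"
    return 200, _RESOURCES[resource]        # only "read" is modelled here


def send_by_email(url: str) -> str:
    """A capability-unaware channel: the URL is just text in a mail body."""
    return f"Hi Bob,\n\nthe report is here: {url}\n\n-- Alice\n"


def extract_link(mail_body: str) -> str:
    """All the recipient's system needs: find an https URL in text and then
    speak the application protocol (HTTP) to the server that issued it."""
    match = re.search(r"https://\S+", mail_body)
    if match is None:
        raise ValueError("no capability URL in message")
    return match.group(0)
```

Whoever reaches the server with the string gets exactly the granted rights, so the key must be protected in transit like any bearer secret (TLS, no logging of the URL).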
