[cap-talk] Webkeys vs. the web

Jed Donnelley capability at webstart.com
Tue Mar 31 12:15:57 EDT 2009

At 08:43 AM 3/31/2009, Karp, Alan H wrote:
>The problem I have with this scheme and others proposed on this list 
>is that people have developed certain use patterns for URLs that are 
>incompatible with using URLs to carry authority.  Just the other 
>day, I sent the link to a news item I saw at Schwab.  Since I was 
>logged in, there was also a link on the page to where I manage my 
>account.  Had this been a webkey system, my money might be 
>gone.  (Oh wait, that already happened.)
>I have become convinced that we cannot treat webkeys as normal URLs 
>because people have become too used to sharing them.  I believe that 
>we need to develop a UI that uses webkeys without exposing them to the user.

Good point and good humor.

When you say "exposing them to the user" I assume you mean as textual 
URLs that would tempt users into their cavalier use patterns.

This makes me think of the base problem that was addressed in the 
Managing Domains paper:


There the underlying problem was that capabilities as data are 
security sensitive, essentially like passwords.  It seems to me that 
the problem here is the same.

There the basic approach was to ensure that capabilities only came in 
and (more importantly) went out in externally usable form through a 
single controlled interface.  That interface had access to secret 
cryptographic data (in that case a public/private key pair) that was 
used to protect the capabilities while they were manipulated locally 
in an internal form.  If they were inadvertently exposed in their 
internal form (e.g. in a system dump, on a recycled disk, leaked in a 
message with other non-sensitive data, etc.) then such an exposure 
wouldn't result in a compromise of authority.

I suggest that approach as a possible solution to this problem.

--Jed  http://www.webstart.com/jed-signature.html 
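The following is an added illustration of the "single controlled interface" approach described in the message above; it is not code from the cap-talk thread, from Jed, or from the Managing Domains paper. Capabilities live inside the process in an internal form (a table index that carries no authority on its own), and only the gateway can turn one into an externally usable, webkey-like string or accept such a string back. It assumes an HMAC key as a stand-in for the public/private key pair the original design used, and the resource names and rights are constructed sample data.

```python
"""
Added example (not from the cap-talk post or the Managing Domains paper):
a minimal single controlled interface for capabilities.  Internal form is a
small table index that means nothing outside this process; external form is
that index plus a keyed MAC that only the gateway can produce.
Assumption: an HMAC key stands in for the public/private key pair of the
original design.
"""
import hashlib
import hmac
import secrets


class CapabilityGateway:
    """The one place where capabilities enter and leave in external form."""

    def __init__(self, key=None):
        # Secret material never leaves the gateway.
        self._key = key if key is not None else secrets.token_bytes(32)
        # Internal form is an index into this table; exposing an index
        # (in a dump, a log line, a recycled disk) confers no authority.
        self._table = {}
        self._next = 0

    def grant(self, resource, rights):
        """Create a capability and return its internal form (an index)."""
        idx = self._next
        self._next += 1
        self._table[idx] = (resource, frozenset(rights))
        return idx

    def revoke(self, idx):
        """Drop the table entry; any outstanding external form becomes useless."""
        self._table.pop(idx, None)

    def use(self, idx, right):
        """Exercise a capability held in internal form."""
        resource, rights = self._table[idx]
        if right not in rights:
            raise PermissionError(f"{right} not in {sorted(rights)}")
        return f"{right} on {resource}"

    def _payload(self, idx):
        resource, rights = self._table[idx]
        return f"{idx}:{resource}:{','.join(sorted(rights))}"

    def externalize(self, idx):
        """Produce the externally usable form (a webkey-like string)."""
        payload = self._payload(idx)
        tag = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{tag}"

    def internalize(self, webkey):
        """Admit an external capability, returning its internal index."""
        payload, sep, tag = webkey.rpartition(":")
        if not sep:
            raise PermissionError("malformed capability")
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("forged or tampered capability")
        idx = int(payload.split(":", 1)[0])
        # The table is authoritative: a revoked capability has no entry, so a
        # stale but correctly tagged webkey is rejected as well.
        if idx not in self._table or self._payload(idx) != payload:
            raise PermissionError("revoked capability")
        return idx


def _rejected(gw, webkey):
    """True if the gateway refuses the given external form."""
    try:
        gw.internalize(webkey)
    except PermissionError:
        return True
    return False


def demo():
    """Walk through the properties the message describes; returns a dict of checks."""
    gw = CapabilityGateway(key=b"\x01" * 32)  # fixed key so the run is reproducible
    idx = gw.grant("account-ledger", {"read"})  # constructed sample resource
    webkey = gw.externalize(idx)
    results = {"roundtrip": gw.internalize(webkey) == idx}
    # Leaked internal form: knowing the index is not enough to mint a webkey.
    results["forged_rejected"] = _rejected(gw, f"{idx}:account-ledger:read:" + "00" * 32)
    # Editing the rights field of a genuine webkey invalidates its tag.
    results["tampered_rejected"] = _rejected(gw, webkey.replace(":read:", ":read,write:"))
    # After revocation the previously valid external form no longer works.
    gw.revoke(idx)
    results["revoked_rejected"] = _rejected(gw, webkey)
    return results


if __name__ == "__main__":
    print(demo())
```

The point the gateway makes concrete is the one in the message: everything a program handles day to day is the bare index, and an index written to a log or left on a disk gives a finder nothing to redeem, because only the holder of the gateway's secret can attach the tag that the external interface demands.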
