[cap-talk] Webkeys vs. the web
capability at webstart.com
Tue Mar 31 12:15:57 EDT 2009
At 08:43 AM 3/31/2009, Karp, Alan H wrote:
>The problem I have with this scheme and others proposed on this list
>is that people have developed certain use patterns for URLs that are
>incompatible with using URLs to carry authority. Just the other
>day, I sent the link to a news item I saw at Schwab. Since I was
>logged in, there was also a link on the page to where I manage my
>account. Had this been a webkey system, my money might be
>gone. (Oh wait, that already happened.)
>I have become convinced that we cannot treat webkeys as normal URLs
>because people have become too used to sharing them. I believe that
>we need to develop a UI that uses webkeys without exposing them to the user.
Good point and good humor.
When you say "exposing them to the user" I assume you mean as textual
URLs that would tempt users into their cavalier use patterns.
This makes me think of the base problem that was addressed in the
Managing Domains paper:
There the underlying problem was that capabilities as data are
security sensitive, essentially like passwords. It seems to me that
the problem here is the same.
There the basic approach was to insure that capabilities only came in
and (more importantly) went out in externally usable form through a
single controlled interface. That interface had access to secret
cryptographic data (in that case a public/private key pair) that was
used to protect the capabilities while they were manipulated locally
in an internal form. If they were inadvertently exposed in their
internal form (e.g. in a system dump, on a recycled disk, leaked in a
message with other non-sensitive data, etc.) then such an exposure
wouldn't result in a compromise of authority.
I suggest that approach as a possible solution to this problem.
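The internal-form / external-form split described in the post above, as an added example that is not part of the original message or of the Managing Domains design it refers to. The structure is assumed: an `InternalCap` that only names a resource and its rights (no secret, so a leaked copy grants nothing), and a single gateway holding a secret key that is the only place where an externally usable webkey is minted or accepted. The gateway key, the `https://example.invalid/cap` base URL and the sample capabilities are all constructed for the demonstration; the MAC construction stands in for whatever the original paper used.

```python
import base64
import binascii
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed demo key. In a deployment it lives only in the gateway process
# (or an HSM); it never appears in the internal form, in dumps or in logs.
GATEWAY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
BASE_URL = "https://example.invalid/cap"  # hypothetical service endpoint


@dataclass(frozen=True)
class InternalCap:
    """Internal form: names a resource and the rights over it, nothing more.
    Exposing this in a system dump or a shared page does not expose authority,
    because turning it into a usable webkey requires the gateway's key."""
    resource: str
    rights: str


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def export_cap(cap: InternalCap, key: bytes = GATEWAY_KEY) -> str:
    """The single controlled interface: convert an internal cap to a webkey.
    The MAC over (resource, rights) is what makes the URL bearer authority,
    so this is the only function that should ever see the key in the
    outbound direction."""
    payload = json.dumps([cap.resource, cap.rights]).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    # Carried in the fragment so browsers do not send it in the request line
    # or in Referer headers; it is still secret and still must not be shared.
    return f"{BASE_URL}#{_b64(payload)}.{_b64(tag)}"


def import_cap(webkey: str, key: bytes = GATEWAY_KEY) -> Optional[InternalCap]:
    """Inbound direction: accept a webkey only if its MAC verifies, and hand
    back the harmless internal form for local manipulation."""
    fragment = urlparse(webkey).fragment
    try:
        payload_s, tag_s = fragment.split(".", 1)
        payload, tag = _unb64(payload_s), _unb64(tag_s)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged, tampered, or minted with a different key
    resource, rights = json.loads(payload)
    return InternalCap(resource, rights)


def leaked_internal_form_is_harmless(cap: InternalCap) -> bool:
    """Model the leak the post describes: someone holding only the internal
    form (and not the gateway key) tries to mint a webkey with a key of their
    own. The real gateway rejects it, so the leak conveyed no authority."""
    attacker_key = b"\x42" * 32  # constructed: anything but GATEWAY_KEY
    return import_cap(export_cap(cap, key=attacker_key)) is None


if __name__ == "__main__":
    account = InternalCap("account/1234", "manage")
    url = export_cap(account)
    print("webkey:", url)
    print("round-trips:", import_cap(url) == account)
    print("leak of internal form harmless:", leaked_internal_form_is_harmless(account))
```

The point of the split is operational: everything outside `export_cap` and `import_cap` works with `InternalCap` values, which can be logged, dumped or pasted without consequence, and the one place that handles the key is small enough to audit. It does not by itself solve the problem Alan raises, that a user who has been handed a real webkey will paste it into mail; it only shrinks the set of places where a real webkey exists.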