[cap-talk] Webkeys vs. the web

Karp, Alan H alan.karp at hp.com
Tue Mar 31 12:28:26 EDT 2009

Jed Donnelley wrote:
> When you say "exposing them to the user" I assume you mean as textual
> URLs that would tempt users into their cavalier use patterns.
> There the underlying problem was that capabilities as data are
> security sensitive, essentially like passwords.  It seems to me that
> the problem here is the same.

Yes, but worse.  Users don't think of URLs as being sensitive.

> There the basic approach was to ensure that capabilities only came in
> and (more importantly) went out in externally usable form through a
> single controlled interface.  That interface had access to secret
> cryptographic data (in that case a public/private key pair) that was
> used to protect the capabilities while they were manipulated locally
> in an internal form.  If they were inadvertently exposed in their
> internal form (e.g. in a system dump, on a recycled disk, leaked in a
> message with other non-sensitive data, etc.) then such an exposure
> wouldn't result in a compromise of authority.
> I suggest that approach as a possible solution to this problem.

That may not be necessary if the user never sees the webkeys.  I believe we can build a UI where webkeys are only accessed via UI widgets, such as buttons, which is what we did for SCoopFS.

Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
