[cap-talk] Webkeys vs. the web
Karp, Alan H
alan.karp at hp.com
Tue Mar 31 12:28:26 EDT 2009
Jed Donnelley wrote:
> When you say "exposing them to the user" I assume you mean as textual
> URLs that would tempt users into their cavalier use patterns.
> There the underlying problem was that capabilities as data are
> security sensitive, essentially like passwords. It seems to me that
> the problem here is the same.
Yes, but worse. Users don't think of URLs as being sensitive.
> There the basic approach was to insure that capabilities only came in
> and (more importantly) went out in externally usable form through a
> single controlled interface. That interface had access to secret
> cryptographic data (in that case a public/private key pair) that was
> used to protect the capabilities while they were manipulated locally
> in an internal form. If they were inadvertently exposed in their
> internal form (e.g. in a system dump, on a recycled disk, leaked in a
> message with other non-sensitive data, etc.) then such an exposure
> wouldn't result in a compromise of authority.
> I suggest that approach as a possible solution to this problem.
That may not be necessary if the user never sees the webkeys. I believe we can build a UI where webkeys are only accessed via UI widgets, such as buttons, which is what we did for SCoopFS.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
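The sealing approach Jed describes above (capabilities enter and leave in externally usable form only through one controlled interface that holds secret key material, so a leak of the internal form grants no authority), sketched as an added Python example. This is not code from the original thread, from SCoopFS, or from Jed Donnelley's system. It assumes a webkey carrying its secret in the URL fragment as `#s=...`, uses a truncated HMAC-SHA256 tag as the seal, and all class, function and target names are invented for illustration.

```python
"""Capability sealing for webkeys (added illustration, not SCoopFS code).
Internal records never leave or enter the gateway except through
export()/import_(), which use a secret MAC key held only by the gateway."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

TAG_LEN = 16  # truncated HMAC-SHA256 tag (128 bits)
ID_LEN = 16   # length of an internal capability id


class WebkeyGateway:
    """Holds internal capability records and the only key that can seal them."""

    def __init__(self, base_url, secret_key=None):
        self.base_url = base_url
        # The key never leaves this object; a dump of self._caps alone is useless.
        self._key = secret_key or secrets.token_bytes(32)
        self._caps = {}  # internal id -> (target, rights)

    def register(self, target, rights):
        """Create an internal capability record. The returned id is the internal
        form: invoke() does not honor it unless it is paired with a valid tag."""
        cap_id = secrets.token_bytes(ID_LEN)
        self._caps[cap_id] = (target, frozenset(rights))
        return cap_id

    def _tag(self, cap_id):
        return hmac.new(self._key, cap_id, hashlib.sha256).digest()[:TAG_LEN]

    def export(self, cap_id):
        """Single controlled exit: internal id -> externally usable webkey.
        Assumption: the secret travels in the fragment, which a client script
        reads, so browsers keep it out of Referer headers and access logs."""
        if cap_id not in self._caps:
            raise KeyError("unknown capability")
        token = base64.urlsafe_b64encode(cap_id + self._tag(cap_id)).rstrip(b"=")
        return f"{self.base_url}#s={token.decode()}"

    def import_(self, webkey):
        """Single controlled entry: webkey -> internal id, or None if forged."""
        token = parse_qs(urlsplit(webkey).fragment).get("s", [""])[0]
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except ValueError:
            return None
        if len(raw) != ID_LEN + TAG_LEN:
            return None
        cap_id, tag = raw[:ID_LEN], raw[ID_LEN:]
        # Constant-time compare so a forger cannot learn the tag byte by byte.
        if not hmac.compare_digest(tag, self._tag(cap_id)):
            return None
        return cap_id if cap_id in self._caps else None

    def invoke(self, webkey, operation):
        """Honor a request only on a webkey that passed import_() and whose
        record carries the requested right."""
        cap_id = self.import_(webkey)
        if cap_id is None:
            return "rejected"
        target, rights = self._caps[cap_id]
        if operation not in rights:
            return "rejected"
        return f"{operation} {target}"


def demo():
    """Genuine webkey works; leaked internal id and tampered token do not."""
    gw = WebkeyGateway("https://files.example/app")  # constructed sample
    cap = gw.register("report.pdf", {"read"})
    key = gw.export(cap)  # external form: this, not cap, is the authority
    ok = gw.invoke(key, "read")
    denied = gw.invoke(key, "write")
    # Attacker who saw cap in a dump knows the id but cannot compute the tag.
    forged = base64.urlsafe_b64encode(cap + secrets.token_bytes(TAG_LEN))
    leaked = gw.invoke(f"{gw.base_url}#s={forged.rstrip(b'=').decode()}", "read")
    # Flipping the first token character changes the id bits; seal fails.
    i = key.index("#s=") + 3
    flipped = key[:i] + ("A" if key[i] != "A" else "B") + key[i + 1:]
    tampered = gw.invoke(flipped, "read")
    return ok, denied, leaked, tampered


if __name__ == "__main__":
    print(demo())
```

The point of the split is that `self._caps` and every `cap_id` can be logged, dumped or swapped to disk without consequence; only a token that passed through `export()` with the gateway's key is usable, and `import_()` is the one place that turns it back into an internal reference.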