[cap-talk] Comparing models
Karp, Alan H
alan.karp at hp.com
Mon Jun 13 09:39:55 PDT 2011
I've changed the subject line to reflect the topic being discussed.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
> -----Original Message-----
> From: Karp, Alan H
> Sent: Tuesday, June 07, 2011 2:31 PM
> To: 'David Chadwick'
> Cc: Hoyt L Kesterson II
> Subject: RE: We met at the Cornerstones of Trust conference and...
>
> That's quite different from the kind of RBAC systems you see presented
> at places like the RSA conferences and what I see in corporations. For
> example, HP used to have 850+ roles, which were becoming unmanageable.
> Folks in my Lab used some clever mathematics to reduce that to a bit
> over 200 at the cost of modest over-provisioning.
>
> I spoke (typed!) too soon on my previous reply. We're not in full
> agreement, just mostly in agreement. The difference is that a
> capability combines designation of an object with the right to use it.
> What you described separates them, a string for the file name and a
> delegation of a role for the authorization. That split requires extra
> care to avoid using the wrong role when accessing a resource. That's
> not a showstopper, but it is worth thinking about. Our ZBAC approach,
> http://www.hpl.hp.com/techreports/2007/HPL-2007-105.html, allows a
> similar split for invoking legacy services. In our approach, the
> resource is designated by a URI, and the same URI appears in the SAML
> authorization assertion. How does the invoked service know which role
> to use for each access in your approach?
>
> Capability systems use a pattern called "rights amplification" that is
> similar to needing two or more roles to get permission to do something.
> The classic example is a sealed box containing an object. The only way
> to invoke methods on the object is to have both a capability to the box
> and a capability that unseals it. The difference is that one of the
> roles might carry permissions on its own, while neither capability can
> do anything on its own.
>
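The rights-amplification pattern from the quoted message, as an added example in JavaScript that is not part of the original post: a sealer/unsealer pair built on a WeakMap, where the box alone reveals nothing and only the matching unsealer recovers the sealed object. The "HR" and "Audit" brand names and the payroll object are constructed for the demonstration.

```javascript
// Sealer/unsealer pair: the "sealed box" pattern from the message above.
// Added example, not code from the original post; brand names are made up.
function makeBrandPair(name) {
  // The WeakMap is the private brand; only seal and unseal close over it.
  const contents = new WeakMap();

  function seal(obj) {
    // A frozen box with no accessor: holding it alone reveals nothing.
    const box = Object.freeze({ toString: () => `<sealed by ${name}>` });
    contents.set(box, obj);
    return box;
  }

  function unseal(box) {
    // Only boxes produced by the matching seal() are in this WeakMap,
    // so an unsealer from another pair is rejected.
    if (!contents.has(box)) {
      throw new TypeError(`not sealed by ${name}`);
    }
    return contents.get(box);
  }

  return Object.freeze({ seal, unseal });
}

// Exercise the pattern on a constructed object standing in for a resource.
function demo() {
  const payroll = Object.freeze({ read: () => 'payroll record' });
  const hr = makeBrandPair('HR');       // constructed brand
  const audit = makeBrandPair('Audit'); // constructed, unrelated brand

  const box = hr.seal(payroll);

  // Box alone: no path to payroll (only the harmless toString).
  const boxAloneKeys = Object.keys(box);

  // Box plus the matching unsealer: access is amplified to payroll.read().
  const withMatching = hr.unseal(box).read();

  // Box plus the wrong unsealer: denied.
  let foreignRejected = false;
  try {
    audit.unseal(box);
  } catch (e) {
    foreignRejected = e instanceof TypeError;
  }

  return { boxAloneKeys, withMatching, foreignRejected };
}
```

Neither the box nor the unsealer grants anything by itself, which is the difference from a role that carries permissions on its own.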