[cap-talk] struggling to learn what techniques supplant passwords

David Wagner daw at cs.berkeley.edu
Wed Nov 2 00:46:42 PDT 2011

Dan Connolly  wrote:
> But after reading pretty much all of the Walnut book, Robust Composition,
> the Joe-E papers, etc. the closest thing I found to any specific suggestion
> as to what techniques supplant passwords [....]

I'm a pragmatist.  I believe you should use capabilities if they are
useful, and use other mechanisms where they are useful.

In this context, I see nothing wrong with a web service where users log in
using a username and password.  Pragmatically, I suspect username+password
based authentication is probably going to be the best solution in your

Authentication on the web is a hard problem.  There are tons of proposals
out there for authentication without passwords.  Some are promising,
but they all have various tradeoffs.  Capabilities folks don't have any
silver bullet here that cuts through the mess.  In my opinion, the utility
from capabilities is more likely to be felt in other areas (e.g., in how
you structure the web app code for least privilege, in enabling mashups),
rather than in magically solving the web authentication problem.

Some uses of capabilities in web applications that I have seen
suggested or proposed:

- Some folks have proposed using webkeys (URLs that are capabilities) as a
  way of enabling fine-grained mashups and delegation between web services.
  However, this may or may not be relevant to your patient portal; you
  may not have a need to support mashups or delegation.  If you don't have
  that problem, you don't need that solution.

- Some folks have proposed using webkeys as a login or authentication
  mechanism.  After creating an account, the system would give you a webkey
  (a secret URL) that you can bookmark.  Then to log in tomorrow, you
  click on the bookmark.  However, this model is not likely to be familiar
  to your users, so it may have some usability issues.  Also, it is not
  readily portable across computers, for users who access the website from
  multiple computers.  In addition, it is new and unusual, so adopting it
  is taking a bigger risk: if it turns out to be problematic, people will
  blame you, whereas no one gets blamed for deploying username+password
  based authentication.  (These are challenges for many alternative
  web authentication mechanisms; they are among the factors that keep
  usernames+passwords popular on the web today.)

Bottom line: Capabilities don't supplant passwords, not really, at
least not in today's world.

More information about the cap-talk mailing list