Mark S. Miller
Mon, 15 Nov 1999 11:52:31 -0800
At 07:20 AM 11/10/99 , Ralph Hartley wrote:
>You are making the logical error of assuming that because your
>notation can not express a difference that there is no difference.
Hi Ralph, I find it hard to imagine how you think I'm making that mistake.
On that very page I say:
>This unenforceable prohibition is the only case that ACLs can express but
>capabilities cannot. However, neither ACLs nor any force in the universe can
>prevent what is here prohibited, so this extra expressiveness only gives the
>users a false sense of security -- misleading them about what inabilities of
>the other players they may count on.
I think I'm pretty clear here that ACLs can express this & capabilities
cannot. I am not claiming that it's unenforceable *because* capabilities
cannot express it. Rather I'm saying that, *since* it's unenforceable, for
other reasons, it's fortunate that capabilities can't express it, and
unfortunate for ACLs that they can. It is a bug, not a feature, for a
security system to allow the expression of unenforceable prohibitions. The
resulting confusion makes everyone less safe.
Or did I misunderstand what error you think I'm making?
>There are two unstated assumptions that you appear to make.
> All communication is two way and continuous.
Not unstated at all. Part of the definition of this situation,
Communicating Conspirators, is "Bob and Mallet are properly in
communication". As opposed to Confinement
http://www.erights.org/elib/capability/confinement.html , for which the
corresponding part of the definition is "Mallet and Bob are not supposed to
be able to communicate." Perhaps you missed the orienting page
http://www.erights.org/elib/capability/delegations.html setting up and
distinguishing the four situations?
> All powers can be described as the ability to send or receive a
Within the electronic world, I see no alternative. I suspect this is where
our real disagreement lies.
>The first assumption is the less problematical one. Depending on how
>it is violated it can result in a great number of different cases
>which may or may not be describable in terms of capabilities, but it
>does not change the results of the question you pose.
Violating the first assumption -- by trying to prevent various kinds of
communication between Mallet and Bob -- does in fact have many cases, which
to my mind are the various cases of confinement. However, I have no ideas
whether the distinctions I would make among confinement cases maps at all to
the cases you have in mind. Since you agree it does not bear on the matter
at hand, we can defer this.
>The other assumption is more important. Consider the following
>Alice wishes to allow Bob, but not Mallet (who is in communication
>with Bob) to have sex with her. Unfortunately Bob's character may not
>be as good as she thinks; he could actually be working for Mallet who
>has designs on Alice.
If you are speaking of the physical world, sure. If Alice has the lights
on, she can tell with adequate probability who has walked into her bedroom.
Bob and Mallet between them do not have adequate technology for Bob to
enable Mallet to use his appearance and smell (or whatever other
authentication cues Alice uses) in order to allow Mallet to have sex with
Alice while Alice thinks it is Bob.
However, this isn't the physical world we are talking about here -- it is
the world inside of computation. The corresponding analogy might be phone
sex. Bob would be the handsome stupid fellow with the small nose. Mallet
would by Cyrano De Bergerac passing messages to Bob for Bob to read.
>Clearly the capability model has no way of dealing with, or even
>properly talking about, this situation. Fortunately ACLs can handle
ACLs can *express* this easily. I said this explicitly. My claim is that
this prohibition is unenforceable. Nothing has any way to handle it, but
ACLs have a way to pretend to handle it. In the electronic world, Alice
cannot authorize a person, she can only authorize computation supposedly
acting on behalf of that person. For purposes of this argument, we can even
drop the "supposedly".
In an ACL system, if she authorizes computation operating on behalf of Bob's
principle, and Bob's principle is not prevented from putting Bob in
communication with Mallet, then *how* can an ACLs system actually prevent
Bob from enabling Mallet to do whatever Alice enabled Bob's principle to do?
Until you explain *how* this proxying of access is preventable, in an ACL
system or any other system, you haven't challenged anything I said.
>I can easily think of numerous (though less graphic) situations where
>I might want to grant a non-transferable power. This is why the word
>"Non-transferable" appears in so many contracts. Contrary to common
>belief, lawyers are not paid to litigate meaningless distinctions
>(though sometimes they do).
I have no doubt that preventing delegation among communicating conspirators
is something many would want -- including myself! -- if one could find a
meaningful definition of some such thing that could actually be prevented.
If you have one, I'd be delighted. Please reread carefully my two
descriptions, of the allowed and of the prohibited situations. Since you
are claiming there is a meaningful distinction to be found -- in the
electronic world -- either you can explain to me why these two are not
equivalent, or you can offer alternate descriptions.
>Of course if powers are restricted to consist only of the ability to
>communicate, then there is no distinction since communication is
>transitive. But this restriction rules out a vast part, perhaps a
>majority of things that security is needed for.
Isn't it the case that whatever powers a computational entity has, it
exercises those powers by issuing some kind of invocation or command? Is
not that invocation or command described by information that is somehow
communicated to an underlying system that can bring it about? For example,
a process under an operating system exercises powers by performing a system
call. This communicates only information across the user/system boundary.
If Bob can exercise his authorized powers only by communicating information
to the operating system, why can't Mallet adequately instruct Bob also by
communicating only information to Bob? If Mallet can instruct -- only by
communicating information -- Bob to issue the invocation or command Mallet
is interested in, how is that different, for Mallet's purposes, from Mallet
issuing the invocation or command himself?
Of course, it's possible I've completely misunderstood you. If so, I hope
this message gives you enough understanding of my confusion that you can