Communicating Conspirators

hal@finney.org
Thu, 18 Nov 1999 16:39:33 -0800


Chip Morningstar, <chip@communities.com>, writes:
> However, these credentials now provide a handle for a more ACL-like system
> to grab hold of, to express security intentions that I can use automated
> means to avoid violating. So if somebody gives me a capability along with
> an admonition "don't give this to anyone else" or "don't give this to
> Fred" or "only give this to members of the Birmingham Lunar Society",
> they have the means to express their admonition and I would have the
> means to comply with it, assuming it is my wish to do so.

This seems related to the claim by Ralph Hartley that ACLs can do one
particular thing that capabilities can not.  If Alice has a capability to
Carol, she can permanently and irrevocably transfer it to Bob.  With ACLs
the best she can do is to proxy for Bob, making it impossible for her to
irrevocably transfer the authority to access Carol.

Therefore ACLs can disallow irrevocable delegation while capabilities
(by themselves) cannot.

It seems that fundamentally the reason this works is because ACL systems
assume the notion of identity.  Somehow when Alice connects to Carol in
an ACL system, there is a fundamental difference from when Bob connects.
It is impossible for Alice to transfer to Bob any sort of information
which would allow him to pretend to be her when he connects.
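The distinction drawn in the two paragraphs above can be made concrete in a toy model. The following is an added example, not code from the original post or from any of the systems discussed. It models a capability as an unforgeable object reference (holding it is the authority, so handing it over is an irrevocable transfer) and an ACL-guarded resource as one that authenticates the caller by challenge-response against a per-principal secret and then consults a list of names. The ACL world's identity assumption is modelled by keeping each principal's secret inside its own object, which is exactly the empirical assumption the post points out: nothing in the code stops a principal's owner from leaking it, the model simply assumes they don't. The names `Capability`, `Principal`, `AclGuard` and `Proxy` are mine, and the resource's data is a constructed sample value.

```python
import hashlib
import hmac
import secrets

SECRET_DATA = "carol's data"   # constructed sample payload held by Carol


class Capability:
    """Capability model: an unforgeable reference that confers authority on whoever
    holds it. Nothing about the holder is checked, so giving the object away
    transfers the authority, and the giver cannot take it back."""

    def __init__(self, data):
        self._data = data

    def read(self):
        return self._data


class Principal:
    """ACL-world principal. Identity is modelled as a secret that only this object's
    own code uses; the post's assumption is that revealing it is impossible or too
    costly, so Bob cannot obtain what he would need to pass as Alice."""

    def __init__(self, name):
        self.name = name
        self._secret = secrets.token_bytes(32)

    def respond(self, challenge):
        # Proof of identity: an HMAC over a fresh challenge. The secret never leaves.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

    def register_with(self, guard):
        # Enrolment: the guard (part of the TCB) learns the verification key once.
        guard.enrol(self.name, self._secret)


class AclGuard:
    """ACL model: the resource authenticates the caller, then checks the list."""

    def __init__(self, data, allowed):
        self._data = data
        self._keys = {}
        self._acl = set(allowed)

    def enrol(self, name, key):
        self._keys[name] = key

    def read(self, principal):
        key = self._keys.get(principal.name)
        if key is None:
            raise PermissionError("unknown principal")
        challenge = secrets.token_bytes(16)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(principal.respond(challenge), expected):
            raise PermissionError("authentication failed")
        if principal.name not in self._acl:
            raise PermissionError(f"{principal.name} not on ACL")
        return self._data


class Proxy:
    """The best Alice can do under an ACL: forward Bob's requests under her own
    identity. Every request passes through Alice, so she can stop at any time."""

    def __init__(self, owner, guard):
        self._owner = owner
        self._guard = guard
        self._active = True

    def revoke(self):
        self._active = False

    def read(self):
        if not self._active:
            raise PermissionError("delegation revoked")
        return self._guard.read(self._owner)


def capability_delegation():
    """Alice hands Bob her capability and forgets her own; Bob keeps the authority."""
    alice_cap = Capability(SECRET_DATA)
    bob_cap = alice_cap   # transfer: Bob now holds the same unforgeable reference
    alice_cap = None      # Alice drops hers; nothing she does now affects Bob
    return bob_cap.read()


def acl_delegation():
    """Alice proxies for Bob, then revokes, and Bob's access ends. Bob cannot
    instead claim Alice's name, because he lacks her secret."""
    guard = AclGuard(SECRET_DATA, allowed={"alice"})
    alice, bob = Principal("alice"), Principal("bob")
    alice.register_with(guard)
    bob.register_with(guard)
    proxy = Proxy(alice, guard)
    before = proxy.read()
    proxy.revoke()
    try:
        proxy.read()
        after = "still readable"
    except PermissionError:
        after = "revoked"
    impostor = Principal("alice")   # same name as Alice, different secret
    try:
        guard.read(impostor)
        impostor_result = "accepted"
    except PermissionError:
        impostor_result = "rejected"
    return before, after, impostor_result


if __name__ == "__main__":
    print("capability:", capability_delegation())
    print("acl:", acl_delegation())
```

In the capability branch the Python reference itself plays the role of the capability: once Bob's variable points at the object, Alice has no handle on his copy. In the ACL branch the only thing Alice can hand Bob is a `Proxy` that still authenticates as her on each call, which is why she retains the power to revoke, and why the model collapses the moment the per-principal secret can be copied.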

This may be because Alice uses a physical device, part of the TCB, which
uses biometric identification to make sure it is her.  Or perhaps she
merely has a secret which is somehow so costly to reveal that she would
never do so.

Chip seems to be suggesting that this assumption, which is fundamentally
an empirical one about what kind of devices and constraints exist in
the real world, can be brought into the capability model as well, via
credentials.  Whatever means Alice would have used to prove her identity
in the ACL world can be used to prove possession of a credential in the
capability model.

The problem seems to be that in practice, when dealing with remote access
across computer networks, it is difficult to enforce a strongly reliable
identity system.  Tamper-proof chips have been broken, time-based tokens
can be lent out, biometric readers can be hacked.  Certainly there are
situations where identity controls work, particularly when dealing with
human bodies and physical access to buildings or equipment.  But across
the net it is much more difficult to prevent identity transfer or theft.

Hal