[E-Lang] [EROS-Arch] Re: Interaction Design for End-User Security
Karp, Alan
alan_karp@hp.com
Tue, 10 Apr 2001 08:18:14 -0700
"Karp, Alan" <alan_karp@hp.com> writes:
> > >Revoking capabilities does require a proxy service, yes, and that
> > >proxy service can retain records of which proxies are created for
> > >whom.
> >
> > This approach doesn't sound scalable. Doesn't it require a proxy per
> > capability per process, at least in the most general case?
>
> It requires at least one proxy capability per capability per
> compartment. There could be any number of processes in a compartment.
>
> Each proxy capability should probably be implemented with a separate
> proxy.
>
So, all processes in the compartment have the same privileges. Isn't that
an issue for enforcing least privilege?
_________________________
Alan Karp
Principal Scientist
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp/
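The scheme the quoted exchange describes, as an added example that is not code from the thread or from EROS: a forwarding proxy is handed out in place of the underlying capability, one per capability per compartment, and the proxy service records who received which proxy so each can be revoked on its own. The class names `Capability`, `Proxy` and `ProxyService` are chosen here; every process in a compartment receives the same proxy, which is exactly the granularity the reply questions.

```python
from __future__ import annotations


class Revoked(Exception):
    """Raised when a revoked proxy is invoked."""


class Capability:
    """The underlying capability: holding the object is the authority."""
    def __init__(self, name: str):
        self.name = name

    def read(self) -> str:
        return f"contents of {self.name}"


class Proxy:
    """Forwards every call to the target until revoked; holds nothing else."""
    def __init__(self, target: object):
        self._target = target

    def __getattr__(self, attr: str):
        # Only reached for names not found on the proxy itself (e.g. "read").
        target = object.__getattribute__(self, "_target")
        if target is None:
            raise Revoked("capability has been revoked")
        return getattr(target, attr)

    def _revoke(self) -> None:
        self._target = None


class ProxyService:
    """Issues one proxy per (capability, compartment) and keeps the records."""
    def __init__(self):
        # Record of which proxy was created for whom: (capability id, compartment).
        self._records: dict[tuple[int, str], Proxy] = {}

    def issue(self, cap: object, compartment: str) -> Proxy:
        key = (id(cap), compartment)
        if key not in self._records:          # all processes in a compartment share it
            self._records[key] = Proxy(cap)
        return self._records[key]

    def revoke(self, cap: object, compartment: str) -> bool:
        proxy = self._records.pop((id(cap), compartment), None)
        if proxy is None:
            return False
        proxy._revoke()                       # other compartments' proxies keep working
        return True

    def holders(self, cap: object) -> list[str]:
        return sorted(c for (i, c) in self._records if i == id(cap))
```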