Chip Morningstar, <email@example.com>, writes:
> However, these credentials now provide a handle for a more ACL-like system
> to grab hold of, to express security intentions that I can use automated
> means to avoid violating. So if somebody gives me a capability along with
> an admonition "don't give this to anyone else" or "don't give this to
> Fred" or "only give this to members of the Birmingham Lunar Society",
> they have the means to express their admonition and I would have the
> means to comply with it, assuming it is my wish to do so.
This seems related to the claim by Ralph Hartley that ACLs can do one particular thing that capabilities cannot. If Alice has a capability to Carol, she can permanently and irrevocably transfer it to Bob. With ACLs the best she can do is to proxy for Bob, making it impossible for her to irrevocably transfer the authority to access Carol.
Therefore ACLs can disallow irrevocable delegation while capabilities (by themselves) cannot.
It seems that fundamentally the reason this works is because ACL systems assume the notion of identity. Somehow when Alice connects to Carol in an ACL system, there is a fundamental difference from when Bob connects. It is impossible for Alice to transfer to Bob any sort of information which would allow him to pretend to be her when he connects.
This may be because Alice uses a physical device, part of the TCB, which uses biometric identification to make sure it is her. Or perhaps she merely has a secret which is somehow so costly to reveal that she would never do so.
Chip seems to be suggesting that this assumption, which is fundamentally an empirical one about what kind of devices and constraints exist in the real world, can be brought into the capability model as well, via credentials. Whatever means Alice would have used to prove her identity in the ACL world can be used to prove possession of a credential in the capability model.
The problem seems to be that in practice, when dealing with remote access across computer networks, it is difficult to enforce a strongly reliable identity system. Tamper-proof chips have been broken, time-based tokens can be lent out, biometric readers can be hacked. Certainly there are situations where identity controls work, particularly when dealing with human bodies and physical access to buildings or equipment. But across the net it is much more difficult to prevent identity transfer or theft.
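The delegation difference argued above (irrevocable transfer of a capability versus proxying under an ACL, and the identity assumption the ACL side rests on) can be made concrete in a small model. The following is an added illustration, not code from the thread or from anyone on it; the class names, the `Caretaker` forwarder, and the use of a private Python object as a stand-in for an unforgeable identity token are all my own modelling choices. The token standing in for Alice's identity is exactly the empirical assumption the message points at: the model simply posits that Bob cannot copy it.

```python
# Toy model (added illustration, not from the original thread) of the
# capability-vs-ACL delegation difference. All names are made up.


def _try(call):
    """Return True if the call succeeds, False if access is refused."""
    try:
        call()
        return True
    except PermissionError:
        return False


class Carol:
    """The resource being accessed; records every successful use."""
    def __init__(self):
        self.log = []

    def use(self, note):
        self.log.append(note)
        return "ok"


# ---- Capability side: holding the reference IS the authority ----

class Caretaker:
    """Revocable forwarder: Alice keeps Carol and hands Bob only this object."""
    def __init__(self, target):
        self._target = target
        self._revoked = False

    def use(self, note):
        if self._revoked:
            raise PermissionError("caretaker revoked")
        return self._target.use(note)

    def revoke(self):
        self._revoked = True
        self._target = None


def capability_scenario():
    carol = Carol()
    # Option 1: Alice gives Bob the raw reference. Nothing she does later undoes this.
    bob_raw = carol
    # Option 2: Alice gives Bob a caretaker. She can revoke, but must stay in the loop.
    caretaker = Caretaker(carol)
    bob_proxied = caretaker

    bob_raw.use("raw")
    bob_proxied.use("proxied")
    caretaker.revoke()

    proxied_after = _try(lambda: bob_proxied.use("proxied-after-revoke"))
    raw_after = _try(lambda: bob_raw.use("raw-after-revoke"))
    return {
        "raw_survives_revocation": raw_after,        # True: transfer was irrevocable
        "proxied_survives_revocation": proxied_after,  # False: Alice cut Bob off
        "uses": list(carol.log),
    }


# ---- ACL side: the resource checks WHO is calling ----

class AclCarol:
    """Carol guarded by an ACL keyed on identity tokens.

    Modelling assumption (the thread's point): a token is unforgeable and
    cannot be handed to another principal, e.g. it lives in a TCB device.
    """
    def __init__(self, carol, allowed_tokens):
        self._carol = carol
        self._allowed = set(allowed_tokens)

    def use(self, token, note):
        if token not in self._allowed:
            raise PermissionError("not on ACL")
        return self._carol.use(note)


class AliceProxy:
    """The best Alice can do for Bob under an ACL: act on his behalf, revocably."""
    def __init__(self, acl_carol, alice_token):
        self._acl_carol = acl_carol
        self._token = alice_token  # never leaves Alice's own code
        self._revoked = False

    def use(self, note):
        if self._revoked:
            raise PermissionError("proxy revoked")
        return self._acl_carol.use(self._token, note)

    def revoke(self):
        self._revoked = True


def acl_scenario():
    carol = Carol()
    alice_token = object()  # stands in for Alice's TCB-held identity
    bob_token = object()
    guarded = AclCarol(carol, [alice_token])

    bob_direct = _try(lambda: guarded.use(bob_token, "bob-direct"))  # refused
    proxy = AliceProxy(guarded, alice_token)
    bob_via_proxy = _try(lambda: proxy.use("bob-via-alice"))       # allowed
    proxy.revoke()
    bob_after = _try(lambda: proxy.use("bob-after-revoke"))        # refused
    return {
        "bob_direct": bob_direct,
        "bob_via_proxy": bob_via_proxy,
        "bob_after_revoke": bob_after,
        "uses": list(carol.log),
    }
```

Running both scenarios shows the asymmetry: on the capability side the raw reference keeps working after the caretaker is revoked, so Alice's only way to retain control is to never hand out the raw reference; on the ACL side Bob has no path to Carol except through Alice's proxy, so revocation is always available to her. Everything on the ACL side hinges on `alice_token` being something Bob cannot obtain, which is precisely the assumption the message questions for remote access over a network.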