At 04:40 PM 3/6/00, Ron Rivest wrote:
>(3) Although we didn't discuss it in the reading group, I also had a minor
> nit with your comparison with SPKI (page 24 of your paper, first full
> paragraph). Delegation within SPKI is certainly enforceable, in that
> a reference monitor can check whether or not a given chain of
> certificates includes an impermissible delegation. The only thing that is
> not enforceable is that you can't prevent someone from giving away their
> private keys. This is more than delegation, it is abdication, and
> corresponds more closely to the problem you have with loss of a vat key.
It's not a minor nit at all; it's a central and crucial issue for evaluating how expressive capabilities are compared to other security architectures. Tyler gives a correct summary of our un-enforceability claim:
Tyler wrote:
>Since the certificate chain included the delegation, we can assume
>that the delegator of the right *wants* to grant that right to the
>delegatee. In this case, there is no way to prevent the delegator from
>forwarding messages received from the delegatee.
In the SPKI context, the messages Tyler refers to are neither SPKI certificates nor E messages, but simply whatever communication would have occurred between the SPKI-Subject exercising the right to use some resource and the verifier/host hosting the resource. Instead of communicating directly to the resource-host, the delegatee, Mallet in http://www.erights.org/elib/capability/conspire.html , communicates with a Message Laundry hosted by Bob. The message laundry then uses Bob's private key *only* for the purpose of relaying this communication to the resource-host as if it came from Bob. Since Bob can be sure the Message Laundry is using his key for only this purpose, Bob has delegated to Mallet only the authority he wishes to, rather than abdicating.
In the thread "Communicating Conspirators", rooted in http://www.eros-os.org/~majordomo/e-lang/1187.html, Ralph Hartley establishes that other security architectures, including some possible ACL systems, can enforce a subtle prohibition, having to do with delegation in the Communicating Conspirators scenario, that capabilities can neither express nor enforce: for Alice to prohibit Bob from delegating the power to Mallet in such a way that Bob does not have the ability to revoke that delegation. To put it another way, while one cannot construct a security architecture in which Alice can prevent Bob from delegating to his communicating conspirator Mallet, one can construct a security architecture in which Alice can prevent Bob from preventing Bob from preventing Mallet from continuing to use this power, even though Alice can't achieve this only with pure capabilities.
As with outward bit confinement, as an engineer I'm willing to give up on some theoretical possibilities if I feel their cost exceeds their value. Despite Ralph's demonstration of this subtle expressiveness gap of pure capabilities, E remains a pure capability architecture.
Cheers,
--MarkM
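The Message Laundry argument above, as an added example that is not part of the original message or of E: Bob's relay re-signs Mallet's requests with Bob's key for one resource-host only, the host cannot distinguish them from Bob's own traffic, Mallet never learns Bob's key, and Bob keeps the power to revoke by closing the relay. An HMAC stands in for the private-key signature; the class and function names are constructed for this example.

```python
import hmac
import hashlib


def sign(key, msg):
    # Stand-in for signing with a principal's private key (assumption: HMAC).
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class ResourceHost:
    """Verifier/host: accepts a request only if its tag verifies under a key
    it has authorised. It sees principals, not who is behind them."""

    def __init__(self):
        self.keys = {}   # principal name -> verification key
        self.log = []    # (principal, message) pairs the host accepted

    def authorize(self, name, key):
        self.keys[name] = key

    def handle(self, name, msg, tag):
        key = self.keys.get(name)
        if key is None or not hmac.compare_digest(tag, sign(key, msg)):
            return None  # unauthorised principal or bad tag: rejected
        self.log.append((name, msg))
        return "ok:" + msg


class MessageLaundry:
    """Bob's relay: forwards Mallet's messages under Bob's key, bound to one
    host, and only while Bob leaves the relay open (so Bob can revoke)."""

    def __init__(self, owner, key, host):
        self.owner, self.key, self.host = owner, key, host
        self.open = True

    def relay(self, msg):
        if not self.open:
            return None
        return self.host.handle(self.owner, msg, sign(self.key, msg))

    def revoke(self):
        self.open = False


def demo():
    host = ResourceHost()
    bob_key = b"bob-secret-key"          # constructed; never given to Mallet
    host.authorize("bob", bob_key)
    laundry = MessageLaundry("bob", bob_key, host)
    direct = host.handle("mallet", "read file", sign(b"mallet-key", "read file"))
    via_bob = laundry.relay("read file")  # host sees this as Bob's request
    laundry.revoke()                      # Bob withdraws the delegation
    after = laundry.relay("read file")
    return direct, via_bob, after, host.log
```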