[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: ACLs vs. Capabilities
At 11:22 3/1/96, Jueneman@gte.com wrote:
>>It seems to me that Carl Ellison is describing the capability model
>>of security while Bob Jueneman is assuming an Access Control List (ACL)
>>model of security.
>I'm not sure that Carl meant to
>limit his model to the capability-only view,
not necessarily, but it's a close approximation.
My model is actually very close to the one you describe as:
>The view you ascribed to me does describe a point of view that some withinthe
>ANSI X9F1 group had at one time (and perhaps some still do). They were
>assuming, as you said, a basic identity certificate that might be issued by
>some neutral CA, and then the organization that wanted to control some
>particular function (your basic library card model) would issue an attribute
>certificate that would refer back to the identity certificate and grant some
>additional right or capability.
My main departure from this model is that I do without the initial identity
certificate, relying instead on the stronger binding between a person and
his key that comes from proofs of his access to the private key. Instead
of referring back to an identity certificate, I refer back to the public
key which is a self-certificate, uniquely identifying a human being through
his actions. [That is, the naked PK does nothing to bind that PK to a dead
body in the morgue, while an identity certificate might do that.]
- Carl
+--------------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430 http://www.cybercash.com/ |
|2100 Reston Parkway PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091 Tel: (703) 620-4200 |
+--------------------------------------------------------------------------+