
Re: ACLs vs. Capabilities

At 11:22 3/1/96, Jueneman@gte.com wrote:
>>It seems to me that Carl Ellison is describing the capability model
>>of security while Bob Jueneman is assuming an Access Control List (ACL)
>>model of security.

>I'm not sure that Carl meant to
>limit his model to the capability-only view,

not necessarily, but it's a close approximation.

My model is actually very close to the one you describe as:

>The view you ascribed to me does describe a point of view that some within the
>ANSI X9F1 group had at one time (and perhaps some still do). They were
>assuming, as you said, a basic identity certificate that might be issued by
>some neutral CA, and then the organization that wanted to control some
>particular function (your basic library card model) would issue an attribute
>certificate that would refer back to the identity certificate and grant some
>additional right or capability.

My main departure from this model is that I do without the initial identity
certificate, relying instead on the stronger binding between a person and
his key that comes from proofs of his access to the private key.  Instead
of referring back to an identity certificate, I refer back to the public
key which is a self-certificate, uniquely identifying a human being through
his actions.  [That is, the naked PK does nothing to bind that PK to a dead
body in the morgue, while an identity certificate might do that.]

 - Carl

|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |
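
The key-centric model described in the message above, as an added example that is not part of the original message or of any ANSI X9F1 text: an issuer signs a grant that names a public key directly, and the verifier requires a fresh proof of access to the matching private key. The use of Ed25519, the `AttrCert` type, every function name and the right `borrow-books` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AttrCert (hypothetical): the issuer grants Right directly to a public key, no identity certificate.
type AttrCert struct {
	Subject ed25519.PublicKey
	Right   string
	Sig     []byte // issuer's signature over Subject || Right
}

func body(subject ed25519.PublicKey, right string) []byte {
	return append(append([]byte{}, subject...), right...)
}

// challenge tags the nonce so the holder never signs raw verifier-chosen bytes.
func challenge(nonce []byte) []byte {
	return append([]byte("proof-of-possession:"), nonce...)
}

func Issue(issuer ed25519.PrivateKey, subject ed25519.PublicKey, right string) AttrCert {
	return AttrCert{Subject: subject, Right: right, Sig: ed25519.Sign(issuer, body(subject, right))}
}

// Authorize needs the issuer's signature on the grant AND a signature by Subject's key over a fresh nonce.
func Authorize(issuerPub ed25519.PublicKey, c AttrCert, right string, nonce, proof []byte) bool {
	if len(c.Subject) != ed25519.PublicKeySize || c.Right != right {
		return false
	}
	return ed25519.Verify(issuerPub, body(c.Subject, c.Right), c.Sig) &&
		ed25519.Verify(c.Subject, challenge(nonce), proof)
}

// Demo uses constructed keys and reports the outcome for the key holder and for a different key.
func Demo() (holder, otherKey bool) {
	libPub, libPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := Issue(libPriv, holderPub, "borrow-books")
	nonce := make([]byte, 32)
	rand.Read(nonce)
	holder = Authorize(libPub, cert, "borrow-books", nonce, ed25519.Sign(holderPriv, challenge(nonce)))
	otherKey = Authorize(libPub, cert, "borrow-books", nonce, ed25519.Sign(otherPriv, challenge(nonce)))
	return
}

func main() { fmt.Println(Demo()) }
```

Nothing in the certificate names a person: presenting a copy of it is not enough, and only the party able to sign the verifier's nonce with the subject key is accepted.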