
Re: Java programs, etc.

>  [...] the only person who can really specify
> a "custom intersection program" should be the one who is actually
> the verifier at the end of the chain (i.e. the original authorizer).  
> Parties in the middle of the chain should not be able to do such a
> thing...
> 	Ron Rivest

In a discussion last year, Marv Schaefer presented the following
guidelines for capabilities models.  The questions seem almost
obvious, but when they can be answered in a simple way for an
authorization/delegation/capabilities system, then probably that
system is in good shape.  Especially: where do capabilities come
from, and who has capability-building authority?

-- Marianne

		Notes on Capabilities Model

Presented by Marv Schaefer on May 1st 1996 at the Java Security

[What you're proposing] Looks like a capability model.

 + Rights appear to be validated by presentation of a token,
   e.g. attachment of debugger to client via socket.

 + "ACLs" appear to bear rights of applet to classes, objects, files,
   hosts, etc.

So, questions are:

 + is possession of capability sufficient or is something else needed ?

 + where do capabilities come from ?

 + what has capability-building capability ?

 + how and when can capabilities be:
   - passed ?
   - stored ?
   - reused ?
   - augmented ?
   - attenuated ?
   - revoked ?

 + are capabilities inherited ?

 + are capabilities typesafe ? scrutable ? inscrutable ? to what ?

 + define "domain" ?
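As an added illustration (not part of the original thread or of any system discussed in it), a small model of the delegation chain Rivest describes: each party can only pass a link on, and the original authorizer, acting as the verifier at the end, recomputes the intersection of rights itself, so a party in the middle cannot widen what arrives, and revocation is likewise checked only there. The principal names, the shared key table and the HMAC link format are assumptions made for the demo.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed demo material: in a real system each principal holds only its
# own key and the verifier holds verification keys; one shared dict is an
# assumption that keeps the example offline.
KEYS = {"root": b"root-secret", "alice": b"alice-secret", "bob": b"bob-secret"}


@dataclass(frozen=True)
class Link:
    delegator: str
    delegatee: str
    rights: frozenset
    tag: bytes  # MAC by the delegator over (delegator, delegatee, rights)


def _mac(key: bytes, delegator: str, delegatee: str, rights: frozenset) -> bytes:
    msg = f"{delegator}>{delegatee}:{','.join(sorted(rights))}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def delegate(delegator: str, delegatee: str, rights) -> Link:
    """Delegator passes rights on to delegatee; it can only sign with its own key."""
    rights = frozenset(rights)
    return Link(delegator, delegatee, rights,
                _mac(KEYS[delegator], delegator, delegatee, rights))


def verify_chain(root: str, chain, revoked=frozenset()):
    """Run by the original authorizer. Returns (final holder, effective rights).

    The intersection is computed here, not by anyone in the middle: a link that
    lists more rights than its predecessor gains nothing, and a revoked link
    breaks the whole chain below it."""
    if not chain or chain[0].delegator != root:
        raise ValueError("chain must start at the original authorizer")
    holder, effective = root, None
    for link in chain:
        if link.delegator != holder or link.delegator not in KEYS:
            raise ValueError(f"{link.delegator} is not the current holder")
        if link in revoked:
            raise ValueError(f"link {link.delegator}->{link.delegatee} revoked")
        expected = _mac(KEYS[link.delegator], link.delegator, link.delegatee, link.rights)
        if not hmac.compare_digest(link.tag, expected):
            raise ValueError("forged or altered link")
        effective = link.rights if effective is None else effective & link.rights
        holder = link.delegatee
    return holder, effective
```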
