[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Java programs, etc.
> [...] the only person who can really specify
> a "custom intersection program" should be the one who is actually
> the verifier at the end of the chain (i.e. the original authorizer).
> Parties in the middle of the chain should not be able to do such a
> Ron Rivest
In a discussion last year, Marv Schaefer presented the following
guidelines for capabilities models. The questions seem almost
obvious, but when they can be answered in a simple way for an
authorization/delegation/capabilities system, then probably that
system is in good shape. Especially, where do capabilities they come
from, and who has capability-building authority?
Notes on Capabilities Model
Presented by Marv Schaefer on May 1st 1996 at the Java Security
[What you're proposing] Looks like a capability model.
+ Rights appear to be validated by presentation of a token,
e.g. attachment of debugger to client via socket.
+ "ACLs" appear to bear rights of applet to classes, objects, files,
So, questions are:
+ is posession of capability sufficient or is something else needed ?
+ where do capabilities come from ?
+ what has capability-building capability ?
+ how and when can capabilities be:
- passed ?
- stored ?
- reused ?
- augmented ?
- attenuated ?
- revoked ?
+ are capabilities inherited ?
+ are capabilities typesafe ? scrutable ? inscrutable ? to what ?
+ define "domain" ?