
Re: Rant on Capability Security [LONG]

At 08:58 AM 4/18/97 -0400, jar@ornl.gov wrote:
>I think you are missing some of the power of SPKI as I envision it. The
>is that there are lots of situations where authority is not mapped
>directly onto
>file (or device) access permissions. If the latter were adequate, the CMW
>solution probably covers most of your points.

I think I understand some of the power of SPKI as it has been evolving in
the last month, and it scares me.  I don't think I will be able to reason
correctly about the security relationships, particularly at 3AM while
fighting a fire.  I tried to keep my use of SPKI simple, and directly
mapped to capabilities, so I would be able to use my 25 years of experience
with capabilities to reason about the security relationships.  YMMV

>Instead, I see executable programs (single entities) that do different
>according to the certificates presented to it when it starts to run. My
>of remote access to online facilities is a good example. A grade-school
>might be able to view the output of an electron microscope, but not have
>to the focus controls. A researcher could do everything.

This approach maps well to different capabilities, each with different
authority over a single object.  In your example, the researcher would have
all the authorities, while the grade-school student would have only the
"view" authority.

Bill Frantz                                  Electric Communities
Capability Security Guru                     10101 De Anza Blvd.
frantz@communities.com                       Cupertino, CA 95014
408/342-9576                                 http://www.communities.com
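The split the message describes, one microscope object with a "view" authority held separately from the "focus" authority, as an added object-capability sketch in Python. This is not code from the thread, from SPKI, or from Electric Communities; the class and method names (Microscope, Capability, view, focus) are assumptions chosen to match the wording above.

```python
"""Object-capability sketch of the microscope example.

Added illustration; not code from the original thread, SPKI, or Electric
Communities. Names are assumptions chosen to match the message's wording.
"""


class Microscope:
    """The single object. Each method is one authority a holder may be granted."""

    def __init__(self):
        self._focus = 0
        self._frames = 0

    def view(self):
        """Return the next output frame, tagged with the current focus setting."""
        self._frames += 1
        return f"frame{self._frames}@focus{self._focus}"

    def focus(self, value):
        """Move the focus control; the authority a student should not hold."""
        self._focus = int(value)
        return self._focus


class Capability:
    """A reference to one object plus the subset of its methods the holder may call.

    Authority lives in which Capability you hold, not in who you are: the same
    Microscope sits behind both the researcher's and the student's capability.
    """

    def __init__(self, target, allowed):
        self._target = target
        self._allowed = frozenset(allowed)

    @property
    def authorities(self):
        return set(self._allowed)

    def invoke(self, method, *args):
        """Forward a call only if this capability carries that authority."""
        if method not in self._allowed:
            raise PermissionError(f"capability lacks authority {method!r}")
        return getattr(self._target, method)(*args)

    def attenuate(self, keep):
        """Derive a weaker capability: set intersection, so delegation never adds authority."""
        return Capability(self._target, self._allowed & frozenset(keep))


def make_microscope_caps():
    """Build the researcher's full capability and the student's view-only one."""
    scope = Microscope()
    researcher = Capability(scope, {"view", "focus"})
    student = researcher.attenuate({"view"})  # only "view" survives the handoff
    return researcher, student


def student_can_focus(cap):
    """Return True if the given capability reaches the focus control."""
    try:
        cap.invoke("focus", 5)
    except PermissionError:
        return False
    return True


def run_scenario():
    """Exercise both holders and report what each could do."""
    researcher, student = make_microscope_caps()
    researcher.invoke("focus", 3)                     # researcher adjusts focus
    seen_by_student = student.invoke("view")          # student sees the output
    asked_for_more = student.attenuate({"view", "focus"})  # cannot regain focus
    return {
        "researcher": sorted(researcher.authorities),
        "student": sorted(student.authorities),
        "student_view": seen_by_student,
        "student_focus": student_can_focus(student),
        "after_asking_for_more": sorted(asked_for_more.authorities),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point to check when reasoning about such a design is that the only operation on a capability which produces another capability is `attenuate`, and it intersects rather than unions, so no chain of handoffs can carry more authority than the capability it started from. Python does not enforce the encapsulation of `_target`; the sketch shows the model, and a real capability system relies on the language or runtime to make the reference unforgeable.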