Re: Rant on Capability Security [LONG]

Bill Frantz writes:
> I think I understand some of the power of SPKI as it has been evolving in
> the last month, and it scares me.  I don't think I will be able to reason
> correctly about the security relationships, particularly at 3AM while
> fighting a fire.  I tried to keep my use of SPKI simple, and directly
> mapped to capabilities, so I would be able to use my 25 years of experience
> with capabilities to reason about the security relationships.

I will point out that Matt Blaze was making repeated points at our
meeting in Memphis about assuring that we don't stumble down paths
that would make proofs of the properties of a certificate hard.

I suspect that we will likely end up having to go through a pass of
eliminating unneeded features that do things like making it difficult
to reason about security relationships or which make the system too
hard to implement.