<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Feb 11, 2015 at 10:03 AM, Nico Williams <span dir="ltr"><<a href="mailto:nico@cryptonector.com" target="_blank">nico@cryptonector.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Well, but capability tokens can be passed around, no?</blockquote><div><br></div><div>It depends!</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Impersonation happens to be a common mechanism. So now we need to express policy<br>
about who can be given authorization to do any particular thing to any<br>
particular resource, and this begins to resemble ACLs. And/or you can<br>
audit the state of a running system (which is difficult).</blockquote><div><br></div><div>Revocability and confinement are two popular topics with capabilities, and yes, there are many solutions (especially with Macaroons). I suggest reading Mark Miller's paper "Capability Myths Demolished":</div><div><br></div><div><a href="http://zesty.ca/capmyths/usenix.pdf" target="_blank">http://zesty.ca/capmyths/usenix.pdf</a><br></div><div><br></div><div>CapTP specifically supported "SturdyRefs" which are opaque (sealed) in distributed contexts:</div><div><br></div><div><a href="http://erights.org/elib/distrib/captp/SturdyRef.html" target="_blank">http://erights.org/elib/distrib/captp/SturdyRef.html</a><br></div><div><br></div><div>Macaroons specifically support "contextual confinement" that can bind them to mechanisms like TLS channel ID so they aren't transferrable.</div><div><br></div><div>Also there's a new IETF working group dedicated to confining bearer tokens:</div><div><br></div><div><a href="https://datatracker.ietf.org/wg/tokbind/charter/">https://datatracker.ietf.org/wg/tokbind/charter/</a><br></div><div><br></div></div>-- <br><div>Tony Arcieri<br></div>
</div></div>