[Cryptography] Do capabilities work? Do ACLs work?

Bill Frantz frantz at pwpconsult.com
Tue Feb 10 19:08:48 EST 2015


On 2/10/15 at 2:49 PM, leichter at lrw.com (Jerry Leichter) wrote:

>There's a more fundamental issue here:  As engineers, we try to 
>formalize everything.  But many human processes are not 
>amenable to formalization.  They involve tons of assumptions 
>about the way we interact.  If Bob doesn't drive directly to 
>Dave's but takes a 10-mile detour to get lunch, most people 
>would say that was well within the access Alice granted.  If he 
>takes it on a 500-mile drive, because he always wanted to tour 
>in a Porsche, clearly not.  If Bob brings along his friend Sam, 
>that's fine.  If Bob happens to be an Uber driver and takes 
>along a paying passenger ... not so much.
>
>The whole issue of authorization and who owes what to whom gets 
>to questions that legal systems have been trying to deal with 
>for thousands of years.  They have limited formalizations, but 
>still needed judges and juries to deal with the edge cases.

We shouldn't ask our computer systems to make these judgements 
any more than we ask our car keys to make them. What we can ask 
our computer systems to do is to track the responsibility for 
how the authorization was obtained and how it was used. Note 
that when our computer systems can keep these audit trails, they 
are doing better than our car keys.

...

>Imagine a world in which your car would not let you violate any 
>traffic law.  Do you think that would be workable?

Well, it seems to me that is what we have in our computer 
systems. They don't let people adapt the policies on the fly 
with an audit trail, which would be a lot better for most 
businesses. Just imagine, "No Mr. CEO, we can't give you 
legitimate access to that file so you can prepare your report to 
the board tomorrow. The sysadmin has gone home. But here, use my 
account."


>... In some ways, capabilities are *worse* - without 
>significant help from the system, the kinds of questions we 
>regularly ask - who could have read the file? - cannot be 
>answered.  We as human beings are really bad at following 
>chains of relationships.

Using capabilities to track the chain of responsibility is a 
good way of tracking the chain of authority. See Miller, 
Donnelley, and Karp, "Delegating Responsibility in Digital Systems:
Horton’s “Who Done It?”" 
<https://www.usenix.org/legacy/event/hotsec07/tech/full_papers/miller/miller.pdf>. 
The basic idea is to build a new capability to the object being 
audited tagged with the identity of the object getting the 
authority and pass that new capability to the second object. 
This pattern is an example of using capability patterns. Note 
that here you can get the entire delegation chain at the level 
of identified objects. Getting that kind of information from ACL 
systems is, at best, much harder.


>... Stuff was controlled at a broad level, with dual controls 
>for particularly valuable assets and - returning to the message 
>to which I'm responding - auditing to catch violations.  That's 
>a much better model than what we typically try to build these days.

I think we're on the same page.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | I like the farmers' market   | Periwinkle
(408)356-8506      | because I can get fruits and | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, CA 95032
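As an added illustration of the Horton-style delegation tracking discussed in the message above (this is example code, not from the Miller/Donnelley/Karp paper or from the post), the sketch below mints a fresh capability tagged with the recipient's identity on every delegation and logs each use together with the full chain, so the object's owner can later answer "who could have driven the car?" at the level of identified parties. The `Car` object, the names and the `AUDIT_LOG` structure are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Any, List, Tuple

# Constructed audit log: one entry per invocation, (operation, delegation chain).
AUDIT_LOG: List[Tuple[str, Tuple[str, ...]]] = []


@dataclass(frozen=True)
class Capability:
    """Reference to a target object plus the chain of identities the
    authority has passed through. The holder never sees the raw target,
    so the only way to use or share the authority is via this wrapper."""
    _target: Any = field(repr=False)
    chain: Tuple[str, ...]

    def delegate(self, recipient: str) -> "Capability":
        # Horton step: build a new capability to the same object, tagged
        # with the identity of the party being granted the authority.
        return Capability(self._target, self.chain + (recipient,))

    def invoke(self, op: str, *args: Any) -> Any:
        # Every use is recorded with the complete delegation chain, which
        # is the information an ACL system cannot easily reconstruct.
        AUDIT_LOG.append((op, self.chain))
        return getattr(self._target, op)(*args)


class Car:
    """Constructed target object standing in for the car in the thread."""
    def __init__(self, plate: str) -> None:
        self.plate = plate
        self.miles = 0

    def drive(self, miles: int) -> int:
        self.miles += miles
        return self.miles


def who_used(log: List[Tuple[str, Tuple[str, ...]]], op: str = None) -> list:
    """Distinct delegation chains that exercised `op` (or any op if None)."""
    return sorted({chain for (o, chain) in log if op is None or o == op})


def demo() -> list:
    AUDIT_LOG.clear()
    alice_key = Capability(Car("CAR-1"), ("Alice",))   # Alice holds the original key
    bob_key = alice_key.delegate("Bob")                 # Alice lends it to Bob
    sam_key = bob_key.delegate("Sam")                   # Bob passes it on to Sam
    bob_key.invoke("drive", 10)                         # the lunch detour
    sam_key.invoke("drive", 500)                        # the Porsche tour
    return who_used(AUDIT_LOG, "drive")
```

Running `demo()` yields `[("Alice", "Bob"), ("Alice", "Bob", "Sam")]`: the system does not judge whether the 500-mile drive was within what Alice intended, but it does record exactly through whom that authority flowed.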
