[Cryptography] Do capabilities work? Do ACLs work?
Bill Frantz
frantz at pwpconsult.com
Tue Feb 10 19:08:48 EST 2015
On 2/10/15 at 2:49 PM, leichter at lrw.com (Jerry Leichter) wrote:
>There's a more fundamental issue here: As engineers, we try to
>formalize everything. But many human processes are not
>amenable to formalization. They involve tons of assumptions
>about the way we interact. If Bob doesn't drive directly to
>Dave's but takes a 10-mile detour to get lunch, most people
>would say that was well within the access Alice granted. If he
>takes it on a 500-mile drive, because he always wanted to tour
>in a Porsche, clearly not. If Bob brings along his friend Sam,
>that's fine. If Bob happens to be an Uber driver and takes
>along a paying passenger ... not so much.
>
>The whole issue of authorization and who owes what to whom gets
>to questions that legal systems have been trying to deal with
>for thousands of years. They have limited formalizations, but
>still needed judges and juries to deal with the edge cases.
We shouldn't ask our computer systems to make these judgements
any more than we ask our car keys to make them. What we can ask
our computer systems to do is to track the responsibility for
how the authorization was obtained and how it was used. Note
that when our computer systems can keep these audit trails, they
are doing better than our car keys.
...
>Imagine a world in which your car would not let you violate any
>traffic law. Do you think that would be workable?
Well, it seems to me that is what we have in our computer
systems. They don't let people adapt the policies on the fly
with an audit trail, which would be a lot better for most
businesses. Just imagine, "No Mr. CEO, we can't give you
legitimate access to that file so you can prepare your report to
the board tomorrow. The sysadmin has gone home. But here, use my account."
>... In some ways, capabilities are *worse* - without
>significant help from the system, the kinds of questions we
>regularly ask - who could have read the file? - cannot be
>answered. We as human beings are really bad at following
>chains of relationships.
Using capabilities to track the chain of responsibility is a
good way of tracking the chain of authority. See Miller,
Donnelley, and Karp, "Delegating Responsibility in Digital Systems:
Horton’s “Who Done It?”"
<https://www.usenix.org/legacy/event/hotsec07/tech/full_papers/miller/miller.pdf>.
The basic idea is to build a new capability to the object being
audited tagged with the identity of the object getting the
authority and pass that new capability to the second object.
This pattern is an example of using capability patterns. Note
that here you can get the entire delegation chain at the level
of identified objects. Getting that kind of information from ACL
systems is, at best, much harder.
>... Stuff was controlled at a broad level, with dual controls
>for particularly valuable assets and - returning to the message
>to which I'm responding - auditing to catch violations. That's
>a much better model than what we typically try to build these days.
I think we're on the same page.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz        | I like the farmers' market   | Periwinkle
(408)356-8506      | because I can get fruits and | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, CA 95032
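An added illustration of the pattern the post describes (the capability-tagging idea attributed to Miller, Donnelley and Karp, and the audit-trail point earlier in the reply), as a toy model in Python. This is not code from the post, from the paper, or from any capability system; the Horton protocol itself is more involved. Every hand-off mints a fresh capability at the protected object, tagged with the recipient's identity and linked to the capability it was derived from, so the object can answer both "who could have read this?" and "who actually did, and through whom?" The class and method names (`Resource`, `Capability`, `grant`, `delegate`, `who_could_read`, `who_did_read`) and the Alice/Bob/Dave/Sam scenario are constructed for the example.

```python
# Added illustration (not from the post or the Horton paper): a toy
# delegation chain where every hand-off mints a fresh capability tagged with
# the recipient, so the object can answer "who could read?" and "who did?".
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Chain = Tuple[str, ...]  # identities from the original grantor to the current holder


class Resource:
    """The protected object (e.g. the car). It keeps two audit trails:
    every delegation it has minted a capability for, and every access
    made through one. Names and methods are hypothetical."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.issued: List[Chain] = []     # chains that hold authority
        self.accesses: List[Chain] = []   # chains actually used to read

    def _mint(self, holder: str, parent: Optional["Capability"]) -> "Capability":
        cap = Capability(self, holder, parent)
        self.issued.append(cap.chain())
        return cap

    def grant(self, holder: str) -> "Capability":
        """Root grant by the object's owner; starts a one-element chain."""
        return self._mint(holder, None)

    def read(self, cap: "Capability") -> str:
        # The use is logged together with the whole delegation chain behind it.
        self.accesses.append(cap.chain())
        return f"<contents of {self.name}>"

    def who_could_read(self) -> Set[str]:
        """Every identity that holds a capability to this object (no revocation modelled)."""
        return {chain[-1] for chain in self.issued}

    def who_did_read(self) -> List[Chain]:
        """Each access, with the chain of responsibility that led to it."""
        return list(self.accesses)


@dataclass(frozen=True)
class Capability:
    """An unforgeable-by-convention reference: in a real capability system
    holders could not construct one of these themselves; here the frozen
    dataclass only prevents accidental tampering."""
    target: Resource
    holder: str
    parent: Optional["Capability"]

    def delegate(self, recipient: str) -> "Capability":
        # Delegation does not hand over this object; it asks the target to
        # mint a new capability whose chain ends in the recipient.
        return self.target._mint(recipient, self)

    def chain(self) -> Chain:
        cap, out = self, []
        while cap is not None:
            out.append(cap.holder)
            cap = cap.parent
        return tuple(reversed(out))

    def read(self) -> str:
        return self.target.read(self)


def scenario() -> Resource:
    """Constructed scenario mirroring the thread: Alice grants Bob, Bob passes
    the key on to Dave, who uses it; Bob's friend Sam is granted but never reads."""
    car = Resource("alice-car")
    alice = car.grant("alice")
    bob = alice.delegate("bob")
    dave = bob.delegate("dave")
    bob.delegate("sam")
    dave.read()
    return car


if __name__ == "__main__":
    car = scenario()
    print("could read:", sorted(car.who_could_read()))
    print("did read:", car.who_did_read())
```

The point of the design is that a holder never gets a reference to the raw `Resource`, only a `Capability` whose chain the resource itself recorded when it was minted; that is what makes the delegation chain recoverable "at the level of identified objects", whereas an ACL that simply lists principals has no record of who passed authority to whom. Python cannot make the `Capability` constructor unreachable, so the unforgeability is by convention here; a real capability system enforces it.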