[Cryptography] Do capabilities work? Do ACLs work?

Tony Arcieri bascule at gmail.com
Tue Feb 10 22:35:05 EST 2015


On Tue, Feb 10, 2015 at 2:49 PM, Jerry Leichter <leichter at lrw.com> wrote:

> Yes, we need more powerful ways to describe policies (and, more generally,
> business practices).  Yes, even more, we need ways to make the policies and
> practices we formalize comprehensible to and manipulable by human beings in
> a useful way.  (I can guarantee you that any organization that uses more
> than a couple of trivial ACL's cannot answer pretty simple questions about
> who has access to what resources.  In some ways, capabilities are *worse* -
> without significant help from the system, the kinds of questions we
> regularly ask - who could have read the file? - cannot be answered.  We as
> human beings are really bad at following chains of relationships.  This
> shows up for ACL's when you start nesting them - or worrying about what
> someone with Control access might be able to do.  For capabilities,
> "portability" is exactly the point, so you hit this much sooner and much
> more pervasively.)


As someone who reasons about ambient authority systems all day, they're
terrible. Exactly as you describe, you end up following chains of nested
relationships, and they come at you from two directions:

- The person: what groups do they belong to?
- The resource: what groups are allowed to do what?

From this we end up with many-to-many relationships between people and
resources with nested ACLs as the indirection mechanism, and if there is
any path through this graph we can follow which connects the two, the
action is authorized. This makes reasoning about authority in complex
systems extremely complicated, to the point that people start building
logic languages to describe constraints around what sort of connections in
these sorts of access control graphs are allowable by policy.

In a properly designed capability system, you should simply be able to ask
what authority a given user has over a given resource. If they have the
capability they have it. If they don't they don't. The entire messy
indirection of ambient authority systems is eliminated.

-- 
Tony Arcieri
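As an added illustration of the two models the post contrasts (example code written for this page, not code from the original thread or its authors), the block below builds a small nested-group ACL system where "is this allowed?" is a reachability question over the membership graph, and beside it a capability system where the same question is a direct lookup of what the principal holds. All principals, groups, resources and grants (alice, eng, payroll.csv, ...) are constructed sample data.

```python
"""ACL reachability versus capability lookup (constructed example)."""
from collections import deque
from dataclasses import dataclass

# --- Ambient-authority / ACL side ---------------------------------------
# Membership graph: principal or group -> groups it directly belongs to.
# Nesting is deliberate: "eng" and "ops" are themselves members of "staff".
MEMBERSHIP = {
    "alice": {"eng"},
    "bob": {"ops"},
    "carol": {"contractors"},
    "eng": {"staff"},
    "ops": {"staff", "oncall"},
    "contractors": set(),
}
PRINCIPALS = {"alice", "bob", "carol"}

# Resource ACLs: resource -> {subject: permitted actions}.
ACLS = {
    "payroll.csv": {"oncall": {"read"}, "hr": {"read", "write"}},
    "src/": {"staff": {"read"}, "eng": {"read", "write"}},
}


def effective_groups(principal):
    """Transitive closure of group membership (BFS over the nesting graph)."""
    seen = set()
    queue = deque([principal])
    while queue:
        node = queue.popleft()
        for group in MEMBERSHIP.get(node, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def acl_allows(principal, resource, action):
    """Authorized if ANY path principal -> ... -> group hits an ACL entry."""
    entries = ACLS.get(resource, {})
    subjects = {principal} | effective_groups(principal)
    return any(action in entries.get(s, set()) for s in subjects)


def acl_who_can(resource, action):
    """'Who could have read the file?' has no direct answer in this model:
    every principal's membership graph must be walked against every entry."""
    return sorted(p for p in PRINCIPALS if acl_allows(p, resource, action))


# --- Capability side ----------------------------------------------------
@dataclass(frozen=True)
class Capability:
    """A capability names one resource and the actions it authorizes.
    Real systems make these unforgeable (object references, signed tokens);
    here a plain value stands in for that."""
    resource: str
    actions: frozenset


HELD = {
    "alice": {Capability("src/", frozenset({"read", "write"}))},
    "bob": {Capability("payroll.csv", frozenset({"read"})),
            Capability("src/", frozenset({"read"}))},
    "carol": set(),
}


def cap_allows(principal, resource, action):
    """No graph walk: the principal either holds a matching capability or not."""
    return any(c.resource == resource and action in c.actions
               for c in HELD.get(principal, ()))


def delegate(giver, receiver, resource):
    """Capabilities are portable: the giver hands copies to the receiver.
    Returns the number of capabilities transferred."""
    moved = {c for c in HELD.get(giver, ()) if c.resource == resource}
    HELD.setdefault(receiver, set()).update(moved)
    return len(moved)


def cap_who_can(resource, action):
    """Answerable only because HELD records every holder; each check is a
    direct lookup rather than a path search through nested groups."""
    return sorted(p for p in HELD if cap_allows(p, resource, action))


if __name__ == "__main__":
    print("ACL  readers of payroll.csv:", acl_who_can("payroll.csv", "read"))
    print("CAP  readers of payroll.csv:", cap_who_can("payroll.csv", "read"))
    delegate("bob", "carol", "payroll.csv")
    print("CAP  readers after delegation:", cap_who_can("payroll.csv", "read"))
```

Running it shows the asymmetry the post describes: `acl_allows` has to compute a closure over the membership graph before it can even look at the ACL, whereas `cap_allows` inspects one principal's holdings. The `delegate` helper is where the "portability" concern from the quoted reply shows up: the who-can question stays answerable only as long as the system keeps a record of every transfer.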