[Cryptography] Do capabilities work? Do ACLs work?

Nico Williams nico at cryptonector.com
Wed Feb 11 13:03:55 EST 2015


On Tue, Feb 10, 2015 at 07:35:05PM -0800, Tony Arcieri wrote:
> As someone who reasons about ambient authority systems all day, they're
> terrible. Exactly as you describe, you end up following chains of nested
> relationships, and they come at you from two directions:
> 
> - The person: what groups do they belong to?
> - The resource: what groups are allowed to do what?
> 
> From this we end up with many-to-many relationships between people and
> resources with nested ACLs as the indirection mechanism, and if there is
> any path through this graph we can follow which connects the two, the
> action is authorized. This makes reasoning about authority in complex
> systems extremely complicated, to the point that people start building
> logic languages to describe constraints around what sort of connections in
> these sorts of access control graphs are allowable by policy.

Yes, this is a problem.  Authorization information has to be possible to
aggregate in semantically meaningful ways to be useful for answering
meaningful questions such as "what can this employee do?".

This tends to argue for adding coarse-grained authorization (without
removing fine-grained authorization).

Transitivity isn't the problem so much as that traditional ACLs and user
grouping mechanisms don't express semantics of interest such as "this is
a group of direct reports for some team/sub-team" and "delegate granting
authority to team X manager(s)".  That and the aggregation problem
mentioned above.

> In a properly designed capability system, you should simply be able to ask
> what authority a given user has over a given resource. If they have the
> capability they have it. If they don't they don't. The entire messy
> indirection of ambient authority systems is eliminated.

Well, but capability tokens can be passed around, no?  Impersonation
happens to be a common mechanism.  So now we need to express policy
about who can be given authorization to do any particular thing to any
particular resource, and this begins to resemble ACLs.  And/or you can
audit the state of a running system (which is difficult).

Nico
-- 
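A toy model of the two styles argued over above, added here as an example and not part of either Nico's or Tony's message. Every user, group, resource and action name is constructed sample data. The ACL side answers "what can this employee do?" only by walking the nested group graph to a fixpoint; the capability side answers it with a direct lookup, but as soon as tokens can be handed on, a delegation policy (here a hypothetical `policy` callable) and an audit trail of who passed what to whom have to be bolted on, which is the point Nico makes about capabilities starting to resemble ACLs.

```python
"""Added example: ambient-authority ACLs vs. capabilities with delegation.

All names below (users, groups, resources, actions) are constructed.
"""
from collections import deque

# --- Ambient-authority / ACL model -----------------------------------------
# Nested group membership: principal -> groups it belongs to directly.
GROUPS = {
    "alice": {"eng-team-a"},
    "bob": {"eng-team-b"},
    "eng-team-a": {"engineering"},
    "eng-team-b": {"engineering"},
    "engineering": {"staff"},
    "carol": {"finance"},
    "finance": {"staff"},
}

# Resource ACLs: resource -> action -> principals (users or groups) allowed.
ACLS = {
    "repo": {"read": {"engineering"}, "push": {"eng-team-a"}},
    "payroll": {"read": {"finance"}, "write": {"carol"}},
    "wiki": {"read": {"staff"}},
}


def effective_principals(user):
    """Transitive closure of group membership: BFS over the nesting graph."""
    seen = {user}
    queue = deque([user])
    while queue:
        p = queue.popleft()
        for g in GROUPS.get(p, ()):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen


def acl_authorized(user, resource, action):
    """Authorized iff some path through the group graph reaches an ACL entry."""
    allowed = ACLS.get(resource, {}).get(action, set())
    return not allowed.isdisjoint(effective_principals(user))


def acl_what_can(user):
    """'What can this employee do?' requires scanning every ACL entry."""
    principals = effective_principals(user)
    return sorted((res, act) for res, acts in ACLS.items()
                  for act, who in acts.items() if not who.isdisjoint(principals))


# --- Capability model -------------------------------------------------------
class CapabilityStore:
    """Tokens name (resource, action); the authorization check is a lookup."""

    def __init__(self):
        self.held = {}          # holder -> set of (resource, action)
        self.delegations = []   # (giver, receiver, resource, action) records

    def grant(self, holder, resource, action):
        self.held.setdefault(holder, set()).add((resource, action))

    def authorized(self, holder, resource, action):
        return (resource, action) in self.held.get(holder, set())

    def delegate(self, giver, receiver, resource, action, policy):
        """Pass a token on. `policy` (hypothetical) decides whether the
        hand-off is allowed: this is the ACL-like layer that creeps back in."""
        if not self.authorized(giver, resource, action):
            raise PermissionError(f"{giver} does not hold {(resource, action)}")
        if not policy(giver, receiver, resource, action):
            raise PermissionError("delegation refused by policy")
        self.grant(receiver, resource, action)
        self.delegations.append((giver, receiver, resource, action))

    def audit_chain(self, holder, resource, action):
        """Reconstruct how `holder` came to hold a token from delegation records."""
        chain = [holder]
        while True:
            givers = [g for g, r, res, act in self.delegations
                      if r == chain[-1] and (res, act) == (resource, action)]
            if not givers or givers[0] in chain:   # root grant, or a cycle
                return chain
            chain.append(givers[0])


def engineering_only(giver, receiver, resource, action):
    """Sample delegation policy: receiver must be (transitively) in engineering.
    Note it has to consult the very group graph the capability model avoided."""
    return "engineering" in effective_principals(receiver)


if __name__ == "__main__":
    print("alice can:", acl_what_can("alice"))
    store = CapabilityStore()
    store.grant("alice", "repo", "push")
    store.delegate("alice", "bob", "repo", "push", engineering_only)
    print("bob holds repo/push via:", store.audit_chain("bob", "repo", "push"))
```

Run it directly to see the ACL aggregation for `alice` and the delegation chain that an auditor of the capability system would have to reconstruct; swapping in a different `policy` callable shows how much of the original group structure ends up encoded there anyway.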

