[Cryptography] Do capabilities work? Do ACLs work?

Tony Arcieri bascule at gmail.com
Wed Feb 11 14:06:00 EST 2015


On Wed, Feb 11, 2015 at 10:03 AM, Nico Williams <nico at cryptonector.com>
wrote:

> Well, but capability tokens can be passed around, no?


It depends!


> Impersonation happens to be a common mechanism.  So now we need to express
> policy about who can be given authorization to do any particular thing to
> any particular resource, and this begins to resemble ACLs.  And/or you can
> audit the state of a running system (which is difficult).


Revocability and confinement are two popular topics with capabilities, and
yes, there are many solutions (especially with Macaroons). I suggest
reading Mark Miller's paper "Capability Myths Demolished":

http://zesty.ca/capmyths/usenix.pdf

CapTP specifically supported "SturdyRefs" which are opaque (sealed) in
distributed contexts:

http://erights.org/elib/distrib/captp/SturdyRef.html

Macaroons specifically support "contextual confinement" that can bind them
to mechanisms like TLS channel ID so they aren't transferable.

Also there's a new IETF working group dedicated to confining bearer tokens:

https://datatracker.ietf.org/wg/tokbind/charter/

-- 
Tony Arcieri
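
The contextual confinement mentioned in the message above, as an added example (not part of the original message and not the API of any Macaroons library): a token built as an HMAC chain, attenuated with a caveat that ties it to one channel identifier, then checked on the right channel, on a different channel, and with the caveat stripped. The `channel_id = <sha256 hex>` caveat syntax, the function names, the key and the channel identifiers are all assumptions constructed for illustration.

```python
import hashlib
import hmac

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mint(root_key: bytes, identifier: bytes) -> dict:
    # The service keeps root_key; the holder only ever sees the chained signature.
    return {"id": identifier, "caveats": [], "sig": _mac(root_key, identifier)}

def attenuate(token: dict, caveat: bytes) -> dict:
    # new_sig = HMAC(old_sig, caveat); old_sig is dropped, so a caveat cannot be stripped.
    return {"id": token["id"], "caveats": token["caveats"] + [caveat],
            "sig": _mac(token["sig"], caveat)}

def bind_to_channel(token: dict, channel_id: bytes) -> dict:
    # Hypothetical caveat syntax "channel_id = <sha256 hex>" (assumption).
    digest = hashlib.sha256(channel_id).hexdigest().encode()
    return attenuate(token, b"channel_id = " + digest)

def caveat_holds(caveat: bytes, observed_channel_id: bytes) -> bool:
    key, sep, value = caveat.partition(b" = ")
    if sep and key == b"channel_id":
        expected = hashlib.sha256(observed_channel_id).hexdigest().encode()
        return hmac.compare_digest(value, expected)
    return False  # fail closed on caveats this verifier does not understand

def verify(root_key: bytes, token: dict, observed_channel_id: bytes) -> bool:
    # Recompute the HMAC chain from the root key and check every caveat
    # against the channel the request actually arrived on.
    sig = _mac(root_key, token["id"])
    for caveat in token["caveats"]:
        if not caveat_holds(caveat, observed_channel_id):
            return False
        sig = _mac(sig, caveat)
    return hmac.compare_digest(sig, token["sig"])

# Constructed sample values, for illustration only.
ROOT_KEY = b"\x01" * 32
ALICE_CHANNEL = b"constructed-channel-id-alice"
OTHER_CHANNEL = b"constructed-channel-id-other"
bearer = mint(ROOT_KEY, b"read:/reports")          # plain bearer token
bound = bind_to_channel(bearer, ALICE_CHANNEL)     # confined to one channel
stripped = {"id": bound["id"], "caveats": [], "sig": bound["sig"]}

if __name__ == "__main__":
    print(verify(ROOT_KEY, bound, ALICE_CHANNEL),     # True: presented on its own channel
          verify(ROOT_KEY, bound, OTHER_CHANNEL),     # False: replayed on another channel
          verify(ROOT_KEY, stripped, OTHER_CHANNEL))  # False: caveat removed, chain breaks
```

The unbound `bearer` token verifies on any channel, which is the transferability the quoted question asks about; the bound copy does not.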