[Cryptography] Do capabilities work? Do ACLs work?

Ben Laurie ben at links.org
Sun Feb 15 13:35:19 EST 2015


On 10 February 2015 at 12:52, ianG <iang at iang.org> wrote:
> On 10/02/2015 04:59 am, Ben Laurie wrote:
>
>> As Bill points out, this is exactly the point of capability systems (he
>> didn't say it, but it is what he meant). A long time ago we had a choice
>> between ACLs and capabilities, and we chose the wrong thing.
>>
>> Capability systems do exist, but we also have a lot of ACL-based
>> engineering to fix in order to properly use them.
>
>
>
> Having watched/worked with capability ideas for a while, I'm of the opinion
> they don't work as well in practice as the theoretical pundits would have
> it.
>
> Also, the users continue to demand ACLs.
>
> So my current view is that what is needed is a hybrid.  At a limited sense
> one can see this with expiries:  a cap with a time limit on it is a cap with
> a "control" on it.
>
> In a more developed sense, my software has lots of caps running around, but
> servers that serve those caps also look at who's asking.  E.g., when Bob
> looks at Alice's photo, the server only grants it if Bob is in Alice's A
> list.
>
> This certainly makes for more complicated software.  But when the judge
> asks, it's much easier to say "only Bob could have seen the photo" than
> anyone with a cap...

Tut tut - no threat model?

When you say "work" my immediate question is: for what?

You talk about access to photos. I suspect you are right (having had
this debate many times) that users (think they) want ACLs. But they
are not without their problems when you start thinking about more
complex artefacts. For example, what about a document that includes
(by reference) a photo. ACLs become annoying/difficult to understand -
now some people can see the photo and some can't. Or when I change the
doc ACL do I mean to change the photo ACL, too? Probably not (consider
removing someone's access from the doc who previously had access to
the photo, for example). Capabilities may not be as easy to understand
for this case, but perhaps they work better.

But how about the other use of ACLs, namely on my own computer. In
this setting ACLs make no sense at all - there is only one user: me.
What I really want from the system, whatever it is, is to protect me
from all the evil s/w I am running. ACLs are a pretty poor fit for
that purpose, and in many cases caps + designation-is-authorisation
make far more sense and are much easier to deal with.

The latter case strikes me as far more clear-cut than the former.

Plus, as someone said earlier, Macaroons, which combine identification
and delegation with traditional cap ideas, may be the best of both
worlds.

>
>
>
> iang
>
> ps; a capability in the sense I mean above is implemented by an object which
> is hashed canonically and stored somewhere on the net.  If you have the
> hash, you can ask the store to reveal it.

This is one way to implement capabilities for one possible use of
them, but hardly comprehensive.
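The hybrid described in this exchange (a cap that also carries an expiry and an "is Bob on Alice's list" check) is exactly what a macaroon with first-party caveats gives you, and the thread's Macaroons remark leaves the mechanism implicit. The following is an added, stdlib-only toy of the macaroon construction (Birgisson et al., NDSS 2014); it is not code from the list, from either poster, or from any macaroon library. The service root key, the photo identifier, the caveat grammar (`user = …`, `op = …`, `expires = …`) and the timestamps are all constructed for the example.

```python
"""Minimal macaroon-style capability with first-party caveats (toy, stdlib only).

Construction (Birgisson et al., "Macaroons", NDSS 2014):
  sig_0 = HMAC(root_key, identifier)
  sig_i = HMAC(sig_{i-1}, caveat_i)
Anyone holding a macaroon can append a caveat (attenuate / delegate) without
the root key; only the minting service, which holds the root key, can verify
the chain. Caveat grammar below is an assumption made for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class Macaroon:
    location: str            # hint for the holder: where to present it (not signed here)
    identifier: str          # names the root key and the object; public, not secret
    caveats: tuple = ()      # first-party predicates, in the order they were added
    signature: bytes = b""   # end of the HMAC chain

    @staticmethod
    def mint(root_key: bytes, location: str, identifier: str) -> "Macaroon":
        return Macaroon(location, identifier, (), _mac(root_key, identifier.encode()))

    def attenuate(self, predicate: str) -> "Macaroon":
        """Return a strictly weaker macaroon. No root key needed: this is how
        a holder delegates a restricted version of their capability."""
        return Macaroon(self.location, self.identifier,
                        self.caveats + (predicate,),
                        _mac(self.signature, predicate.encode()))


def _caveat_holds(predicate: str, ctx: Dict[str, object]) -> bool:
    """Evaluate one first-party caveat against the request context.
    Unrecognised caveat forms fail closed."""
    key, sep, value = predicate.partition(" = ")
    if sep != " = ":
        return False
    if key == "user":                 # identification: who is asking
        return ctx.get("user") == value
    if key == "op":                   # what they may do with the object
        return ctx.get("op") == value
    if key == "expires":              # unix timestamp; request must arrive before it
        return isinstance(ctx.get("now"), int) and ctx["now"] < int(value)
    return False


def verify(root_key: bytes, m: Macaroon, ctx: Dict[str, object]) -> bool:
    """Server side: recompute the HMAC chain from the root key, then require
    every caveat to hold. Dropping or editing a caveat changes the chain, so
    the signature check fails before any predicate is evaluated."""
    sig = _mac(root_key, m.identifier.encode())
    for c in m.caveats:
        sig = _mac(sig, c.encode())
    if not hmac.compare_digest(sig, m.signature):
        return False
    return all(_caveat_holds(c, ctx) for c in m.caveats)


# --- constructed scenario: Alice's photo, shared with Bob only, for one hour ---
ROOT_KEY = b"server-root-key-demo-only"        # assumed: per-service secret
PHOTO_ID = "photo:alice/beach.jpg"             # assumed object identifier
T0 = 1_423_000_000                             # constructed "now"


def alice_shares_with_bob() -> Macaroon:
    """Alice holds the unrestricted cap; she hands Bob a version that names him
    and expires. The 'who is asking' check travels inside the cap itself."""
    alice_cap = Macaroon.mint(ROOT_KEY, "https://photos.example", PHOTO_ID)
    return alice_cap.attenuate("user = bob").attenuate(f"expires = {T0 + 3600}")


def bob_delegates_read_only() -> Macaroon:
    # Bob can narrow what he received further without talking to Alice or the server.
    return alice_shares_with_bob().attenuate("op = read")


def strip_user_caveat(m: Macaroon) -> Macaroon:
    """An attacker removes 'user = bob' but cannot recompute the chain without
    the root key, so the original signature no longer matches the caveat list."""
    kept = tuple(c for c in m.caveats if not c.startswith("user = "))
    return Macaroon(m.location, m.identifier, kept, m.signature)


def demo() -> Dict[str, bool]:
    cap = bob_delegates_read_only()
    return {
        "bob_read_now":    verify(ROOT_KEY, cap, {"user": "bob",   "op": "read",  "now": T0 + 10}),
        "carol_read_now":  verify(ROOT_KEY, cap, {"user": "carol", "op": "read",  "now": T0 + 10}),
        "bob_write_now":   verify(ROOT_KEY, cap, {"user": "bob",   "op": "write", "now": T0 + 10}),
        "bob_read_later":  verify(ROOT_KEY, cap, {"user": "bob",   "op": "read",  "now": T0 + 7200}),
        "stripped_caveat": verify(ROOT_KEY, strip_user_caveat(cap),
                                  {"user": "carol", "op": "read", "now": T0 + 10}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allow' if ok else 'deny'}")
```

The point the thread circles around shows up in `verify`: the server never consults an ACL, yet it can still answer the judge's question, because the `user = bob` caveat is bound into the signature and cannot be peeled off by whoever obtains the token. Note that a real deployment would also bind the `location`, use per-object or rotated root keys, and handle third-party caveats (discharge macaroons), none of which this toy attempts.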

