[Cryptography] Capability Myths Demolished was: Do capabilities work? Do ACLs work?

Rob Meijer pibara at gmail.com
Mon Feb 16 05:49:48 EST 2015


2015-02-16 7:22 GMT+01:00 Peter Gutmann <pgut001 at cs.auckland.ac.nz>:

> As a general reply to this (I was trying to avoid turning it into a long
> thread since it's probably not worth going into lots of detail on), I read the
> "Capability Myths Demolished" paper some years ago and compared it to a
> (hypothetical) "X.509 Myths Demolished" [0], or from the non-IT world,
> "Monorail Myths Demolished", "Communism Myths Demolished", "CDO Myths
> Demolished" [1], and so on: if you pick your examples very carefully and
> propose theoretical solutions that don't necessarily have to work in practice
> (or, even worse, that have been shown not to work when deployed in the real
> world) then you can "demolish" all sorts of "myths".
>
> Peter.
>

I found that the greatest problem with conceptions about capabilities is
not in fact due to myths surrounding capabilities or even myths surrounding
ACLs. The greatest problem with conceptions about capabilities comes from
the fact that with capabilities it's obvious that particular unenforceable
policies cannot be enforced, while ACLs can give the appearance of being
able to enforce policies that are in fact unenforceable. So basically, if
there are myths that need to be demolished, it should probably be myths
about what can and what can't be theoretically enforced, independent of the
whole ACL/capability divide.

It's pretty clear that ACLs can 'express' things that capabilities can't.
It's also pretty clear that ACLs can express things they cannot enforce.
What isn't clear is the size or the form of the intersection of policies that:

A)
* Cannot be expressed with capabilities.
* Can be enforced by ACLs.
* Have more than theoretical utility.

And in contrast, the size or the form of the intersection of policies that:

B)
* Can be expressed by ACLs.
* Cannot actually be enforced by ACLs.
* Would have real utility if they could.

And finally we have the union of intersections of policies that:

C)
1)
   * Can be expressed with capabilities.
   * Cannot use the central administration mandated by use of ACLs due to
     possible conflicting interests.
   * Have more than theoretical utility.
2)
   * Can be expressed with capabilities.
   * Are so fine grained that use of ACLs would at best be impractical.
   * Have more than theoretical utility.

When I started out looking at capabilities, my expectation was that:

* A would be rather big.
* B would be virtually zero.
* C frankly never crossed my mind.

Now, after about a decade of trying to use capabilities in real systems, I'm
at the point that my expectations have changed to:

* A is not very big, and for anything consumer related it's probably zero.
* B is rather big and is a superset of the set containing all policies
  that state 'do not delegate' at any level.
* C, in the light of current day malware threats and mash-up realities, is
  actually bigger and more relevant than its inverse.

But whatever view is (most) correct, it's clear that the myths that should be
addressed should first and foremost be those to the effect that being able to
'express' something (that would, for example, solve the CC problem) in any way
actually solves the CC problem.
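The point made above about set B, that an ACL can express 'do not delegate' but cannot enforce it, is easy to show in a toy model. The following Python is an added illustration, not code from the post or from any system it mentions; the resource name, principals and data are constructed for the example. An ACL-guarded resource carries a `no_delegate` flag, yet a principal who may read can proxy the data to one who may not, and the reference monitor never sees anything but the authorised principal. The capability half of the example makes the same delegation explicit and shows the attenuation (a revocable facet) that the post files under C.2:

```python
"""Added illustration (not part of the mailing-list post): an ACL can express
a 'do not delegate' rule but cannot enforce it, because any principal who may
read can proxy what they read. A capability system makes the same fact
explicit: holding a reference is the authority, and it can be handed on or
attenuated. All names and data below are constructed for this example."""

from dataclasses import dataclass, field


# ---------- ACL model ----------

@dataclass
class AclEntry:
    principal: str
    ops: frozenset
    no_delegate: bool = False   # expressible policy: 'do not delegate'


@dataclass
class AclResource:
    name: str
    data: str
    acl: list = field(default_factory=list)

    def check(self, principal, op):
        return any(e.principal == principal and op in e.ops for e in self.acl)

    def read(self, principal):
        # The reference monitor only ever sees the principal issuing the call.
        if not self.check(principal, "read"):
            raise PermissionError(f"{principal} may not read {self.name}")
        return self.data


def direct_read(res, principal):
    """A plain request in the requester's own name; the ACL works as stated."""
    try:
        return res.read(principal)
    except PermissionError:
        return None


def proxied_read(res, owner, requester):
    """`owner` runs a service that reads on its own authority and forwards
    the result to `requester`. The no_delegate flag is never consulted: the
    monitor sees only `owner`, so the policy is expressed but unenforced."""
    return res.read(owner)


# ---------- capability model ----------

class ReadCap:
    """An unforgeable reference: possessing it is the read authority."""
    def __init__(self, resource):
        self._resource = resource

    def read(self):
        return self._resource.data


class RevocableCap:
    """Attenuation: a facet the grantor can switch off later. This is the
    fine-grained control an ACL could only approximate with per-grant entries."""
    def __init__(self, inner):
        self._inner = inner
        self._alive = True

    def read(self):
        if not self._alive:
            raise PermissionError("capability revoked")
        return self._inner.read()

    def revoke(self):
        self._alive = False


def demo():
    # Constructed resource: only alice is listed, with 'do not delegate' set.
    secret = AclResource("report.txt", "q1 numbers",
                         [AclEntry("alice", frozenset({"read"}), no_delegate=True)])
    result = {
        "bob_direct": direct_read(secret, "bob"),              # None: ACL holds
        "bob_via_alice": proxied_read(secret, "alice", "bob"),  # leaks anyway
    }
    # Capability side: alice holds the reference and hands bob a revocable facet.
    alice_cap = ReadCap(secret)
    bob_cap = RevocableCap(alice_cap)
    result["bob_cap_before"] = bob_cap.read()
    bob_cap.revoke()
    try:
        bob_cap.read()
        result["bob_cap_after"] = "still readable"
    except PermissionError:
        result["bob_cap_after"] = "revoked"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The asymmetry the post describes is visible in `demo()`: the ACL denies Bob directly but cannot stop Alice's proxy, while the capability version never pretended to stop delegation and instead gives Alice a lever (revocation) that the ACL's `no_delegate` flag only promises.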