First Three Charts (#2 - #4) from Horton Presentation at Usenix HotSec
[Figure labels: Alice, Bob, Doc Chapters (Chapter 1…)]
Communicating Object Access with Delegation
Initial Conditions:
Alice has: 1. A capability to send to Bob and 2. A capability to a document with chapters.
Capability Communication of the Document Reference
[Figure labels: Alice, message "here’s( )", Chapter 1…]
Alice sends a message to Bob containing a reference to the document.
[Figure labels: Alice, Bob, Doc Chapters (Chapter 1…), Alice->Bob]
Alice can’t act with Bob’s responsibility.
Bob can’t act with Alice’s responsibility.
Horton Magic: Bob Receives a Delegated Capability
Remaining Charts not presented during the Horton Presentation at Usenix HotSec (Too rough, detailed, and inappropriate)
CapDoc: Communicate Capabilities with Responsibility Delegation and Control
The Web: Good, Bad, and Ugly:
1. Good: Internet hypertext, wonderful!
2. Bad: Username/passwords for every site that has any sort of access control.
3. Ugly: Hard to share limited access to network objects. Hard to combine network objects with access restrictions.
[Figure sequence: successive diagram builds showing Alice’s Domain, Bob’s Domain and Dave’s Domain. Labels: Sends: BobSend, EveSend, IvanSend; Sends: AliceSend, DaveSend; Receives: AliceReceive; Receives: BobReceive; CapWiki: CapWiki Stuff: Concepts, Finances, Other; CapWikiFinances: Investor, Market; message text "Here are the CapWiki:Finances".]
Better Web Access Control
• No more passwords – Send a <me>Send to a <service>Send. They know who you are, you know who they are.
• Side benefit – SPAM resistance for capability enabled messages. Don’t like a source of SPAM, cut it off to any delegation level.
• Principle Of Least Authority (POLA) sharing that can facilitate cross site services.
• One concern (David Wagner) – unfamiliar authority sharing mechanism – may result in inappropriate granting of authority.