There are several models of rights out there - nyms, capabilities, bearer, account. One observation, made by Jeroen van Gelderen, is that nyms (especially SOX) as a model are a case of capabilities. What that means, beyond the superficial, has always been up in the air. The loose presumption was that SOX is a subset, or an implementation, of capabilities. Or that SOX is capabilities hard-coded, whereas E, by contrast, is capabilities in the language.
The capabilities people (them) and the nym people (us) haven't really seen eye to eye on the lucidity of each other's documentation, so distance remained. Now, Jed Donnelley has broken ranks and cast his view of a definition of an Internet capability model.
With such a definition in hand, it's now possible to compare SOX, and any other nymous system, against the capabilities model. Best case, we'll show the original observation was right, and we can get on with the life of us and them. Worst case, we'll show it as being wrong, and we'll be forced to write our own definition.
That, I'll defer. For now, here's Jed's definition:
-------- Original Message --------
Subject: [cap-talk] Re: "capabilities" as data vs. as descriptors - OS security discussion, restricted access processes, etc.
Date: Thu, 29 Apr 2004
From: Jed Donnelley <firstname.lastname@example.org>
1. Definition of what you might call an Internet capability model. This
could be something along the lines of:
though I think modern encryption technology would suggest a
rework. The basic idea would be to define a protocol for sending
blocks of bits that:
a. Can securely represent the right to do anything that a service
(server) process might choose to make available.
b. Can be communicated securely - hopefully without contacting
the service process except of course when it is the source or
destination of the rights communication directly.
c. Is safe from eavesdropping. That is, the form that the capability takes
when it's in, say, a process's memory space or in an email message,
cannot be used by any entity other than the owner of the memory
space (a process) or the email (presumably a person).
d. Extra points for including a rights reduction mechanism that doesn't
require permission from the server.
[another big snip]
Can we agree on that much?
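As an added illustration of points (a), (b) and (d) in Jed's list, and not code from his message, from SOX or from E, here is a small Python sketch of a capability as a block of bits: an HMAC chain in the style of macaroons, which a holder can attenuate offline and which the service verifies from its root key alone. It assumes a constructed root key and a single "rights=" caveat format, and it does not attempt point (c): a plain bearer token like this is usable by whoever reads it out of memory or mail.

```python
import hashlib
import hmac

# Constructed example key: in a real service this is secret to the server.
ROOT_KEY = b"constructed-root-key-for-this-example"

def _caveat(rights):
    # Canonical text form of a rights caveat, e.g. "rights=read,write".
    return "rights=" + ",".join(sorted(rights))

def _chain(key, text):
    # One link of the HMAC chain: the previous digest keys the next HMAC.
    return hmac.new(key, text.encode(), hashlib.sha256).digest()

def mint(root_key, resource, rights):
    """Service side: issue a capability for `resource` with initial rights (point a)."""
    sig = _chain(_chain(root_key, resource), _caveat(rights))
    return {"resource": resource, "caveats": [_caveat(rights)], "sig": sig.hex()}

def attenuate(cap, rights):
    """Holder side: reduce rights by appending a caveat and extending the chain.
    No contact with the service is needed (point d); a caveat can only narrow,
    never widen, because verify() intersects all caveats."""
    caveat = _caveat(rights)
    sig = _chain(bytes.fromhex(cap["sig"]), caveat)
    return {"resource": cap["resource"], "caveats": cap["caveats"] + [caveat], "sig": sig.hex()}

def effective_rights(cap):
    # The rights a capability grants is the intersection of every caveat on it.
    rights = None
    for text in cap["caveats"]:
        r = set(text[len("rights="):].split(",")) - {""}
        rights = r if rights is None else rights & r
    return rights or set()

def verify(root_key, cap, wanted):
    """Service side: recompute the chain from the root key, then check the right.
    Dropping or editing a caveat changes the recomputed digest, so it fails."""
    sig = _chain(root_key, cap["resource"])
    for text in cap["caveats"]:
        sig = _chain(sig, text)
    if not hmac.compare_digest(sig, bytes.fromhex(cap["sig"])):
        return False
    return wanted in effective_rights(cap)

if __name__ == "__main__":
    full = mint(ROOT_KEY, "file:/report.txt", {"read", "write"})
    read_only = attenuate(full, {"read"})
    print(verify(ROOT_KEY, full, "write"), verify(ROOT_KEY, read_only, "write"))
```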